Thousands of Adult Website Accounts Compromised

Keith writes "Tens of thousands — or maybe more — accounts to adult websites were recently declared compromised and apparently have been that way since some time in October 2007. The break occurred when the NATS software used to track and manage sales and affiliate revenues was accessed by an intruder. The miscreant apparently discovered a list of admin passwords residing on an unsecured office server at Too Much Media, which makes and maintains NATS installations for adult companies. It would appear that Too Much Media knew of the breach back in October, and rather than fixing the issue tried to bury it by threatening to sue anyone in the adult industry who talked about it." The article gives suggestions for anyone who opened an account at any adult website in the last several months.

Re:If true, this isn't particularly surprising.

[mochan_s]

In addition, it's porn. Individual end users cannot protest very much without either A: Admitting they pay for porn online or B: being the subject of askance glances and the occasional, "Methinks he doth protest too much."

You do realize that prepaid credit cards exist, right? You can set any name to it and use it. Since you don't have to have anything physical delivered and it's all online, then you can create fake names and leave out addresses.

Gift Cards

[harlows_monkeys]

This is what gift cards are for, available from numerous outlets (Safeway, Office Depot, Wal-Mart, and similar places). You can get prepaid VISA and Mastercard giftcards, which work great for purchasing porn, or other questionable things of an online nature, where you can't trust the vendor. A $50 card will typically cost about $55.

After you buy it, you go to a web site from the card vendor, enter the card number and security code, and then set the user name and billing zip code. Then go wild (well, to the extent that you can go wild with $50...). Here's one such card that is available at a lot of places.

There are also cards that you can refill from your "real" credit card, but then you are easier to trace. Might as well use a non-refillable card, purchased with cash. That way, if "all models 18 or over, proof on file" turns out to not quite be true, no credit card that can be tied to you will be in the site's records. :-)

If that's not a concern, though, and you are just trying to limit exposure of your real credit card, then go ahead with the refillable cards. In fact, there are even some that are purely online. They don't provide a physical card. You just go to their site, sign up with your credit card, and they give you a credit card number to use online, with a limit of whatever you want to transfer from your credit card. Here is one such virtual card.

NOTE: some gift cards cannot be used for porn or gambling, so choose appropriately. And some can be so used, but add a surcharge for porn.

Re:Gift Cards

[Archon-X]

No credit card information was stolen. It's impossible.
CC information does not, repeat, does not [read: is illegal to keep] on the servers of sites.
It is maintained by the billers and processors, who thankfully, have better security.

The threat of stolen CC info is FUD by the poster.

RE: The Truth

[Archon-X]

Let me be the first to actually point out the key factors in the situation.
I work in adult, and have worked with this CMS very closely for the last 2 years.
I'm not on anyone's side, but unfortunately this problem has been surrounded by a lot of misinformation.

• No credit card information was stolen. Website owners seldom [read: never] have access to this data, it's kept by the credit card processors
• The information that WAS compromised was member information, primarily email addresses, for use in spamming. It 'makes sense' - a list of verified buyers is like the 'holy grail' for spammers.
• The hackers used a list of admin accounts to poll everyone's CMS systems on the hour, and pull out this data. They have either covered their tracks well, or not at all, because they left reams of IP data, and you can see in the logs of the system itself, what information they've pulled.

It is interesting and rather important to note: The poster of the blog article is an absolute douchebag. I'm not happy with the situation obviously, I had my own system compromised, but this guy is an idiot on a warpath - 95% of what's written on his blog is off in the fairyland.
He fails to mention that he's hated by the industry, mainly for the reason that he posted 300 username / password combinations of webmasters publically, which resulted in a lot of them having money stolen from online accounts, etc.
More intelligent ramblings from this guy: My Guide To Tax Evasion - Why The Unibomber was right

Summary: The breach was real. Scope seems to be limited ONLY to member data. Signed up? Expect some spam. Signed up with a password that you use on all your accounts? check your head, change the passwords.

Read more about our friend "minusonbit" - here - on an industry forum and judge for yourself.

Re:I WROTE THE STORY. I STAND BEHIND IT 110%.

[Archon-X]

As posted before, this guy is nothing more than a troll.
It's very simple: You've cast aspertions that CC data was stolen.

Post proof. We're waiting.

Anyone can go to http://www.gofuckyourself.com/forumdisplay.php?f=26 an industry forum, search for 'minusonebit', and read for yourself about this guy, and the misinformation that surrounds him.

Re:If true, this isn't particularly surprising.

[owlnation]

In addition, it's porn. Individual end users cannot protest very much without either A: Admitting they pay for porn online or B: being the subject of askance glances and the occasional, "Methinks he doth protest too much." Some folks won't care, but the kind of people who actually have influence in the real world can't afford that kind of tarnish.

You're looking at this from an English speaking World perspective. Note that in countries such as Holland or Germany, where most of the adult/sex industry is completely legal, consumers of adult products have as much rights as any other consumer. There's also not the stigma attached to such things as there is in the UK or the US. People there would sue, and would sue openly.

All in all, in countries like Germany there's a much healthier attitude to sex and the adult industry. Both consumers and providers are much better protected there.

It seems to me that in the UK in particular (which is a semi-fascist state at best anyway) the repression and legislation of the adult industry is increasing, from what was already a very repressed and intolerant level. This is not healthy, this simply makes it easier for organized crime, and incidents like this one to occur.

Re: The Truth

[Archon-X]

Really? Not even when the user signs up for the account and enters the credit card number?

Now, I've never actually bought porn before, but assuming that porn sites work like every other ecommerce site in existance, the credit card number is most certainly entered into a form that's sent to the web server of the porn site. And if the web site has been compromised by a shell account that has premissions to modify the website software (like, say, it has been), then the credit card numbers of anyone who has signed up since the breach are likely to have been stolen. It actually doesn't work like that.
NATS, the software in question here, acts as a gateway to the payment processor. CC information is never entered or passed through NATs.
It's just the same as when you make a purchase on a website through paypal. No CC information information is ever given to the site, all they receive is a postback. That's exactly the situation here, CC data is stored on the processing servers, and is completely distinct from this mess.

It was reported that CC data was stolen, or may have been but this is entirely untrue as you can see above.

You gave a privileged SSH account to a third party, what did you expect?! No, I didn't. The accounts were NOT ssh accounts, they were logins to Web UI systems.

Seems? So even you admit you don't actually know whether credit card numbers were stolen. I do. CC numbers are not stored on this system [I sound like a broken record]. When I say 'seems', I mean that the hacker did not try to take any other information, such as affiliate information, statistics information, or anything else stored in NATS, the software in question.

I'll bet you some were stolen. Any account opened since the breach or that used a recurring payment scheme should check to make sure their credit card wasn't stolen. Rubbish. This information is not stored in the software or on any of the servers. You can 'bet' all you want. I'll take you on that wager, because you're posting and not knowing what you're talking about.