Blackmail fears

The personal details of an estimated 250,000 clients of sex workers may have been exposed following a breach on a Dutch prostitution website, Hookers.nl.

Hookers.nl is frequented by the customers of sex workers who use it to exchange tips and reviews.

However, a vulnerability on the forum allowed an attacker to lift email addresses, usernames, IP addresses, and (encrypted) passwords.

This highly sensitive data is reportedly being offered for sale for $300 all in, on a non-exclusive basis.

Dutch broadcaster NOS, which obtained a sample of the leaked data, has been in touch with the seller, who told the outlet that they hadn’t yet made any sales but nonetheless remained confident of making some money.

Analysis of this information suggested that even though punters on the site had typically used pseudonyms, they might still be identified through the exposed email addresses used to open accounts on the forum.

The breach reportedly stemmed from the recently resolved vulnerability in vBulletin forum software.

The miscreant behind the sale of leaked information told NOS that they had abused a vulnerability in “commonly used forum software”.




Dutch business Midhold runs Hookers.nl as well as other adult services websites. The Daily Swig has approached the company for comment on the cause and scope of the breach.

We also asked Midhold what advice it had for users of its bulletin board.

The whole unsavoury data leak at Hookers.nl recalls the infamous breach of self-styled adultery-facilitating website Ashley Madison back in 2015.

Various users were blackmailed in the wake of the Ashley Madison data breach and there were isolated reports of suicide.

Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, commented: “Compared to some notorious breaches that have occurred in the last 12 months involving billions of compromised records, this [Hookers.nl] data breach may seem comparatively insignificant.

“However, in terms of reputational damage it’s apt to inflict upon the victims, the impact may be unprecedentedly disastrous.”

