Pornhub extorted after hackers steal Premium member activity data
bleepingcomputer.com | 154 points by coloneltcb 18 hours ago
I feel extremely fortunate that I am unashamed of my sexuality, sex drive, or sexual interests. While I'd prefer that my porn history remain private, if anyone ever tried to shame me for it, I'd have no problem telling them I own my human desires.
Now, if I was a repressed person living in an area where that threatened my safety, I'd be terrified. It's a privilege that I don't have to worry about it, and that's the real problem when we get past the technical reasons why this shouldn't have happened.
> I feel extremely fortunate that I am unashamed of my sexuality, sex drive, or sexual interests
You're also lucky to live somewhere where you wouldn't face job loss, familial estrangement or even anything up to capital punishment for it.
I hope your employer and/or customers would share your attitude! Some people, depending on their occupation, might find their jobs at risk even with fairly "vanilla" viewing habits.
This is always the response to something like this but the problem is still repression. If every employee's porn viewing habits were revealed, then the employer and customers would have no choice but to still employ you and buy from you unless they want to stop doing business with all humans whatsoever, because all of them enjoy sex, even the employers and customers themselves. They don't even actually care and put on the facade because they feel social pressure themselves to pretend they don't have exactly the same urges and feelings. We can't fire the entire world.
GP has a point. Privacy rights aren't just about hiding stuff that you may be embarrassed about. It is about safeguarding your personal identity, to protect yourself politically. Due to our tribal nature, we are always constantly judging each other whenever we form a social connection. And political exposure (from whatever source - be it our own parents, our society, our nation, the internet etc.) has created conscious / unconscious biases where some part of a person's personal identity can be a "trigger" for someone to be politically outraged, and even act on those urges. For example, some westerners get triggered when they see a burqa-clad woman in their streets, and some (especially in the middle-east and Asia) get triggered when they see a woman scantily clad and not "properly" attired. A muslim woman in Dubai may have no problems in wearing a burqa (or, more realistically, in covering her head as culturally required) in her office or a family function, but may like to wear "sexier" outfits when out in pubs or discotheques. That is her multi-cultural identity and experiments in developing her own personality and identity. But if someone were to violate her privacy, by sharing a photo or video of her in a pub, expressing her sexuality through her style of dress, it could lead to an attack on her based on part of her identity. Take that at a larger scale - a lay Jew or a Muslim may prefer to appear religious amongst conservatives of his own group, even if being a Jew or a Muslim isn't a large part of their identity (i.e. they don't really define themselves through it). Or they may try to hide their religious identity amongst strangers, even if they are religious - such acts may be prudent to do so, for example, in a society where antisemitism or Islamophobia is prevalent, where people do get triggered simply because you are a Jew or a Muslim.
In other words, privacy rights aren't about hiding secrets but safeguarding your own personal identity. You are of course right that if we change our own perspective about our own personal identity and behaviour, we can certainly become more comfortable with ourselves. And that can foster political changes too.
This is a weird state of affairs though. This is such a thoroughly private thing, it does not impact your work (unless illegal content is involved), so why do we care?
I know it's some sort of "trustworthiness" but that is objectively complete bs.
You might not care, but plenty of people clearly do. The current speaker of the US House of Representatives apparently cares a great deal:
https://www.theguardian.com/us-news/2023/nov/06/speaker-mike...
Perhaps your sex life is somewhat vanilla.
Imagine you are turned on by eating shit or being peed on - would you still feel so comfortable sharing details about your sex life?
And of course, the wide spectrum in between
Mark Redwine murdered his son in 2012 after scat photos were found on his phone. (There are photos online, but not at this link.) https://www.kktv.com/2021/06/28/warning-graphic-content-phot...
I remember the head of security for a large ISP in the mid-90s tapping the IRC PRIVMSG traffic and extorting some gay guys who weren't out.
> While I'd prefer that my porn history remain private
That's a problem as well. Right now, you're 'safe'. But having that data available attached to you can also be dangerous to you in the future.
For example, the current wave of trans-hate can easily show you as a sympathizer. That can be criminalized quite easily, given 1/4 of the country hates trans people existing.
Being gay is right now not a crime in the USA, but it has been. And many regressive countries, predominantly Muslim, also have strong punishments for gay actions. Again, this material could easily be proof of a "deviant lifestyle" and legal punishments.
No, if I consume porn, I download from Piratebay, or hop on VPN and not login. And given I live in a state that Pornhub banned due to onerous age verification/identity tying, the whatif above could easily become true. I've read Project 2025 and saw those exact plans.
> many regressive countries, predominantly Muslim, also have strong punishments for gay actions.
For accuracy it's worth stating this is only a recent occurrence.
Right now:
Nations with anti-LGBT laws: 50% Muslim, 44% Christian (2024)
Half (33) of the world’s 66 countries that have anti-LGBT laws are nations where a majority of the citizens are Muslims.
By comparison, 29 Christian-majority countries account for 44 percent of the countries that still have anti-LGBT laws on their books.
~ https://76crimes.com/2024/02/11/nations-with-anti-lgbt-laws-...
However this "predominantly Muslim" twist in the numbers is recent:
In recent years, the number of Christian-majority nations with anti-homosexuality laws has shrunk, both through court rulings (Barbados, St. Kitts and Nevis and Antigua and Barbuda in 2022; Trinidad in 2018; Belize in 2016) and through legislative action (Cook Islands in 2023, Singapore in 2022, Angola and Botswana in 2019, Seychelles and Nauru in 2016, Mozambique, São Tomé and Príncipe, and Palau in 2014).
~ (quote from above source)
Uganda, with an 82% Christian population, is famously severe in its punishments for gay and queer sexual activity.
With the support and funding of US conservative Christians:
US religious right at center of anti-LGBTQ+ message pushed around the world
~ https://www.theguardian.com/world/2023/jul/09/us-religious-r...
> Nations with anti-LGBT laws: 50% Muslim, 44% Christian (2024)
This statistic makes the exact opposite of the point you're trying to make, though.
Going through this table[0], and provided I didn't make any dumb mistakes with my JS, there are 122 Christian majority countries, but only 54 countries are Muslim majority. So 33 out of 54 Muslim majority countries have anti-gay laws, compared to only 29 out of 122 Christian majority countries with such laws. (The more interesting comparison would perhaps be counting number of people rather than countries, though, and it still says nothing of the severity of said laws).
0. https://en.wikipedia.org/wiki/Religions_by_country#2020_Pew_...
> 1/4 of the country hates trans people existing
I'll need to dig up a reference but I've seen multiple sources cite that that 1/4 watches a disproportionately high amount of trans porn. The top most commenter is spot on about how much harm our prudishness is doing to us all.
> watches a disproportionately high amount of trans porn
That doesn't mean they don't hate trans people. Most porn shows women yet it's a hotbed of misogyny.
Yes, bigotry against a group and sexual fetishization of the same group (and, frequently, constructing a narrative in which such fetishization is deviant but the fault of the group targeted and not the fetishizers, such that the fetish further justifies the bigotry) frequently go together. You see this with racism of all forms, you see it with transphobia, and most commonly but perhaps least frequently commented on as a manifestation of the same effect, you see it with misogyny. And that's very much not an exhaustive list.
> That can be criminalized quite easily
How exactly could trans sympathy be "criminalized"?
Laws against the "promotion of homosexuality" are how public support and education are suppressed, and could easily extend to transsexuality if that's not included already.
Have you ever heard of the US FBI and its head, Pam Bondi? Here's how she did it:
https://www.advocate.com/politics/pam-bondi-trans-equality-b...
Declare “trans” a terrorist organization.
You can't just declare an identity a terrorist organization.
I mean, that makes as much sense as declaring an idea like antifascism a terrorist organization, which is clearly impossible.
Years ago I got into/started a fight in a city.
After the fight, the brawl was blamed on the other participants, all of whom were wearing emo clothing. Black shirts, band logos, jeans.
The local police went as far as enacting a local anti gang ordinance, identified the emo wear as gang colours, and with 2 hours notice, advised that those colours were not allowed in the city for 48 hours. The security guard who helped break things up was chatting to me about it, laughing at it like it was a common consequence.
A local taxi company was cleaning up, as they accepted each emo kid, in groups of 1 - 4 and took them home to the suburbs. 20 taxis lined up, picking up kids.
Probably my first political WOW moment. I had never seen ~120 people pay for the consequences of the actions of a few.
True to their word, it was 48 hours or more until I spotted them in the city again.
Governments can make any law they wish, cops tend to enforce any law they wish. Courts and appeals take time. There is nothing preventing that same city from declaring pride flags or trans icons as gang symbols.
This wasn't even in the US.
Same shit could happen anywhere, Trump could declare them terrorists identified by their symbols and tattoos, he could enforce inspections of their social media at airport checkpoints. Considering what was legal and enforced in the US in its history there's really nothing off the table going forward for persecuting anyone.
that's not how this works. that's not how any of this works.
Incorrect. That’s exactly how it works!
https://en.wikipedia.org/wiki/Persecution_of_transgender_peo...
https://www.them.us/story/trump-admin-fbi-trans-nihilistic-v...
I mean, clearly it shouldn't be how it works, and is not how it works in sensible countries, but, as people have noted, it does seem to be what ol' minihands is going for in the US.
What's great about Wikipedia... There's an article for EVERYTHING!!
https://en.wikipedia.org/wiki/Capital_punishment_for_homosex...
Not sure how passing a law that makes homosexuality punishable by death,
1: would be easy
2: would apply to sympathizers
3: would be possible
I wonder what will be the watershed lawsuit event that makes tech companies consider capturing and holding PII to be liabilities.
Agreed, but this was search and watch history. I can see an argument for not keeping search history, but if I'm paying for Spotify, YouTube, or Netflix, I'd like to go back to that song or video I enjoyed last week but can't recall the name of.
In other words, this is data we as consumers want to be able to access, and therefore want kept.
It doesn’t have to be synced to the cloud though. Even if you want it on multiple devices, if the tech industry decided to try just a little bit you’d have a cross device, local store sync solution. But there’s money to be made from tracking so it gets stored on hackable cloud servers.
I was thinking the other day that people have forgotten that end-user data confidentiality is relatively simple, generally speaking, but we have built the wrong infrastructure (so far).
> but if I'm paying for Spotify, YouTube, or Netflix, I'd like to go back to that song or video I enjoyed last week but can't recall the name of
Surely this is up to the client, or perhaps explicit bookmarking capabilities. Not implicit records of what you looked for in the past.
You CAN turn off watch history in Youtube (not sure about Spotify). However, for better or worse revealed preferences seem to show that people prefer automatic content recommendations over doing the search & bookmark work themselves.
Is it a revealed preference or is it an inevitable result of making the UX to turn it off hidden, frustrating to use, and come with unwanted side effects?
If companies actually think "users really, really want X" then they should have no fear making X opt-in.
Some things need to be opt in but most things don't. What makes sense to have which way is not as simple as saying "if people wanted it, they'd configure it that way". Imagine how many problems having to opt in to keeping recent files or whatever on each program you use on all of your devices would be. Apart from the annoyance of setting it up, the annoyance of forgetting to set that (among a dozen other opt-ins) on one of your dozens of programs and finding out only when you can't remember the name of the document you had open yesterday. Most people would "opt in" to use a provider which has what most consider "sane" defaults instead.
But there are obviously MANY things we prefer to keep opt-in. E.g. sharing my recents data with 3rd party advertisers. No need to throw the baby out with the bath water and make every service awful by default just to have a universal rule to quote though.
All for privacy, but if you have Watchtube that has worse, less relevant personalization by default and Viewtube with better, more personalization by default, my guess is Viewtube will win the day with users.
I believe Bruce Schneier suggested more than twenty years ago now that we think of personal data as like a form of toxic waste or pollution, but this metaphor doesn't seem to have caught on widely.
I thought you were thinking of this: https://youtu.be/GAXLHM-1Psk?si=hVjBZNsmmdh-P9n8
Brilliant talk.
Yeah, thought the same, should they even be allowed to save data like that?
It sounds super personal, just like religion or blood type
A leak of politicians' dirty habits should hopefully do it.
Like previously happened with video store rental records?
https://en.wikipedia.org/wiki/Bork_tapes
> The subsequent leakage and coverage of the tapes resulted in Congress passing the Video Privacy Protection Act (VPPA), which forbids the sharing of video tape rental information, amidst a bipartisan consensus on intellectual privacy.[8][9][10] Proponents of the VPPA, including Senator Patrick Leahy, contended that the leakage of Bork's tapes was an outrage.[11][12] The bill was passed in just over a year after the incident.[13][14]
Yeah and that was for innocuous tapes. Imagine what they would have done if the rentals had been salacious?
That said, if I were to imagine myself working at a place like that when they existed, I can't see myself turning over customer data like that willy-nilly to someone fishing for information. Like are you the police, what gives?
We already had some of that with the Target credit card fuck up that birthed PCI rules, which in turn birthed lots of payment card processors just so companies could wash their hands of all card holder PII rather than meet with their insane auditors.
Interestingly enough there's a legislative push to make companies verify your real ID, I believe many porn companies already do this.
Don't send PII to mixpanel, kids! It's not a CRM and should not be treated as such. Why people do this is beyond me.
Why are so many people paying for premium or even making an account at all?
The amount and variety of free porn is already enormous.
No clue but don’t some states require that you prove your age to view content? That would force you to share private information that could be leaked like this which is even more worrisome.
No it just requires you to use a VPN.
I live in one of those states. Most porn sites just ignore the law completely and the rest you can use a VPN.
Maybe it’s similar to onlyfans where people get to chat with or receive messages from a model. People also create accounts to upload content.
Yeah, if users end up paying for this leak, this unfortunately ends up, practically, being a stupidity tax...
EDIT: Best argument for paying for porn is to support the performers, but paying for a generic porn streaming service hardly seems the best way to do this.
Why do you have a HN account? The internet is full of words.
I can't post on HN without an account. How many people upload videos there? (Assuming that it is even possible for an average joe to upload porn there).
> ShinyHunters
I had an inkling! They've been on a roll this past year or so.
> This data includes a PornHub Premium member's email address, activity type, location, video URL, video name, keywords associated with the video, and the time the event occurred.
Well, that's pretty fucking wild! Email address & time and location sent to a 3rd party, nice! Absolutely no reason for that, of course. Especially considering these are paying customers!
I guess somewhat notably is Mixpanel denying that it's coming from their November breach. They have less incentive to lie in this case, given that they've already admitted to being breached, and (presumably) their systems & logs have been gone over with a fine-toothed comb to identify all affected parties:
> "The data was last accessed by a legitimate employee account at Pornhub’s parent company in 2023. If this data is in the hands of an unauthorized party, we do not believe that is the result of a security incident at Mixpanel."
This is a shining example of why I will never upload my ID to something I do not want publicly associated with me.
Conversely, being forced to use a VPN for these services is great for your personal opsec :)
That entirely depends on the trustworthiness, and opsec, of the VPN operator.
Cheap VPNs are cheap for a reason -- you are the product (well, your internet traffic and/or access to your home connection).
Private Internet Access has denied under oath that they have logs to turn over.
There is no reason to think that more reputable activist providers like Mullvad or AirVPN would if a party like PIA already doesn't.
I'd steer clear of NordVPN though. They have lots of controversy in their history and they are very financially motivated, considering the deluge of YouTube sponsorship and ads they pay for each year. Still don't think they would lie about no logs but why risk it.
> Private Internet Access has denied under oath that they have logs to turn over.
Did they also testify under oath there is no lawful intercept API or anything similar? That does not require logs. In fact when the feds would set up phone call intercepts on telco switches we would intentionally disable logs and put the mainframes into "test mode". And that is even before people start playing legal word games like calling lawful intercept "debugging" or something else. Lavabit [1] found out what happens if lawful intercept is not available.
Just me personally, I would always assume a service I do not entirely control and operate is doing what it can to comply with lawful intercept requirements and they are likely playing word games to not drive away their members and I would not blame them. I am just the properly paranoid type in part due to a good upbringing by a properly paranoid person.
Considering it was a LEA that put them in court, yes, I don't think they were playing word games. Otherwise the LEA would have just forced them in court to intercept.
However, I also think threat model comes into play here. If you don't want advertisers to track you or to download some torrents, a VPN provider works great. If you want to hack into NORAD, probably do that from a secondhand laptop on Tor over a public wifi.
> I am just the properly paranoid type in part due to a good upbringing by a properly paranoid person.
I say you've properly got your eyes open. Anyone who thinks anything you do online is completely private is naive. IF any government wants to know what you've been up to online, nothing can stop them. Privacy is a thing of the past, we should vote only for politicians who say they want the government out of our backyards, banks and bedroom. Oops, too late!
Websites that use third-party analytics will at minimum send the IP address, time and the url when users access pages. It's also very likely they will send API calls if the developers want to track those.
So any call that looks like "https://example.invalid/api?confirmemail=user@example.invali..." would cause a leak of the email. I have seen multiple companies and websites do this (either with email or username) when signing up or after first login, and I would strongly guess that most if not all of them use some kind of analytics for that request that leaked data.
Web developers are supposed to scrub their sites so that doesn't happen, but then the main arguments in favor of using third-party analytics is the convenience of enabling it globally with minimum effort and then getting pretty graphs for free. There are occasionally HN posts about self-hosting analytics and the common response is that it's too hard and too much work.
https://techcrunch.com/2018/02/05/mixpanel-passwords/
3rd party user tracking can slurp up a lot of unexpected data, and no one ever wants to disclose problems when a vendor loses things like this. MixPanel has a long history of problems.
> This data includes a PornHub Premium member's email address, activity type, location, video URL, video name, keywords associated with the video, and the time the event occurred.
I had always known, albeit intuitively, that registering to porn websites was a dumb idea.
Time has proved me right.
Time proved you right long ago. See the Ashley Madison breach (2015):
<https://www.wnycstudios.org/podcasts/otm/segments/what-can-w...> (audio and transcript).
Based on Paul Ford's blog entry: "Fairly Random Thoughts on Ashley Madison & the Swiftly Moving Line" <https://medium.com/message/fairly-random-thoughts-on-ashley-...>.
I suppose it depends on a) what kind of content and b) your lifestyle otherwise.
I mean, no shit.
Getting compromised is more a matter of time than ability. Someone's going to fuck up at some point.
I don’t love location tracking but their statistics blog posts are usually pretty funny/interesting. And I’m guessing part of this is to work with specific laws. I read that in US states with draconian laws, they’re actively blocking users.
The thing is, you can do the same statistics without including the user's email address or otherwise directly linking a data point to a specific person.
They may need to retain certain information for laws, but they aren't obligated by law to also share that information with their analytics partners.
Why as an engineer, would you log the entirety of a user’s info on mixpanel? I mean come on, how hard is it to have an obfuscated unique id for your users that can’t be traced back to them when logging info in third party apps? What benefit can you possibly get from logging email ids in mixpanel?
More Mixpanel shenanigans.
Forget the breach, what are they doing allowing a third party like Mixpanel access to such sensitive data in the first place?
I always teach companies to treat user information as somewhat toxic (i.e. a liability). Search and view history... it doesn't get much more personal than this.
1. take emails from other breaches 2. make files similar in structure to the ones leaked with junk links 3. flood internet with this junk data 4. problem solved
if you have an account on a porn site you were a lost cause anyways.
Anyone who used their personal or work email to sign up to a site like pornhub should expect that email to be made public one day along with any other data they have on the site, including watch history.
In the case of personal emails, that same email can usually be used to look up the victim on social media (Facebook is an example) to reveal their identity, if, like most people, they used the same email on that social media site.
As most on HN will be aware, data breaches like this are extremely common. Its not a matter of if, its a matter of when. NSFW sites in particular are more juicy targets and often have bad security.
> work email to sign up to a site like pornhub
Unless you actually work in the adult entertainment industry, that seems like a massively stupid move; one that would likely lead to termination.
Honestly...be responsible for mail for at a large enough enterprise and all I can say is you'd be surprised how many people make work emails their only emails.
With or without a policy along the lines of "your work email is only for business purposes; any other use is strictly prohibited"?
You might know that. I might know that. I can assure you that there are lots of people out there who don't realise it.
My 2021 watch history? Oh no!
Misleading title; a supplier of theirs was compromised.
But that transferred very sensitive data to a third party without anonymising the amount.
Just by replacing the email with a random anonymizedAccountId the impact would have been reduced from disaster to who cares. This was bad design from the start.
We may see some interesting news in a few days.
Just mind-bogglingly stupid to send anything about users other than a UserID number/UUID to your web tracking software.
Of course, in a sensitive situation such as that, even IP address can also be problematic, and your 3rd-party tracking software vendor gets that automatically.
If these clowns had hired someone smart instead of just copy-pasting some tracking code and throwing their whole user object at it or whatever, they would have given this some thought.
I'd have used the ability to proxy the MP tracking calls to my own server which most of these services offer but few use. That server would not keep any logs and would perform coarse GEOIP, remove the IP itself or zero the last 2 octets, and relay that information into MixPanel using custom attributes.
Just a quick back-of-napkin sketch, but even that was more thought than they put into it.
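An added example, not code from the thread or from any vendor mentioned in it: a small Python sanitising relay that does what the two comments above describe, replacing the email with a keyed pseudonymous id and zeroing the last two IPv4 octets before an event is forwarded, and also stripping email-bearing query parameters like the confirmemail case raised earlier in the thread. The key, the event field names and the sample event are constructed assumptions, not the format of any real analytics SDK.

```python
"""Sanitising relay for third-party analytics events (constructed example)."""
import hashlib
import hmac
import ipaddress
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed: a server-side secret the analytics vendor never sees. Rotating it
# breaks linkability of old and new pseudonyms, which is a feature here.
PSEUDONYM_KEY = b"constructed-example-key-rotate-me"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Property names that must never be forwarded raw (assumed naming).
PII_FIELDS = {"email", "ip", "name", "phone"}


def pseudonymous_id(email: str) -> str:
    """Keyed hash so the vendor sees a stable opaque id, not the address."""
    mac = hmac.new(PSEUDONYM_KEY, email.strip().lower().encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def coarsen_ip(ip: str) -> str:
    """Zero the last two octets of IPv4 (a /16); keep only a /32 of IPv6."""
    addr = ipaddress.ip_address(ip)
    prefix = 16 if addr.version == 4 else 32
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def scrub_url(url: str) -> str:
    """Drop query params that carry identifiers, then redact any email left."""
    parts = urlsplit(url)
    kept = [
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k.lower() not in PII_FIELDS
        and "email" not in k.lower()      # e.g. confirmemail=...
        and not EMAIL_RE.search(v)        # value itself is an address
    ]
    rebuilt = urlunsplit(parts._replace(query=urlencode(kept)))
    return EMAIL_RE.sub("[redacted]", rebuilt)


def sanitize_event(event: dict) -> dict:
    """Rewrite one captured event before relaying it to the analytics vendor.

    Activity type, time, video URL/name and keywords survive, so the
    statistics still work; the email and exact IP do not leave the relay.
    """
    out = {
        "event": event["event"],
        "time": event["time"],
        "distinct_id": pseudonymous_id(event["email"]),
        "ip": coarsen_ip(event["ip"]),
    }
    for key, value in event.get("properties", {}).items():
        if key.lower() in PII_FIELDS:
            continue  # never forward raw identifiers as custom properties
        if key == "url":
            out[key] = scrub_url(value)
        elif isinstance(value, str):
            out[key] = EMAIL_RE.sub("[redacted]", value)
        else:
            out[key] = value
    return out


# Constructed sample event, shaped like what a naive integration would send.
SAMPLE_EVENT = {
    "event": "video_view",
    "time": 1700000000,
    "email": "user@example.invalid",
    "ip": "203.0.113.57",
    "properties": {
        "url": "https://example.invalid/api?confirmemail=user@example.invalid&video=123",
        "video_name": "constructed title",
        "keywords": ["constructed", "keywords"],
        "note": "contact user@example.invalid",
    },
}

if __name__ == "__main__":
    print(sanitize_event(SAMPLE_EVENT))
```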
> We may see some interesting news in a few days.
Similar to Ashley Madison data breach, vulnerable to extortion and various shenanigans.
I get these spam emails all the time. Some "hacker" has my Pornhub history. They even have video (they "hacked" my laptop camera) of me, uh, enjoying myself. They're gonna leak all of it if I don't send them Bitcoin. I think it's hilarious because I'll provide that data to anyone who asks - no need for "hacking". But I'm 100% confident no one wants that data. LOL