BangBros has allegedly exposed sensitive user and model information. This revelation comes from the cybersecurity research team at Cybernews, which discovered over eight gigabytes of sensitive data in June.

The leaked data includes IP addresses, usernames, messages, countries, geolocations, and model details such as names, ages, and descriptions. Mantas Kasiliauskis, an information security researcher at Cybernews, explained, “Although the credentials were not leaked directly, hackers can associate the IP addresses with the identity from other leaks.”

The data was first indexed by search engines, where it appeared on June 3rd, 2024. The instance is now closed. However, there’s a risk that malicious actors or other third parties have also accessed and exfiltrated the data.

The exposed data was stored on an unprotected instance of Elasticsearch, a distributed document storage system often used for high-volume data. The largest file contained nearly 11 million records. Cybernews researchers believe this data was left unprotected due to an inadvertent configuration error.

The sensitive information in the leak includes the following:

• IP addresses
• Usernames
• User agents (device type, OS, browser, version, configuration, etc.)
• Messages (feedbacks)
• Country
• Geolocation (latitude and longitude with four decimal places, meaning a precision of approximately 11 meters (36 feet), which may be derived from IP)
• Model names, genders, descriptions
• Model statistics (upvotes, downvotes, views)

Upon discovering the leak, Cybernews contacted BangBros, and the company promptly fixed the error. However, the risk to users remains if adversaries accessed the data.

“If bad actors managed to get their hands on this data, they might trace and link adult content viewers’ habits to specific individuals,” Kasiliauskis warned. “Combined with other private information, this could lead to significant privacy issues, cause personal embarrassment, and result in social stigma in places with conservative attitudes.”

The incident highlights the growing prevalence of cyberattacks and data breaches. Cyberattacks now occur roughly once every 39 seconds, with more than 800,000 people falling victim each year. Notably, 17% of all data breaches involve malware infections, and criminal hacking is responsible for over 45% of sensitive data leaks. Malware attacks cost companies an average of $2.6 million, with 95% of all breaches targeting government organizations, technological companies, or retail groups.

Cybersecurity professionals estimate that more than 800,000 people experience ransomware attacks, phishing attacks, or data security breaches each year.

Notable data breaches in recent history underscore the magnitude of the problem. Marriott experienced a security breach that exposed the information of over 142 million guests. Twitter (now X) suffered a breach targeting accounts of former presidents and world figures, including Elon Musk, resulting in 300 transactions worth $121,000 in Bitcoin. Hackers stole the information of more than 57 million Uber drivers and customers. Yahoo endured one of the largest data breaches ever, with over 3 billion accounts hacked.

Information from over 8 million users was downloaded by a former disgruntled employee through Cash App Investing, a stock trading feature accessible through CashApp’s service. It’s important to note that information held through Cash App Investing is separate from Cash App’s main product, which is a person-to-person payment service.

Most recently, AT&T learned that customer data was illegally downloaded. The data does not contain the content of calls or texts, personal information such as Social Security numbers, dates of birth, or other personally identifiable information. It also does not include some typical information you see in your usage details, such as the time stamp of calls or texts.

As cyberattacks become increasingly sophisticated and frequent, organizations across all sectors must prioritize cybersecurity measures to protect sensitive data and maintain user trust.

The BangBros incident serves as a stark reminder of the potential consequences of data breaches, especially considering the government wants you to share your driver’s license and other biometric data online with new age verification laws.