Adult site Luscious data breach affects more than a million users

data leak warning

Adult content-sharing website Luscious has suffered a data breach, exposing the private information of 1.195 million of the site's users.

The leaked information included usernames, personal email accounts, locations, gender, activity logs and in some cases full names.

Researchers from vpnMentor discovered the breach last week and that it was patched on Monday. It estimated around 20% of the accounts used fake email addresses but highlighted that 800,000 genuine accounts and actively used emails were breached.

The researchers also said that "many users" joined Luscious using their government email addresses, evidence of this came from users in Brazil, Italy, Australia and Malaysia.

"This adds a great deal of additional vulnerability not just to the users, but also their employers," said vpnMentor. "With access to employee email addresses, criminal hackers can target government agencies and departments in a number of ways."

Users affected mainly resided in France, Germany, Russia, Brazil, Italy, Canada and Poland and their leaked user activity revealed uploaded videos, user IDs, followers, accounts followed and blog posts.

The blog post exposures were particularly concerning to researchers due to how emotionally charged they were. Depressive and otherwise vulnerable content was viewed by researchers in the breach which de-anonymised many users, tying the content to their real identities.

Those who uploaded images to the site were also indexed including details of who created them.

"A data breach on this scale is always a serious issue and some might say that the sensitivity of this site makes it all the more worrying - with an increased potential for hackers to exploit individual site users whose identities have been exposed," said Ed Macnair, CEO at Censornet. "The nature of the data taken is also concerning - it has been reported that some of the users had government email accounts.

"This is hugely concerning as it risks exposing an entire organisation to an attack. It is therefore vital that organisations - government or otherwise - put strict measures on internet activity at work and discourage the use of work email addresses for personal services," he added.

vpnMentor notes that the effect of the data breach could be "ruinous" for the affected users' personal lives and relationships.

Access to the breached information gives hackers the opportunity to exploit users in things like sextortion scams or to just expose them online for being members of, and possibly posters to, the site.

In addition to sextortion scams, which the researchers said "given the sensitive nature of this data breach, victims are incredibly vulnerable and likely to pay", leaking email adresses and names also gives phishers the ammunition they need to construct sophisticated campaigns.

"By revealing personal details like email addresses and location, the Luscious data breach helps criminals target users for future exploitation, fraud, or theft," said vpnMentor. "They can use this information to create effective fraudulent emails and send them directly to a user's email inbox - that way, they also stand out from spam and junk mail."

Users have been advised to change their login details immediately, including usernames and email addresses. They've also been advised to make usernames completely unrelated to the associated email address to reduce the risk of being identified.

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.