Consortium Steals Identities via Adult Site
One of the world’s top adult-entertainment companies appears to have had one of the world’s least secure websites. I find this pretty ironic, especially following the recent attacks by “Anonymous.” Why would you store tens of thousands of usernames and passwords in “plain text” rather than with a high level of encryption, such as 128-bit encryption? That goes even more so for credit card numbers, which should be stored with a minimum of 256-bit encryption, with algorithms.
A statement from Digital Playground said in part:
“Due to an alleged security breach, Manwin elected to temporarily shut down Digital Playground, and related websites, on March 5, 2012.”
Manwin officially took over Digital Playground and related assets on March 1, 2012, and according to allegations, the potential breach may have occurred prior to that date.
Hackers using the previously unknown moniker “The Consortium” claim to have broken into the servers of DigitalPlayground.com last weekend and stolen 72,000 usernames and passwords and 40,000 credit-card numbers.
“We are The Consortium, and we have something special for our first release,” reads a manifesto purportedly posted at admin.digitalplayround.com and reproduced on a mirroring site. “You see for a while now we have had access to digitalplayground.com, one of the five biggest porn sites in the world. But it doesn’t need any introduction from us.”
As of the afternoon of March 9, the front page of DigitalPlayground.com was up, but most links to internal pages went nowhere.
The sole link that worked, under the banner “Digital Playground is temporarily unavailable,” went to a page that stated, “We are currently verifying the security parameters on this site and upgrading the entire system in order to better safeguard your information.”
To paying users of DigitalPlayground.com, the second page apologized for the inconvenience and offered one month’s free membership at rival porn sites.
“This site has so many freaking holes that if I didn’t know it was a porn site, I would have mistaken it for a honeypot,” The Consortium’s posting quotes itself as saying.
It then goes on to describe in painful detail all the data it found relatively unprotected on Digital Playground’s servers, including the usernames and plaintext passwords of the company’s stars, some of whom are fairly well known. “Jesse Jane’s password was on average stronger than the admins of the site, we tip our BlackHats to you Ms. Jane, one reason among many to love this mynx,” read the posting.
All of the 100 user passwords given as examples were in plaintext, not encrypted as security best practices demand. Even worse, the hackers claim that all credit-card numbers and card security codes were as well, though large parts of the two numbers used as examples were blacked out.
“These credit cards are all plaintext, but we will not be releasing or using as we do this for the love of the game not for profit and these peoples only crime was wanting some porn. We cannot justify releasing these people’s credit card info, but remember it is DP that allowed this to happen.”
The manifesto ends with a list of video files contained within the site, along with directions for downloading them for free.
If you’re a registered user of DigitalPlayground.com, here are two things you should do right away: Change the password on any other site or account that shared your Digital Playground password, and contact your credit-card company to put an alert on your account.
Parts pulled from: MSNBC