VTS Media's privacy gaffe leaves thousands at risk for blackmail and harassment.

A group of webcam sites belonging to VTS Media, including webcampornoxxx.net and amateur.tv, failed to protect sensitive personal information of its database of users and webcam models.

Based in Spain, with a database of clients from all over the world but mainly focused across Europe, the popular sites left data such as private messages, login information, email, and IP addresses unencrypted.

According to VTS Media, the leaked data was taken between May 24, 2019, and September 4, 2019. It affects 330,000 users, approximately half of which are webcam models and half are clients.

Of particular concern is that the leak allows connections to be made between usernames, personal information, and videos watched, exposing users’ sexual behavior.

This raises the risk of blackmail and threats for all performers and users who had their information exposed.

It also leaves people belonging to marginalized groups at risk of being outed and targeted for online and in-person abuse, such as members of the LGBT+ community, sex workers, and users with kinks and fetishes.

Some of these users could be connected to personal information, allowing for the doxxing of site users. The practice of doxxing refers to the process of posting or sharing private and identifiable data about a person with the intent of causing direct or indirect harm.

Although the database has now been hidden, all users and sex workers across any of the affected sites should take steps to protect their information, including changing usernames and passwords in order to limit fraudulent activity on their accounts.

This leak did not affect the payment systems, which were instead processed by a separate provider off-site and are protected.

Therefore, users do not need to be concerned about the safety of their credit card details. Sites across VTS media only hold the last three digits of the card, which would not allow for fraudulent purchases to be made.

VTS Media responds

A statement made by the owner of the webcam sites, VTS media, confirmed the leak occurred, but clarified that steps have since been taken to ensure that users’ data is better protected in the future.

VTS Media said it has now encrypted all information stored by the site, meaning that personal data would not be accessible if there were to be another leak or cyber incident. It has also reached out to all users affected by the leak via email to discuss measures to secure their accounts.

VTS Media claims the exposed data was not going to be used for analysis or curating user-profiles and stated that the collection of this data was due to a “technical malfunction,” which allowed for the storage of login information.

This issue is under further investigation by the site in order to understand how this error was made.

The dark side of database leaks

This is not the first time that a website has leaked personal information of a sensitive, sexual nature.

In 2015, the extramarital affair website Ashley Madison suffered a cyber attack, accessing the personal information of users including their legal names, addresses, and payment records.

This information was posted on the dark web in a data-dump and led to a rise in online hate crimes and two unconfirmed reports of suicides due to the information leaked.

Ashley Madison settled a class-action lawsuit against the users who suffered from the leak for $11.2 million in 2017.

Furthermore, in August 2019, adult content-sharing site Luscious left user data unprotected allowing access to over 1 million accounts. The website was popular for pornographic content and blog posts, but due to an error in authentication on the site, all user data was available to view such as full names and email addresses so that the content posted could be de-anonymized.

However, unlike previous leaks, VTS Media is located in Spain and thus part of the European Union, which introduced General Data Protection Regulation (GDPR), bringing into effect tighter restrictions on data management.

The release of private data can lead to a hefty fine of up to 4% of the annual turnover. There has not been a response from VTS Media in relation to GDPR concerns.

It will be interesting to observe how this leak impacts future policy regarding data protection on online sex sites and the steps webcam and pornographic websites will take to better protect the privacy and anonymity of their users.

Image sources: pixel2013