Thursday, February 23, 2012

The YouPorn Chat leak revealed a lot more than email addresses and passwords

Yesterday came the news that YouPorn Chat (a third-party chat service affiliated with YouPorn) had accidentally left log files containing information about registering customers on a public server. The data appeared to have exposed the email addresses and passwords of many people signing up for their chat service between 2008 and 2012.

That seemed pretty bad, but there's something even more surprising in the YouPorn Chat data: phone numbers and dates of birth. The data saved in the log files includes the username, password, email address, country and various other bits of internal information.

But there are two other fields that don't seem to be mentioned in news reports: dob and msisdn. The dob looks like it's the date of birth of the person registering and it is always filled in (although many of those dates of birth are likely to be random selections: who'd give their real date of birth to a porn chat site?!?).

The msisdn is even more interesting. It looks like it's the header that some mobile phone services send containing the mobile subscriber's phone number. (It's not clear from the hacked data whether YouPorn Chat was asking people to volunteer their phone number or not, although if I had to guess, the use of the term 'msisdn' makes me think it came from the relevant header.) Since the chat site appears to be down, I can't check whether they were asking for the phone number; if they weren't, then it looks like they were capturing the number, probably without the user knowing (can anyone who's seen the sign-up form confirm this?).

However the msisdn was obtained, there are real phone numbers in there: almost 40,000 entries with a phone number of some kind.

So, for some accounts you've got email address, password, date of birth and phone number. Not to mention all the people who used their work email address to sign up for YouPorn Chat.

PS A careful look at the numbers reveals that some look faked and some look like non-mobile numbers. That would point to the most likely explanation being that YouPorn Chat asked for the person's phone number.

