Members of the porn site xHamster should be changing their passwords today after a set of nearly 380,000 usernames, emails and poorly hashed passwords appeared online.
The subscription-only breach notification site LeakBase has published the set of login credentials, which Motherboard reports were being traded online. It’s not clear exactly where the database originated, but it contains information for only a small subset of xHamster’s 12 million registered users. While xHamster doesn’t require viewers to register with the site, those who do can comment and make video playlists.
Still, the leaked information has the potential to embarrass users — several of the accounts are linked to U.S. Army and other government email addresses. If xHamster’s subscribers reused their passwords on other sites, their accounts on those sites are at risk of compromise, as well.
“The passwords of all xHamster users are properly encrypted, so it is almost impossible to hack them. Thus, all the passwords are safe and the users’ data secured,” an xHamster spokesperson told Motherboard.
But a spokesperson for LeakBase disagreed, telling TechCrunch that the passwords were hashed with the MD5 algorithm, which is considered insecure. “MD5 hashes are trivial and easy to crack,” the spokesperson said. “The fact they think the hashes are secure is a blatant example of the faulty security placed in companies even to this day.”
LeakBase provided TechCrunch with a set of 60 user credentials in order to verify the breach, and the emails do appear to correspond with registered xHamster accounts.