A popular hentai porn site that promises anonymity to its 1.1 million users left a user database exposed without a password, allowing anyone to identify users by their email addresses.
You might not have heard of Luscious.net unless you’re into hentai and manga porn but it’s one of the most popular websites in the U.S., ranking in the top 5,000 sites in traffic, per Alexa data.
Security researchers discovered the security lapse and provided exclusively to TechCrunch details of the exposed database.
But our efforts to reach the site owner over the past week to get the database secured were unsuccessful. We emailed the owner — whose email address was found in the very first user record — to disclose the security lapse, but we did not hear back after several follow-ups. We sent the owner a note through the site’s contact form, through Facebook Messenger and over a LinkedIn contact request, and we sent several text messages based off the site’s historical registration data.
We passed on a message to the site’s web host, which took action to block access to the database, allowing us to publish.
Only after we published, the site’s owner responded to our emails and confirmed the security lapse. “We will be reaching out to any compromised users to warn them about the potential exposure of their private email addresses,” said the site owner.
The database contained what appeared to be the site’s entire back-end database, including more than 235,000 albums, 30,000 user blog posts and 900 videos. The data also contained details of the site’s 19.7 million photos.
The exposed data also included records that connected all of a user’s activity on the site, including their username, blog posts, followers and locations. Those records also contained users’ non-public email addresses. We found that although some accounts signed up with a fake email address, our testing showed that many of the emails were real, allowing us to identify real-world individuals who used the site.
There were no passwords in the database, however.
TechCrunch verified the exposed data by creating an account on the site and searching for the username we had just created in the database. It appeared near-instantly, indicating the database was live updating and was not a static backup file.
The database was exposed since at least August 4, according to data from Shodan, a search engine for exposed devices and databases.
It’s the latest example of exposed or leaking data — where companies fail to protect their users’ data by protecting their databases with a password or basic security mechanisms. In recent months we’ve seen a cryptocurrency loan site expose credit cards, thousands of exposed medical injury claim reports and a security lapse at dating app JCrush.
Updated with response from site owner.