‘Hookers.nl is committed to privacy and we deeply regret the situation.’ Yeah, right!
A Dutch vBulletin forum for sex workers and their clients has reportedly been hacked using that infamous RCE vuln, baring the privates (and data) of a quarter of a million people.
The forum, named Hookers.nl in an endearingly Dutch way, currently has its user data for sale for just €300 on a cybercriminals’ forum, according to local broadcaster NOS.
“In addition to email addresses, this includes usernames, IP addresses and passwords. The passwords are protected and cannot be cracked just like that, but the email addresses of users are legible,” said the broadcaster, which viewed some of the data itself to verify the data blab.
Although users of the forum tended to sign up with pseudonymous usernames, apparently the email addresses registered to some accounts include real names, for example firstname.lastname@example.org.
The forum currently has a thread running in which alarmed sex workers and clients alike are asking site admins to delete their accounts and all details associated with them.
A statement posted by an administrator said:
vBulletin has released a software patch that we have implemented after testing to address the leak.
Nevertheless, a data breach has occurred and the email addresses have been stolen from all users. Please note the passwords. These email addresses have been offered for sale online by hackers. Offering this information for sale is punishable by law and if possible we will take legal action against this.
One panicky user replied: “The email address with which I originally registered is an old address that is no longer in use. So I no longer have access to this email address. I also cannot change the email address associated with this account in my profile settings: if I click on the ‘Account’ tab in my profile, I will always be redirected to the Hookers homepage. I cannot view or adjust my settings and data. Because I therefore cannot change my email address, I can therefore no longer change my account password!”
Meanwhile, the person hawking the stolen data told NOS: “It’s only about three hundred thousand users… Tens of thousands of websites are hacked every day. I’m not the devil. It’s not a question of whether your website is hacked, but when.”
Naturally, the stolen data presents a severe blackmail risk for anyone using the site who wouldn’t want this known in their public life.
Inevitably the hack will draw parallels with the Ashley Madison breach of 2015, where a site promoting illicit hookups for married couples had its entire user database lifted. Its internal security was pretty poor, as later investigations found.
Dutch tech news site Tweakers reported that the attacker used the same vBulletin vuln that Comodo failed to patch after the zero-day was made public in September. ®