Pornhub extorted after hackers steal Premium member activity data

Posted by coloneltcb 13 hours ago


Comments

Comment by alsetmusic 8 hours ago

I feel extremely fortunate that I am unashamed of my sexuality, sex drive, or sexual interests. While I'd prefer that my porn history remain private, if anyone ever tried to shame me for it, I'd have no problem telling them I own my human desires.

Now, if I was a repressed person living in an area where that threatened my safety, I'd be terrified. It's a privilege that I don't have to worry about it, and that's the real problem when we get past the technical reasons why this shouldn't have happened.

Comment by mitthrowaway2 6 hours ago

I hope your employer and/or customers would share your attitude! Some people, depending on their occupation, might find their jobs at risk even with fairly "vanilla" viewing habits.

Comment by nonameiguess 6 minutes ago

This is always the response to something like this but the problem is still repression. If every employee's porn viewing habits were revealed, then the employer and customers would have no choice but to still employ you and buy from you unless they want to stop doing business with all humans whatsoever, because all of them enjoy sex, even the employers and customers themselves. They don't even actually care and put on the facade because they feel social pressure themselves to pretend they don't have exactly the same urges and feelings. We can't fire the entire world.

Comment by Griffinsauce 5 hours ago

This is a weird state of affairs though. This is such a thoroughly private thing, it does not impact your work (unless illegal content is involved), so why do we care?

I know it's some sort of "trustworthiness" but that is objectively complete bs.

Comment by rgmerk 4 hours ago

You might not care, but plenty of people clearly do. The current speaker of the US House of Representatives apparently cares a great deal:

https://www.theguardian.com/us-news/2023/nov/06/speaker-mike...

Comment by gessha 5 hours ago

Women have been fired for less so it really depends on your situation.

Comment by AlecSchueler 1 hour ago

> I feel extremely fortunate that I am unashamed of my sexuality, sex drive, or sexual interests

You're also lucky to live somewhere where you wouldn't face job loss, familial estrangement or even anything up to capital punishment for it.

Comment by qingcharles 1 hour ago

I remember the head of security for a large ISP in the mid-90s tapping the IRC PRIVMSG traffic and extorting some gay guys who weren't out.

Comment by mystraline 8 hours ago

> While I'd prefer that my porn history remain private

That's a problem as well. Right now, you're 'safe'. But having that data available attached to you can also be dangerous to you in the future.

For example, the current wave of trans-hate can easily show you as a sympathizer. That can be criminalized quite easily, given 1/4 of the country hates trans people existing.

Being gay is right now not a crime in the USA, but it has been. And many regressive countries, predominantly Muslim, also have strong punishments for gay actions. Again, this material could easily be proof of a "deviant lifestyle" and legal punishments.

No, if I consume porn, I download from Piratebay, or hop on VPN and not login. And given I live in a state that Pornhub banned due to onerous age verification/identity tying, the what-if above could easily become true. I've read Project2025 and saw those exact plans.

Comment by defrost 6 hours ago

> many regressive countries, predominantly Muslim, also have strong punishments for gay actions.

For accuracy it's worth stating this is only a recent occurrence.

Right now:

Nations with anti-LGBT laws: 50% Muslim, 44% Christian (2024)

  Half (33) of the world’s 66 countries that have anti-LGBT laws are nations where a majority of the citizens are Muslims.

  By comparison, 29 Christian-majority countries account for 44 percent of the countries that still have anti-LGBT laws on their books.
~ https://76crimes.com/2024/02/11/nations-with-anti-lgbt-laws-...

However this "predominantly Muslim" twist in the numbers is recent:

  In recent years, the number of Christian-majority nations with anti-homosexuality laws has shrunk, both through court rulings (Barbados, St. Kitts and Nevis and Antigua and Barbuda in 2022; Trinidad in 2018; Belize in 2016) and through legislative action (Cook Islands in 2023, Singapore in 2022, Angola and Botswana in 2019, Seychelles and Nauru in 2016, Mozambique, São Tomé and Príncipe, and Palau in 2014).
~ (quote from above source)

Uganda, with an 82% Christian population, is famously severe in its punishments for gay and queer sexual activity.

With the support and funding of US conservative Christians:

US religious right at center of anti-LGBTQ+ message pushed around the world

~ https://www.theguardian.com/world/2023/jul/09/us-religious-r...

Comment by pdpi 4 hours ago

> Nations with anti-LGBT laws: 50% Muslim, 44% Christian (2024)

This statistic makes the exact opposite of the point you're trying to make, though.

Going through this table[0], and provided I didn't make any dumb mistakes with my JS, there's 122 Christian majority countries, but only 54 countries are Muslim majority. So 33 out of 54 Muslim majority countries have anti-gay laws, compared to only 29 out of 122 Christian majority countries with such laws. (The more interesting comparison would perhaps be counting number of people rather than countries, though, and it still says nothing of the severity of said laws).

0. https://en.wikipedia.org/wiki/Religions_by_country#2020_Pew_...

Comment by ethagnawl 7 hours ago

> 1/4 of the country hates trans people existing

I'll need to dig up a reference but I've seen multiple sources cite that that 1/4 watches a disproportionately high amount of trans porn. The topmost commenter is spot on about how much harm our prudishness is doing to us all.

Comment by mmooss 7 hours ago

> watches a disproportionately high amount of trans porn

That doesn't mean they don't hate trans people. Most porn shows women yet it's a hotbed of misogyny.

Comment by dragonwriter 4 hours ago

Yes, bigotry against a group and sexual fetishization of the same group (and, frequently, constructing a narrative in which such fetishization is deviant but the fault of the group targeted and not the fetishizers, such that the fetish further justifies the bigotry) frequently go together. You see this with racism of all forms, you see it with transphobia, and most commonly but perhaps least frequently commented on as a manifestation of the same effect, you see it with misogyny. And that's very much not an exhaustive list.

Comment by WillPostForFood 7 hours ago

> That can be criminalized quite easily

How exactly could trans sympathy be "criminalized"?

Comment by why-o-why 3 hours ago

Have you ever heard of the US FBI and its head, Pam Bondi? Here's how she did it:

https://www.advocate.com/politics/pam-bondi-trans-equality-b...

Comment by nkrisc 7 hours ago

Declare “trans” a terrorist organization.

Comment by dragonwriter 5 hours ago

You can't just declare an identity a terrorist organization.

I mean, that makes as much sense as declaring an idea like antifascism a terrorist organization, which is clearly impossible.

Comment by protocolture 4 hours ago

Years ago I got into/started a fight in a city.

After the fight, the brawl was blamed on the other participants, all of whom were wearing emo clothing. Black shirts, band logos, jeans.

The local police went as far as enacting a local anti-gang ordinance, identified the emo wear as gang colours, and with 2 hours notice, advised that those colours were not allowed in the city for 48 hours. The security guard who helped break things up was chatting to me about it, laughing at it like it was a common consequence.

A local taxi company was cleaning up, as they accepted each emo kid, in groups of 1 - 4 and took them home to the suburbs. 20 taxis lined up, picking up kids.

Probably my first political WOW moment. I had never seen ~120 people pay for the consequences of the actions of a few.

True to their word, it was 48 hours or more until I spotted them in the city again.

Governments can make any law they wish, cops tend to enforce any law they wish. Courts and appeals take time. There is nothing preventing that same city from declaring pride flags or trans icons as gang symbols.

This wasn't even in the US.

Same shit could happen anywhere, Trump could declare them terrorists identified by their symbols and tattoos, he could enforce inspections of their social media at airport checkpoints. Considering what was legal and enforced in the US in its history there's really nothing off the table going forward for persecuting anyone.

Comment by stronglikedan 6 hours ago

that's not how this works. that's not how any of this works.

Comment by rsynnott 42 minutes ago

I mean, clearly it shouldn't be how it works, and is not how it works in sensible countries, but, as people have noted, it does seem to be what ol' minihands is going for in the US.

Comment by hiddencost 6 hours ago

[flagged]

Comment by mmh0000 7 hours ago

What's great about Wikipedia... There's an article for EVERYTHING!!

https://en.wikipedia.org/wiki/Capital_punishment_for_homosex...

Comment by WillPostForFood 5 hours ago

Not sure how passing a law that makes homosexuality punishable by death,

1: would be easy

2: would apply to sympathizers

3: would be possible

Comment by sapphicsnail 4 hours ago

It's been done before

Comment by neilv 9 hours ago

I wonder what will be the watershed lawsuit event that makes tech companies consider capturing and holding PII to be liabilities.

Comment by xethos 9 hours ago

Agreed, but this was search and watch history. I can see an argument for not keeping search history, but if I'm paying for Spotify, YouTube, or Netflix, I'd like to go back to that song or video I enjoyed last week but can't recall the name of.

In other words, this is data we as consumers want to be able to access, and therefore want kept.

Comment by afavour 7 hours ago

It doesn’t have to be synced to the cloud though. Even if you want it on multiple devices, if the tech industry decided to try just a little bit you’d have a cross device, local store sync solution. But there’s money to be made from tracking so it gets stored on hackable cloud servers.

Comment by mmooss 5 hours ago

I was thinking the other day that people have forgotten that end-user data confidentiality is relatively simple, generally speaking, but we have built the wrong infrastructure (so far).

Comment by MangoToupe 9 hours ago

> but if I'm paying for Spotify, YouTube, or Netflix, I'd like to go back to that song or video I enjoyed last week but can't recall the name of

Surely this is up to the client, or perhaps explicit bookmarking capabilities. Not implicit records of what you looked for in the past

Comment by dkokelley 9 hours ago

You CAN turn off watch history in Youtube (not sure about Spotify). However, for better or worse revealed preferences seem to show that people prefer automatic content recommendations over doing the search & bookmark work themselves.

Comment by ryandrake 9 hours ago

Is it a revealed preference or is it an inevitable result of making the UX to turn it off hidden, frustrating to use, and come with unwanted side effects?

If companies actually think "users really, really want X" then they should have no fear making X opt-in.

Comment by zamadatix 8 hours ago

Some things need to be opt in but most things don't. What makes sense to have which way is not as simple as saying "if people wanted it, they'd configure it that way". Imagine how many problems having to opt in to keeping recent files or whatever on each program you use on all of your devices would be. Apart from the annoyance of setting it up, the annoyance of forgetting to set that (among a dozen other opt-ins) on one of your dozens of programs and finding out only when you can't remember the name of the document you had open yesterday. Most people would "opt in" to use a provider which has what most consider "sane" defaults instead.

But there are obviously MANY things we prefer to keep opt-in. E.g. sharing my recents data with 3rd party advertisers. No need to throw the baby out with the bath water and make every service awful by default just to have a universal rule to quote though.

Comment by bayesnet 8 hours ago

All for privacy, but if you have Watchtube that has worse, less relevant personalization by default and Viewtube with better, more personalization by default, my guess is Viewtube will win the day with users

Comment by schoen 9 hours ago

I believe Bruce Schneier suggested more than twenty years ago now that we think of personal data as like a form of toxic waste or pollution, but this metaphor doesn't seem to have caught on widely.

Comment by yakshaving_jgt 8 hours ago

I thought you were thinking of this: https://youtu.be/GAXLHM-1Psk?si=hVjBZNsmmdh-P9n8

Brilliant talk.

Comment by TheCraiggers 5 hours ago

We already had some of that with the Target credit card fuck up that birthed PCI rules, which in turn birthed lots of payment card processors just so companies could wash their hands of all card holder PII rather than meet with their insane auditors.

Comment by Nextgrid 9 hours ago

A leak of politicians' dirty habits should hopefully do it.

Comment by neilv 8 hours ago

Like previously happened with video store rental records?

https://en.wikipedia.org/wiki/Bork_tapes

> The subsequent leakage and coverage of the tapes resulted in Congress passing the Video Privacy Protection Act (VPPA), which forbids the sharing of video tape rental information, amidst a bipartisan consensus on intellectual privacy.[8][9][10] Proponents of the VPPA, including Senator Patrick Leahy, contended that the leakage of Bork's tapes was an outrage.[11][12] The bill was passed in just over a year after the incident.[13][14]

Comment by mc32 7 hours ago

Yeah and that was for innocuous tapes. Imagine what they would have done if the rentals had been salacious?

That said, if I were to imagine myself working at a place like that when they existed, I can't see myself turning over customer data like that willy-nilly to someone fishing for information. Like are you the police, what gives?

Comment by le-mark 8 hours ago

I wouldn’t count on it. The current administration has normalized the complete lack of decency and accountability.

Comment by newspaper1 8 hours ago

Interestingly enough there's a legislative push to make companies verify your real ID, I believe many porn companies already do this.

Comment by dyl000 27 minutes ago

if you have an account on a porn site you were a lost cause anyways.

Comment by rurban 4 minutes ago

With an anonymous name and a throwaway email of course.

Comment by rjdj377dhabsn 7 hours ago

Why are so many people paying for premium or even making an account at all?

The amount and variety of free porn is already enormous.

Comment by r0m4n0 5 hours ago

No clue but don’t some states require that you prove your age to view content? That would force you to share private information that could be leaked like this which is even more worrisome.

Comment by dieselgate 2 hours ago

Maybe it’s similar to onlyfans where people get to chat with or receive messages from a model. People also create accounts to upload content.

Comment by D-Machine 5 hours ago

Yeah, if users end up paying for this leak, this unfortunately ends up, practically, being a stupidity tax...

EDIT: Best argument for paying for porn is to support the performers, but paying for a generic porn streaming service hardly seems the best way to do this.

Comment by lisp2240 5 hours ago

Why do you have a HN account? The internet is full of words.

Comment by Beijinger 4 hours ago

I can't post on HN without an account. How many people upload videos there? (Assuming that it is even possible for an average joe to upload porn there).

Comment by D-Machine 4 hours ago

An HN account also doesn't even require a verified e-mail...

Comment by adithyassekhar 1 hour ago

Why haven't we been flooded with spam yet?

Comment by rkagerer 4 hours ago

Forget the breach, what are they doing allowing a third party like Mixpanel access to such sensitive data in the first place?

I always teach companies to treat user information as somewhat toxic (i.e. a liability). Search and view history... it doesn't get much more personal than this.

Comment by cmiles8 12 hours ago

More Mixpanel shenanigans.

Comment by jfindper 11 hours ago

>ShinyHunters

I had an inkling! They've been on a roll this past year or so.

>This data includes a PornHub Premium member's email address, activity type, location, video URL, video name, keywords associated with the video, and the time the event occurred.

Well, that's pretty fucking wild! Email address & time and location sent to a 3rd party, nice! Absolutely no reason for that, of course. Especially considering these are paying customers!

I guess somewhat notably is Mixpanel denying that it's coming from their November breach. They have less incentive to lie in this case, given that they've already admitted to being breached, and (presumably) their systems & logs have been gone over with a fine-toothed comb to identify all affected parties:

>"The data was last accessed by a legitimate employee account at Pornhub’s parent company in 2023. If this data is in the hands of an unauthorized party, we do not believe that is the result of a security incident at Mixpanel."

Comment by reorder9695 10 hours ago

This is a shining example of why I will never upload my ID to something I do not want publicly associated with me.

Comment by arealaccount 10 hours ago

Conversely, being forced to use a VPN for these services is great for your personal opsec :)

Comment by dredmorbius 10 hours ago

That entirely depends on the trustworthiness, and opsec, of the VPN operator.

Comment by mywittyname 10 hours ago

Cheap VPNs are cheap for a reason -- you are the product (well, your internet traffic and/or access to your home connection).

Comment by jorvi 9 hours ago

Private Internet Access has denied under oath that they have logs to turn over.

There is no reason to think that more reputable activist providers like Mullvad or AirVPN would if a party like PIA already doesn't.

I'd steer clear of NordVPN though. They have lots of controversy in their history and they are very financially motivated, considering the deluge of YouTube sponsorship and ads they pay for each year. Still don't think they would lie about no logs but why risk it.

Comment by Bender 8 hours ago

> Private Internet Access has denied under oath that they have logs to turn over.

Did they also testify under oath there is no lawful intercept API or anything similar? That does not require logs. In fact when the feds would set up phone call intercepts on telco switches we would intentionally disable logs and put the mainframes into "test mode". And that is even before people start playing legal word games like calling lawful intercept "debugging" or something else. Lavabit [1] found out what happens if lawful intercept is not available.

Just me personally, I would always assume a service I do not entirely control and operate is doing what it can to comply with lawful intercept requirements and they are likely playing word games to not drive away their members and I would not blame them. I am just the properly paranoid type in part due to a good upbringing by a properly paranoid person.

[1] - https://en.wikipedia.org/wiki/Lavabit

Comment by bloomingeek 5 hours ago

> I am just the properly paranoid type in part due to a good upbringing by a properly paranoid person.

I say you've properly got your eyes open. Anyone who thinks anything you do online is completely private is naive. IF any government wants to know what you've been up to online, nothing can stop them. Privacy is a thing of the past, we should vote only for politicians who say they want the government out of our backyards, banks and bedroom. Oops, too late!

Comment by belorn 9 hours ago

Websites that use third-party analytics will at minimum send the IP address, time and the URL when users access pages. It is also very likely they will send API calls if the developers want to track those.

So any call that looks like "https://example.invalid/api?confirmemail=user@example.invali..." would cause a leak of the email. I have seen multiple companies and websites do this (either with email or username) when signing up or after first login, and I would strongly guess that most if not all of them use some kind of analytics for that request that leaked data.

Web developers are supposed to scrub their sites so that doesn't happen, but then the main arguments in favor of using third-party analytics is the convenience of enabling it globally with minimum effort and then getting pretty graphs for free. There are occasionally HN posts about self-hosting analytics and the common response is that it's too hard and too much work.
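Below is an added example (not code from the thread, from Pornhub, or from any analytics vendor) of the scrubbing step the comment says developers are supposed to do: before a page URL is handed to an analytics SDK, every query parameter not on an allowlist is dropped, the values of allowlisted parameters are screened for things that look like an email address or an opaque token, and the fragment and userinfo are removed. The allowlist, the placeholder strings and the sample URLs are constructed for the example; the `confirmemail=` pattern mirrors the one quoted above.

```javascript
'use strict';

// Query parameters allowed through to analytics (constructed allowlist for the example).
const ALLOWED_PARAMS = new Set(['page', 'sort', 'lang']);

// Even an allowlisted parameter gets its value checked, in case a harmless
// name is later reused for something sensitive.
const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;
const OPAQUE_RE = /^[A-Za-z0-9_-]{24,}$/;   // tokens, session ids, long hashes

function scrubValue(value) {
  if (EMAIL_RE.test(value)) return 'redacted_email';
  if (OPAQUE_RE.test(value)) return 'redacted_opaque';
  return value;
}

// Returns the URL the analytics SDK is allowed to see: path kept,
// non-allowlisted query parameters dropped, allowlisted values screened,
// fragment and userinfo removed (fragments often carry OAuth tokens).
function scrubUrlForAnalytics(rawUrl) {
  const url = new URL(rawUrl);
  const clean = new URLSearchParams();
  for (const [name, value] of url.searchParams) {
    if (ALLOWED_PARAMS.has(name)) clean.set(name, scrubValue(value));
  }
  url.search = clean.toString();
  url.hash = '';
  url.username = '';
  url.password = '';
  return url.toString();
}

// Constructed sample URLs modelled on the confirmation-link pattern from the comment.
const SAMPLES = [
  'https://example.invalid/api?confirmemail=user@example.invalid&page=2',
  'https://example.invalid/watch?v=abc123&lang=en#access_token=constructed',
  'https://user:pw@example.invalid/search?page=user@example.invalid',
];

// Runs the scrubber over the samples; the first becomes https://example.invalid/api?page=2
function demo() {
  return SAMPLES.map(scrubUrlForAnalytics);
}

console.log(demo());
```

An allowlist is deliberately chosen over a denylist of "bad" parameter names: the comment's point is that the leak happens through parameters nobody thought about, and a denylist only ever covers the ones somebody did.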

Comment by wzm 10 hours ago

https://techcrunch.com/2018/02/05/mixpanel-passwords/

3rd party user tracking can slurp up a lot of unexpected data, and no one ever wants to disclose problems when a vendor loses things like this. MixPanel has a long history of problems.

Comment by tyre 10 hours ago

I don’t love location tracking but their statistics blog posts are usually pretty funny/interesting. And I’m guessing part of this is to work with specific laws. I read that in US states with draconian laws, they’re actively blocking users.

Comment by jfindper 10 hours ago

The thing is, you can do the same statistics without including the user's email address or otherwise directly linking a data point to a specific person.

They may need to retain certain information for laws, but they aren't obligated by law to also share that information with their analytics partners.

Comment by znpy 11 hours ago

>This data includes a PornHub Premium member's email address, activity type, location, video URL, video name, keywords associated with the video, and the time the event occurred.

I had always known, albeit intuitively, that registering to porn websites was a dumb idea.

Time has proved me right.

Comment by dredmorbius 10 hours ago

Time proved you right long ago. See the Ashley Madison breach (2015):

<https://www.wnycstudios.org/podcasts/otm/segments/what-can-w...> (audio and transcript).

Based on Paul Ford's blog entry: "Fairly Random Thoughts on Ashley Madison & the Swiftly Moving Line" <https://medium.com/message/fairly-random-thoughts-on-ashley-...>.

Comment by nephihaha 10 hours ago

I suppose it depends on a) what kind of content and b) your lifestyle otherwise.

Comment by bena 10 hours ago

I mean, no shit.

Getting compromised is more of a matter of time than ability. Someone's going to fuck up at some point.

Comment by darth_avocado 10 hours ago

Why as an engineer, would you log the entirety of a user’s info on mixpanel? I mean come on, how hard is it to have an obfuscated unique id for your users that can’t be traced back to them when logging info in third party apps? What benefit can you possibly get from logging email ids in mixpanel?

Comment by nullorempty 9 hours ago

1. Take emails from other breaches.
2. Make files similar in structure to the ones leaked, with junk links.
3. Flood the internet with this junk data.
4. Problem solved.

Comment by aussieguy1234 9 hours ago

Anyone who used their personal or work email to sign up to a site like pornhub should expect that email to be made public one day along with any other data they have on the site, including watch history.

In the case of personal emails, that same email can usually be used to look up the victim on social media (Facebook is an example) to reveal their identity, if, like most people, they used the same email on that social media site.

As most on HN will be aware, data breaches like this are extremely common. It's not a matter of if, it's a matter of when. NSFW sites in particular are more juicy targets and often have bad security.

Comment by rgmerk 4 hours ago

You might know that. I might know that. I can assure you that there are lots of people out there who don't realise it.

Comment by userbinator 6 hours ago

> work email to sign up to a site like pornhub

Unless you actually work in the adult entertainment industry, that seems like a massively stupid move; one that would likely lead to termination.

Comment by technion 3 hours ago

Honestly... be responsible for mail at a large enough enterprise and all I can say is you'd be surprised how many people make work emails their only emails.

Comment by NetOpWibby 7 hours ago

My 2021 watch history? Oh no!

Comment by temptemptemp111 11 hours ago

[dead]

Comment by dihsgitt 10 hours ago

[flagged]

Comment by standardUser 9 hours ago

[dead]

Comment by hereme888 6 hours ago

"I know what you did last summer"

Comment by b33j0r 21 minutes ago

0 results. Other users in your area searched for:

* I know who you did last summer

* I know who you did last, Summer

* no fault divorce laws near me

Comment by nusl 12 hours ago

Misleading title; a supplier of theirs was compromised.

Comment by thuridas 11 hours ago

But that transferred very sensitive data to a third party without anonymising the amount.

Just by replacing the email with a random anonymizedAccountId the impact would have been reduced from disaster to who cares. This was bad design from the start.

We may see some interesting news in a few days.

Comment by xp84 10 hours ago

Just mind-bogglingly stupid to send anything about users other than a UserID number/UUID to your web tracking software.

Of course, in a sensitive situation such as that, even IP address can also be problematic, and your 3rd-party tracking software vendor gets that automatically.

If these clowns had hired someone smart instead of just copy-pasting some tracking code and throwing their whole user object at it or whatever, they would have given this some thought.

I'd have used the ability to proxy the MP tracking calls to my own server which most of these services offer but few use. That server would not keep any logs and would perform coarse GEOIP, remove the IP itself or zero the last 2 octets, and relay that information into MixPanel using custom attributes.

Just a quick back-of-napkin sketch, but even that was more thought than they put into it.

Comment by 8cvor6j844qw_d6 11 hours ago

> We may see some interesting news in a few days.

Similar to Ashley Madison data breach, vulnerable to extortion and various shenanigans.

Comment by jimt1234 8 hours ago

I get these spam emails all the time. Some "hacker" has my Pornhub history. They even have video (they "hacked" my laptop camera) of me, uh, enjoying myself. They're gonna leak all of it if I don't send them Bitcoin. I think it's hilarious because I'll provide that data to anyone who asks - no need for "hacking". But I'm 100% confident no one wants that data. LOL

Comment by NetOpWibby 7 hours ago

LMAO!!

Enjoy the free show buddy