The vpnMentor cybersecurity research team, led by Noam Rotem and Ran Locar, have uncovered a leaking S3 Bucket with 19.95GB of visible data on a Virginia-based Amazon server, belonging to PussyCash and its network.
PussyCash is an explicit ‘cam’ affiliate network that owns the brand ImLive and other similar adult-oriented websites. This leak has exposed the personal data and likeness of over 4,000 models among more than 875,000 files and has high-risk, real life implications for said models.
PussyCash Company Profile
The owner of ImLive and PussyCash is officially listed as I.M.L. SLU, a company registered in Andorra.
PussyCash hosts affiliation programs for multiple adult sites, paying webmasters for traffic sent to the sites through banners and exit traffic. They boast 66 million registered members on their webcam chat arena, ImLive, alone. Other sites include Sexier.com, FetishGalaxy, Supermen.com, Shemale.com, CamsCreative.center, forgetvanilla.com, idesires.com, Phonemates.com, SuperTrip.com, and sex.sex, among others.
Partners listed on the PussyCash website include BeNaughty, Xtube, and Pornhub.
Timeline of Discovery and Owner Reaction
Sometimes, the extent of a data breach and the owner of the data are obvious, and the issue quickly resolved. But rare are these times. Most often, we need days of investigation before we understand what’s at stake or who’s leaking the data.
Understanding a breach and what’s at stake takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness.
Some affected parties deny the facts, disregarding our research or playing down its impact. So, we need to be thorough and make sure everything we find is correct and true.
In this case, the initial discovery led us to believe that the leak was limited only to a few records on an ImLive bucket alone. However, we eventually found files indicating that PussyCash is ultimately the owner of the leaking Amazon Simple Storage Service (S3) bucket.
Date discovered: January 3, 2020
Date company (PussyCash & ImLive) notified: January 4, 2020
Data Amazon notified: January 7, 2020
Date of reply from ImLive: January 7, 2020
Date of action: January 9, 2020
PussyCash never replied to any of our attempts to contact them regarding the data leak, including their Data Protection Officer. ImLive finally responded to one of our emails, stating that they would take care of it and pass on the information to the PussyCash tech team.
As PussyCash doesn’t hire talent through their main website, it is plausible to assume that their leaking data is from one or more of their other websites, such as ImLive. This is an assumption that we cannot prove without digging further into the data leak. We also saw records specifically mentioning ImLive, which is why we have chosen to use that as an example for portions of this report, and not necessarily the other PussyCash brands and sites. However, it is worth noting that the Bucket itself is named after PussyCash.
Examples of Entries in the Database
Data Impacted
There are at least 875,000 keys, which represent different file types, including videos, marketing materials, photographs, clips and screenshots of video chats, and zip files. Within each zip folder – and there is apparently one zip folder per model – there are often multiple additional files (e.g. photographs and scans of documents), and many additional items that we chose not to investigate.
The folders included could be up to 15-20 years old, but are also as recent as the last few weeks. Even for older files, given the nature of the data, it is still relevant and of equal impact as newly added files.
Photographs and scans of full passports and national identification cards, including visible:
- Full name
- Birth date
- Birthplace
- Citizenship status
- Nationality
- Passport/ID number
- Passport issue & expiration dates
- Nationally registered gender
- ID photo
- Personal signature
- Parent’s full names
- Fingerprints
- Additional country-specific details (e.g. emergency contact information for UK citizens)
Model release and Chinese passport
Brazilian ID card with fingerprint
Photographs and scans of Driver’s Licenses, including visible:
- Driver’s License number
- Photo
- Date of birth
- Height/weight
- Registered gender
- Full address
- Signature
- Type of vehicle the individual is permitted to operate
- Additional PII, varying by country (such as organ donor status and visual impediments for US citizens)
California (USA) Driver’s Licenses, including organ donor status
US Uniformed Services Identification card:
- Branch of service (e.g. Army)
- Military rank
- Color coding (denotes the holder’s current status: retired, active, privileged, dependent of military servicemen)
- Full name
Photographs and scans of Credit Cards, including visible:
- Full credit card number
- Expiration date
- Cardholder name
Texas Driver’s License; Chase Bank-issued Visa Card
Model release forms, including:
- Full legal name
- Professional aliases
- Signature
- Date of birth
- Address
- Phone number
- Passport/ID number
- Photographer’s name and address
- Witness name and address
- Body measurements (height, weight, hips, bust, waist)
- Details of piercings, tattoos, and scars
- Rates
Model release form indicating body measurements
Model indicating body piercings, including places to mark scars and tattoos
Social Security numbers and card scans:
Social Security (USA) card
Photograph of model holding identification cards (often two forms):
Czech model holds two forms of identification
Marriage certificates:
- Full name
- Spouse’s full name
- Occupation
- Age
- Parents’ names
- Date of marriage
- Place of marriage
Birth certificate scans:
- Full birth name
- Birth gender
- Date of birth
- Place of birth
- Nationality
- Parent’s names
Birth certificate of a British citizen
Handwritten bios, including:
- Sexual preferences (ie attractions, fantasies, methods)
- Hopes and dreams
- Current occupation
- Favorites, from music to food to hobbies
Handwritten biography page of a South American model
Countries Affected
These are the countries that we found, but we did not open each file and it is possible that there are more nationalities affected by the leak.
- Africa
- Asia
- China
- Israel
- Kazakhstan
- Kyrgyzstan
- Thailand
- Australia
- Europe
- Bulgaria
- Czech Republic
- Denmark
- France
- Germany
- Great Britain (incl. Wales)
- Italy
- Netherlands
- Poland
- Russia
- Serbia
- Slovakia
- Switzerland
- Ukraine
- North America
- Latin America
ImLive.com proclaims that they “take great care in implementing and maintaining the security of the Services and your information” and “have put in place appropriate physical and technological safeguards to help prevent unauthorized access, to maintain data security, and to use correctly the information we collect online. These safeguards vary based on the sensitivity of the information that we collect and store.”
In the “Hosts Data Privacy Notice,” ImLive includes an admittedly unexhaustive list of the data they will “collect, process, and store” during the contractual relationship with the models, which is as follows:
- PERSONAL INFORMATION: including legal name and contact information (full name, home address, phone number), date of birth, government identification numbers (driver’s license), citizenship/residency, personal status, photos and other data collection permitted or required by local law;
- ADDITIONAL IDENTIFICATION INFORMATION: including any name (other than the Host’s legal name) ever used by the Host, including the Host’s maiden name, alias, nickname, stage name, or professional name; a legible hard copy or legible digitally scanned or other electronic copy of a hard copy of the identification document examined and, if that document does not contain a recent and recognizable picture of the Host, a legible hard copy of a Picture Identification Card (as this term is defined below); a copy of the depiction (including live cams or advertising) and, where the depiction is published on an Internet computer site or service, a copy of any URL associated with the depiction. If no URL is associated with the depiction, the records shall include another uniquely identifying reference associated with the location of the depiction on the Internet; and for any Host in a depiction performed live on the Internet, a copy of the depiction with running-time sufficient to identify the performer in the depiction and to associate the performer with the records needed to confirm his or her age.
- PICTURE IDENTIFICATION CARD: including a document issued by either: (a) the United States, a US State government, or a political subdivision thereof, or a United States territory, that bears the photograph, the name of the individual identified, and the date of birth of the Host, and provides specific information sufficient for the issuing authority to confirm its validity, such as a passport, permanent resident card (commonly known as a “Green Card”), or employment authorization document issued by the United States, a driver’s license or other form of identification issued by a State or the District of Columbia; or (b) a foreign government-issued equivalent of any of the documents listed above when the person who is the subject of the picture identification card is a non-U.S. citizen located outside the United States at the time of original production and the producer maintaining the required records, whether a U.S. citizen or non-U.S. citizen, is located outside the United States on the original production date. The picture identification card must be valid as of the original production date.
- PAYMENT INFORMATION: including bank information, garnishments and deductions, and other related information.
- PERFORMANCE AND TALENT INFORMATION: including qualifications, evaluations, developmental planning, security policy permissions, communication data and other talent management and team based assessments.
- APPLICATIONS/RECORDS: In addition, the Company collects and maintains different types of personal information, including the personal information contained in medical history questionnaires and evaluations.
The cybersecurity procedures ImLive.com states that they have implemented for their hosts’/models’ data include:
- Secure network topology, which includes intrusion prevention and Firewall systems;
- Encrypted communication;
- Authentication and Access Control;
- External and Internal audit tests; etc.
In their Host’s Data Privacy Notice, they also write that to ensure “the safety of our users’ information, and prevent unauthorized use of any such information the Company employs industry standard practices and procedures such as compliance checks to ensure the policy is being adhered, data protection impact assessments, internal audits of processing activities etc.
However, they “make no warranty, express, implied or otherwise,” that they will prevent or be responsible for unauthorized access to the personal data they have collected.
Data Breach Impact
This leak represents a potentially severe threat to those whose data has been exposed. It has many implications, all of which could very well ruin the lives of the models/actors involved.
Identity theft
Within nearly each zip file that our researchers discovered was everything necessary for a criminal to easily assume the identity of another. This is also information that we regularly see being sold on the dark web, often at very attractive prices. With someone’s national identity number, a scan of their photo ID, their full address, credit card number, and even their parents’ or spouse’s name, you have the full identity theft package at your fingertips.
Scams
Using the likeness of high-profile adult actors and actresses, both unethical companies and scammers can con innocent individuals out of their hard-earned money. It’s also plausible that the images and videos of any of these models could be used for catfishing on dating apps/sites to commit fraud on those platforms.
Whether it’s by fraudulently using their image to promote a product or service, or even by impersonating the model and requesting money from personal connections, the threat of a scam looms with this sort of data at the fingertips of criminals.
Public humiliation and impact on personal life/relationships
For many individuals who make the choice to be on camera in a pornographic nature, it is their circumstances rather than their blatant desire to flaunt their nude image that leads them to such a decision. This means that in the vast majority of cases – as indicated by stage names and anonymity clauses in some contracts – that the model could potentially be devastated by being exposed to their loved ones, causing them irreparable embarrassment and distress.
Many files we found are 10-20 years old, and it might be that since engaging in webcam model work, the individuals have moved on to build professional and personal lives outside of the adult industry. For those who have tried hard to forget and hide the past, their family, friends, and colleagues may not know about this, and it can put their current relationships in great jeopardy.
Blackmail and extortion
Authorities career criminals, and individuals who hold personal grudges could all easily blackmail or extort the models by threatening to expose them, either publicly, professionally, personally, or any combination thereof.
Stalking by fans
For some, live adult webcams provide an important outlet; for a few, they can become obsessed with a particular cam model and have a strong desire to meet them. There are those that would potentially follow through with this, thereby stalking the model, if they had enough information about them (such as real name, address, phone number, etc.).
Stalking is a gateway to a number of additional threats, including harassment, rape, kidnap, and even homicide.
Job loss and professional embarrassment
Upon discovery of a ‘side hustle’ or past full-time engagement in the adult industry, it is extremely plausible that this would pose a negative impact on the models. Threatening their jobs and professional reputation.
Exposing LGBTQ individuals
There is grave danger to LGBTQ models who’d be exposed. Around the world, there are about 70 countries where homosexuality is still criminalized – for example, up to 21 years imprisonment in Kenya. In many others, same-sex relations are seen as taboo and repugnant by a significant percentage of the population.
Many gay males and trans individuals are harassed by police, extorted, and blackmailed for bribes and sexual favors in exchange for freedom/security. Those who don’t comply are frequently charged with trumped-up charges and sometimes raped instead. Because of this leak, their address is clearly made available – along with other PII – that puts them directly at risk.
Legal repercussions (depending on location)
Pornography laws can vary greatly by region. Approximately 30 countries ban internet porn entirely and nearly 80 ban the sale or distribution of porn. Penalties for violating these bans include various amounts of fines and jail time. Some more traditional societies are a given here, but there are also a few countries where it’s surprising that anti-porn laws still exist (such as Australia).
Breach of contract
By exposing a model’s real name and details – and also connecting it with their stage name – it is possible that the company and even talent agencies are in breach of contract.
Human rights and dignity
There is much that could be discussed in the way of human rights and human dignity in the adult industry. Is it reasonable to consider that it is belittling of models/hosts/actors from developing nations to require that they take pics of themselves next to two forms of identification? It’s also worth noting that much of the PII was not redacted by agencies, who apparently provided/transferred at least some of these documents and photos to PussyCash and/or its affiliated websites.
Many of the models live in or come from countries that are at more of an economical disadvantage. Their socioeconomic status may be, at least in part, a motive in choosing a traditionally taboo occupation.
Finally, we can give thought to the inherent psychological impact a data leak in this particular industry might carry. What might the reaction of the models whose personally identifying information, documents, photos, and videos be? It is important to note that we produce these reports of our findings for the sake of bringing awareness to the importance of safeguarding your own data, and for companies to take seriously the implications of cyber and information security threats. We cannot recommend enough that if you are in a circumstance where you need to virtually confirm your identity, that you redact as much information as possible before sending photos or scans of official documents.
Advice from the Experts
PussyCash could have easily avoided this leak if they had taken some basic security measures to protect the S3 Bucket. These include, but are not limited to:
- Secure your servers.
- Implement proper access rules.
- Never leave a system that doesn’t require authentication open to the internet.
Any company can replicate the same steps, no matter its size. For a more in-depth guide on how to protect your business, check out our guide to securing your website and online database from hackers.
How and Why We Discovered the Breach
The vpnMentor research team discovered the breach in Pussycash’s database as part of a huge web mapping project. Our researchers use port scanning to examine particular IP blocks and test open holes in systems for weaknesses. They examine each hole for data being leaked.
When they find a data breach, they use expert techniques to verify the database’s identity. We then alert the company to the breach. If possible, we will also alert those affected by the breach.
We were able to access Pussycash’s S3 bucket because it was completely unsecured and unencrypted. Using a web browser, the team could access all files hosted on the database.
The purpose of this web mapping project is to help make the internet safer for all users. As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security.
However, these ethics also mean we also carry a responsibility to the public. This is especially true when the companies data breach contains such a huge amount of private and sensitive information.
About Us and Previous Reports
vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.
In the past, we’ve discovered a breach in LightInTheBox that compromised the data of its customers. We also recently revealed that a company owned by major hotel chain AccorHotels exposed over 1TB of guests’ data. You may also want to read our VPN Leak Report and Data Privacy Stats Report.
Company Comment: In a comment to Calcalist, PussyCash said (translated from Hebrew), “We give great importance to privacy, so that’s why we acted as quickly as possible and removed an open folder as soon as vpnMentor, the state-of-the-art technology research and safety auditors, turned our attention to it. This is a 2013 folder that includes external promotional material for the company of professional actors and actresses appearing in films and pictures, not within the corporate websites. Films purchased from specialized companies for many factors. The files confirm that these are actors over the age of 18. The use of these old materials was for marketing purposes and was intended to promote various sites.
“It is important to emphasize that this is not private information about service providers, exhibitors and/or other company customers and the imlive.com website. The said folder was blocked immediately from outside access, and in addition, guidelines for the various departments and current audits regarding information storage were sharpened.”