vBulletin Flaw Exploited in Dutch Sex-Work Forum Breach

Hackers have stolen the account details of 250,000 users of Dutch sex-work forum Hookers.nl – including email addresses of both escorts and customers.

The website provides a forum for escorts and customers to discuss sex work — including clients discussing their experiences with sex workers. A moderator on the forum said on Thursday that a hacker gained access to personal details through a recently disclosed software vulnerability in an external software supplier of the website, vBulletin, which powers the forum.

The hacker was able to exploit the flaw to access a Hookers.nl user database, which includes the email addresses, usernames, hashed passwords and IP addresses of forum users. In some cases, email addresses and usernames could include users’ full names.

“A data breach has occurred and the email addresses have been stolen from all users,” said the forum moderator. “Please note the passwords. These email addresses have been offered for sale online by hackers. Offering this information for sale is punishable by law and if possible we will take legal action against this or that. In addition, a report has been made to the Dutch Data Protection Authority.”

A news outlet, Dutch Broadcast Foundation, who was in contact with the hacker, viewed the database and confirmed its legitimacy. The outlet reported that the hacker is selling the database for just $300. According to the news outlet, the hacker has not yet sold the data – but expects it will sell.

The vBulletin vulnerability in question (CVE-2019-16759), which allows remote command-execution, was disclosed last week. Though vBulletin has released patches for the flaw, exploit code was released on Sept. 23 – and many websites have not yet updated.

That has been seen through the active exploit of several websites, including a data breach impacting Comodo (as recently announced last week on Comodo’s forum).

The sensitive nature of the content on Hookers.nl could make the data ripe for the blackmail of affected users – both for clients and for the prostitutes actively using the forum, Chris Morales, head of security analytics at Vectra, told Threatpost.

“vBulletin is used for internet forums of every interest, from cooking, cars and to computers,” he said. “Normally an account used on a bulletin board does not contain a huge amount of information on the user, or at least it shouldn’t. I wouldn’t consider a public forum software compromise to be a high-risk issue. I think the nature of this bulletin board, a focus on sex workers, does change that sensitivity. That is quite exposing considering the conversations and that it reveals who the sex workers are.”

The incident is reminiscent of a 2015 breach of Ashley Madison, an adultery hook-up website that resulted in hackers making away with names, emails, home addresses, credit card data and sexual fantasy information of all of its customers.

“Action has been taken as quickly as possible,” according to the forum moderator. “vBulletin has released a software patch that we have implemented after testing to address the leak.”

_What are the top cybersecurity issues associated with privileged account access and credential governance? Experts from Thycotic will discuss during our upcoming free _Threatpost webinar_, “Hackers and Security Pros: Where They Agree & Disagree When It Comes to Your Privileged Access Security.” _Click here to register.