Account details of hundreds of thousands of users of porn website xHamster have appeared online and are reportedly being sold on the digital underground. Motherboard reports that it obtained a database of almost 380,000 xHamster users' login credentials, including usernames, email addresses and poorly hashed passwords, from breach notification website LeakBase, and that it confirmed the data to be legitimate.
After selecting 50 email addresses at random and attempting to create new xHamster accounts with them, the publication received a message saying each email address was already being used. All of the related usernames except one were also taken, Motherboard found.
The publication also reported that the database seemed to include about 40 email addresses belonging to the US Army and an additional 30 email addresses related to different government bodies in the UK, US and other countries.
LeakBase told Motherboard that the leaked data was being traded on the digital underground around the same time that a hacker discovered a vulnerability in the adult entertainment company's website earlier in 2016. However, it is still unclear how the database was obtained and leaked online.
An xHamster spokesperson insisted that its users are still safe online and their data is secure since all its passwords are encrypted.
"The passwords of all xHamster users are properly encrypted, so it is almost impossible to hack them," an xHamster spokesperson told Motherboard. "Thus, all the passwords are safe and the users' data secured."
However, Motherboard said the company used the outdated MD5 hashing algorithm to safeguard its users' passwords.
"MD5 hashes are trivial and easy to crack," a LeakBase spokesperson told TechCrunch. "The fact they think the hashes are secure is a blatant example of the faulty security placed in companies even to this day."
IBTimes UK has reached out to xHamster for comment.
Earlier this month, adult dating and entertainment company FriendFinder Networks was reportedly hacked in a huge data breach that exposed the private details of 412 million accounts and user credentials accumulated over two decades.
The attack was believed to have occurred in October and exposed sensitive user data including email addresses, passwords, IP addresses, browser information and other data from various adult-oriented FriendFinder Networks websites.