Sex workers' clients exposed by Dutch hack attack
- Published
Account details of more than 250,000 people who used a site for sex workers in the Netherlands have been stolen in a hack attack.
Email addresses, user names and encrypted passwords were stolen from a site called Hookers.nl.
The attacker is believed to have exploited a bug in its chat room software found last month.
Reports suggest the malicious hacker who took the data has offered it for sale on a dark web marketplace.
Potential blackmail
Hookers.nl was "not happy" about the attack, its media spokesman Tom Lobermann told Dutch broadcaster NOS.
Mr Lobermann said sex workers who used the site and the clients who visited them could be put at risk if their data were to be stolen and sold. He said the site had informed everyone who had an account about the breach.
The message sent by the site's administrators also advised people to change their passwords.
NOS technology editor Joost Schellevis, who had seen a selection of data from the files being offered for sale, said identifying site users via their email addresses would not be difficult.
Mr Schellevis contacted the suspected thief who said he felt no guilt over the attack.
The accused told NOS: "I am not the devil. It is not a question of whether your website is hacked, but when."
The hacker added that several people were interested in buying the data.
Hookers.nl used a popular program for hosting online forums and discussions called vBulletin. In late September, security researchers identified a vulnerability in the program that could be exploited to steal data.
VBulletin quickly produced a patch for the bug but several sites were breached before they could deploy and install the protection.
Prash Somaiya, technical program manager at HackerOne, said attacking a site like Hookers.nl was a "double win" for cyber-criminals because they could sell the data and potentially blackmail users.
He added: "Other opportunist criminals seeing the news may also use it to attempt to phish any possible users by posing as the original attacker to blackmail anyone who falls for their scam."
- Published28 March 2019
- Published16 January 2018
- Published19 September 2019