By Bruce Sussman
Fri | Oct 11, 2019 | 9:04 AM PDT

The Dutch Broadcast Foundation just completed an investigation and discovered that a hacker stole data from 250,000 user accounts at the website Hookers.nl.

Being a hooker or sex worker in the Netherlands is legal, and so is paying for sex.

Now, however, the world is about to find out exactly who has been buying sex and who has been selling it, plus what people are saying about it in the site's discussion forums.

And this is part of a security vulnerability you'll want to check for on your own website. More on that in a minute.

Hooker database hacked: what was taken?

Stolen information from the site includes usernames, IP addresses, and hashed passwords, and the most revealing thing of all: readable email addresses that in many cases contain the person's name.

How was the stolen sex database discovered?

NOS, the Dutch Broadcast Foundation, received an anonymous tip that a hacker was trying to sell 250,000 stolen records from Hookers.nl.

Then came some intriguing investigative work, according to NOS:

"We contacted the seller of the database, presented ourselves as an interested buyer and asked for a sneak preview. We received it: the seller sent us the details of a thousand members. We have not paid the seller.

We subsequently verified whether it actually concerned users of Hookers.nl. We have used the 'forgotten password' function of Hookers.nl. By entering e-mail addresses and clicking on 'forgot password', it was possible to check whether an e-mail address exists in the database.

We have done this with five randomly chosen e-mail addresses. Although this gives a user an e-mail in his inbox with the message that someone has attempted to restore his or her password, we still found this to be an appropriate way to check whether e-mail addresses from the dataset were actually on Hookers.nl. It was necessary to exclude that it was about different dates.

We also checked with Google searches whether behind individual accounts on Hookers.nl are existing people. All information collected by us will be deleted after publication."

After confronting Hookers.nl with this information, the site confirmed the data breach.

Hooker site hack: 'I am not the devil'

NOS also communicated with the hacker for publication.

He does not feel guilty towards the affected forum members. 

"It only concerns fewer than three hundred thousand users," he says. "Tens of thousands of websites are hacked every day. I am not the devil. It is not a question of whether your website is hacked, but when."

That "when, not if" sentiment resonates with security leaders we've spoken with at our SecureWorld conferences.

Which web vulnerability did the hooker hacker exploit?

Users of the sex site must now wait to see if they'll be revealed and publicly embarrassed—or extorted to keep their accounts and activities secret.

But what's important for most readers is to check whether your own site runs a particular web application.

The hacker exploited a security hole in online forum software vBulletin. This is an exploit in use right now. Hackers recently used a vBulletin exploit against cybersecurity vendor Comodo.

vBulletin isn't providing too many details, but it has released a patch for recent versions; find it here.

"A security issue has been reported to the vBulletin team. To fix this issue, we have created a new security patch. We have made patches available for the following versions of vBulletin Connect:

5.5.4 Patch Level 1
5.5.3 Patch Level 1
5.5.2 Patch Level 1

If you are using a version of vBulletin 5 Connect prior to 5.5.2, it is imperative that you upgrade as soon as possible to protect your content."
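As an added example (not code from the article or from vBulletin), here is a small checker that takes a vBulletin Connect version string in the "X.Y.Z Patch Level N" form used in the advisory above and says whether it is at a listed patched level, needs Patch Level 1, or is older than 5.5.2 and must be upgraded. The patched releases and the 5.5.2 cutoff are taken from the advisory; anything the advisory does not list is reported as unknown rather than assumed safe.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Patched releases named in the vBulletin advisory quoted above:
# each 5.5.x release mapped to the minimum patch level carrying the fix.
PATCHED_LEVELS = {(5, 5, 4): 1, (5, 5, 3): 1, (5, 5, 2): 1}
MIN_SUPPORTED = (5, 5, 2)  # advisory: anything earlier must be upgraded

# Version strings look like "5.5.4 Patch Level 1" or just "5.5.4".
VERSION_RE = re.compile(
    r"^\s*(\d+)\.(\d+)\.(\d+)(?:\s+Patch\s+Level\s+(\d+))?\s*$", re.IGNORECASE
)


class VersionStatus(NamedTuple):
    version: Optional[Tuple[int, int, int]]
    patch_level: int
    status: str  # "patched", "needs_patch", "needs_upgrade" or "unknown"
    advice: str


def parse_version(text: str):
    """Return ((major, minor, release), patch_level) or None if unparseable."""
    m = VERSION_RE.match(text)
    if not m:
        return None
    major, minor, rel, pl = m.groups()
    return (int(major), int(minor), int(rel)), int(pl or 0)  # no suffix = level 0


def assess(text: str) -> VersionStatus:
    """Compare an installed version against the advisory's patched releases."""
    parsed = parse_version(text)
    if parsed is None:
        return VersionStatus(None, 0, "unknown", f"Could not parse {text!r}.")
    version, pl = parsed
    if version[0] != 5:
        return VersionStatus(version, pl, "unknown", "Not vBulletin 5 Connect.")
    if version < MIN_SUPPORTED:
        return VersionStatus(version, pl, "needs_upgrade", "Older than 5.5.2: upgrade.")
    required = PATCHED_LEVELS.get(version)
    if required is None:
        return VersionStatus(version, pl, "unknown", "Release not in the advisory.")
    if pl >= required:
        return VersionStatus(version, pl, "patched", "At the listed patch level.")
    dotted = ".".join(map(str, version))
    return VersionStatus(version, pl, "needs_patch", f"Apply {dotted} Patch Level {required}.")
```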

Patch management is a never-ending struggle. However, perhaps someday it will end. Cybersecurity thought leader Bruce Schneier told us that the patching process is near the end of its useful life.

Listen to what he has to say on our cybersecurity podcast, The SecureWorld Sessions:
