Dutch website Hookers.nl has been compromised due to a vulnerability exposing the account details of all 250,000 users.
The hacker was able to exploit a vulnerability within the website’s vBulletin forum software, to access the internal database of Hookers.nl, a popular website utilised by sex workers and their clients.
Reports have emerged suggesting that the malicious hacker is selling the data in a marketplace on the dark web, however no sales have been completed as of yet.
Email addresses, usernames, IP addresses and passwords of sex workers and their clients were amongst the personal details exposed.
Dutch news broadcaster NOS, viewed a sample of the data, and discovered that the passwords were encrypted however many of the email addresses included the actual names of the users, therefore identifying users would not be difficult.
The malicious hacker told NOS: “Tens of thousands of websites are hacked every day. I’m not the devil. It’s not a question of whether your website is hacked, but when.”
The vulnerability was identified by security researchers in late September, to which soon later vBulletin produced a patch, however by then several sites had been breached.
Tom Lobermann, media spokesman for Hookers.nl, stressed that the company was “not happy” about the attack. He added that the breach put users and clients at risk of their data being stolen and sold.
Those who have an account with Hookers.nl have been informed about the breach and have been advised to change their passwords.
Ilia Kolochenko, CEO of cybersecurity company ImmuniWeb told Verdict: “Compared to some notorious breaches that have occurred in the last 12 months involving billions of compromised records, this data breach may seem comparatively insignificant.
“However, in terms of reputational damage it’s apt to inflict upon the victims, the impact may be unprecedentedly disastrous.”
This breach is similar to the 2015 Ashley Madison breach, a website targeted at married individuals looking to cheat on their partners. User data had been compromised and leaked on the dark web. The breach was said to be connected to many suicides.
“This time, the harm may be even more voluminous, diverse and long-lasting,” Kolochenko said.
“Sadly, many victims will likely be reluctant to file a lawsuit or criminal complaint being embarrassed by the nature of the incident.”