The leak could put all MyFreeCams users at risk of blackmail attempts, credential stuffing attacks, and more.
A database that purportedly belongs to MyFreeCams.com, one of the top adult chat and web streaming communities, is being sold on a popular hacker forum. According to the post author, the data was exfiltrated from the company servers in December 2020 by carrying out an SQL injection attack, and includes 2 million user records of MyFreeCams Premium members, including their usernames, email addresses, MyFreeCams Token (MFC Token) amounts, and passwords in plain text.
The author of the forum post is asking for $1500 in Bitcoin per 10,000 user records and claims that a single batch would net the buyers at least $10,000, which they could make by selling premium accounts with MFC Token (MyFreeCams’ virtual currency) balances on the black market.
We asked MyFreeCams if they could confirm that the leak was genuine, and whether they have alerted their members and models. The company swiftly responded to our requests and immediately notified affected users and reset their passwords.
With that said, it’s unclear how many accounts are in the threat actor’s possession, which means that there is a possibility that all MyFreeCams accounts could have been compromised.
Afraid your online presence was compromised? Check if your data has been leaked.
What’s in the database?
Based on the samples we saw from the database, it appears to contain:
- Usernames
- Email addresses
- Passwords in plain text
- MFC Token balances
Example of leaked data:
Who is the company behind the leak?
MyFreeCams is a live streaming ‘adult cam model’ website that offers explicit content intended only for mature audiences.
Ranked as the 619th most visited website on the Internet based on monthly traffic, it’s one of the world’s largest adult streaming websites boasting nearly 70 million visitors each month. It is predominantly used by amateur webcam models to stream live shows and chat with site members who can purchase virtual MFC Tokens that they can use to tip the models or watch private shows.
Who had access to the data?
The database is available for the entire userbase of the popular hacker forum to download in 10,000-line increments for $1500 worth of Bitcoin.
Based on the forum post author’s Bitcoin wallet balance, they have already received BTC 0.60222754 (which amounts to about $21,600) for what appears to be at least 14 batches of 100,000 users from buyers, with a total of 45 transactions executed at the time of writing.
That being said, it’s unclear how many accounts were exploited by the buyers before the passwords of the affected accounts were reset by MyFreeCams.
What’s the impact of the leak?
The data found in the hacked MyFreeCams database can be used in a variety of ways against the users whose information was exposed, including the following:
- Blackmailing and extorting money from MyFreeCams account owners by threatening to expose their identity and MFC membership to others, including friends and family.
- Stealing the accounts along with their MFC Token balances from the owners and selling them on the black market.
- Committing credential stuffing attacks against the members’ other online accounts.
- Using the data from the database to mount targeted phishing attacks.
- Spamming the victims’ emails.
Fortunately, the stolen MyFreeCams database does not contain any highly sensitive information like credit card numbers or passport IDs. However, even email addresses and plain text passwords can be enough to take over the victims’ other accounts if they use the same login credentials across multiple online services.
Next steps
If you have a MyFreeCams account, immediately change your password and consider using a password manager to create strong, complex passwords.
Even though MyFreeCams reset the passwords of the affected accounts, it’s not certain that the threat actor who is selling the database is not in possession of more compromised MyFreeCams accounts that they have not yet managed to dehash.
If you’ve been using the compromised password for any other online services, make sure to change it there as well. Using a unique password for each online service will prevent threat actors from reusing it for credential stuffing attacks.
