Leaked Database Appears to Hold 1.4 Million Fetish Site Accounts

A database of 1.4 million different accounts has been leaked. The data presumably belongs to fetish website Eroticy. Even after several months of research, Troy Hunt, administrator of HaveIBeenPwned.com and recipient of the database, cannot say this with complete certainty.

The leak contains 1.4 million accounts with usernames, email addresses, payment history, physical addresses, usage history, and plaintext passwords. In the course of 2016, the database file was sent to Troy Hunt with the message that it comes from Eroticy. Hunt has fully mapped out the verification process in a blog post this time, but it ends with the conclusion that the data is most likely genuine, but it cannot be said with certainty that it came from Eroticy.

Eroticy has so-called enumeration protection, which means that it cannot be determined whether an e-mail address is in the database of a website by, for example, filling in the ‘forgotten password’ form with the e-mail address of a suspected account holder. The same applies to the registration form. There has been no response to an attempt to contact the administrators by email.

Hunt did email some e-mail addresses from the database, and most of the users said it was indeed possible that they registered for the website. However, they do not know for sure in all cases. This is not surprising, given that some data is from 2002. In any case, the dataset has been added to HaveIBeenPwned.com and everyone who is registered for that service and also returns to the database has received an email.