Leaked Database Appears to Hold Data from 1.4 Million Fetish Site Accounts

A database of 1.4 million different accounts has been leaked. The data presumably belongs to fetish website Eroticy. Even after several months of research, Troy Hunt, administrator of HaveIBeenPwned.com and recipient of the database, cannot say this with complete certainty.

The leak contains 1.4 million accounts with usernames, email addresses, payment history, physical addresses, usage history, and plaintext passwords. In the course of 2016, the database file was sent to Troy Hunt with the message that it comes from Eroticy. Hunt has fully mapped out the verification process in a blog post this time, but it ends with the conclusion that while the data is most likely genuine, it cannot be said with certainty that it came from Eroticy.

Eroticy has so-called enumeration protection, which means that it cannot be determined whether an e-mail address is in the database of a website by, for example, filling in the ‘forgotten password’ form with the e-mail address of a suspected account holder. The same applies to the registration form. Attempts to contact the administrators by email have not been responded to.

Hunt did email a few email addresses from the database, and most of the users said it was indeed possible that they registered for the website. However, they do not know for sure in all cases. This is not surprising, since some of the data is from 2002. In any case, the dataset has been added to HaveIBeenPwned.com and everyone who is registered for that service and also returns to the database has received an email.