
Massive Porn Buyer Info Leak 251

Posted by Zonk
from the get-off-the-internet-this-is-a-sign dept.
Anonymous Guy wrote to mention a Wired article that covers the release of information for millions of customers onto the Internet. From the article: "The stolen data, examined by Wired News, includes names, phone numbers, addresses, e-mail addresses and internet IP addresses. Other fields in the compromised databases appear to be logins and passwords, credit-card types and purchase amounts, but credit-card numbers are not included. The breach has broad privacy implications for the victims. Until it was brought low by legal and financial difficulties, iBill was a top credit-card processor for adult entertainment websites."
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward on Thursday March 09, 2006 @04:10PM (#14885148)
    What kind of moron buys porn? Hello? IT'S FREE ON TEH INTARWEBS, and especially on Usenet. There are people who literally get off on making and distributing porn of all varieties at no cost. They want you to watch.

    Unless your idea of hotness is overproduced Playboy-style photography with a combination of four different skin textures, three different lighting rigs, and sixteen different gauze filters, you can get what you want on Usenet without risking your credit history.
  • Re:Weakest Link (Score:5, Informative)

    by frostyboy (221222) <benoc@a l u m . m it.edu> on Thursday March 09, 2006 @04:13PM (#14885166) Homepage

    Dude, RTFA. They didn't get the credit card numbers. Only personal information like name, phone number, address, email. Not that that's not a big deal, but this isn't a CC number security issue.

    Of course, this isn't made clear until way at the end of the article: "Because the information didn't include Social Security, credit-card or driver's-license numbers, no U.S. laws require iBill or the companies for which they provided billing to warn victims."

  • Re:Weakest Link (Score:5, Informative)

    by Alex P Keaton in da (882660) on Thursday March 09, 2006 @04:13PM (#14885170) Homepage
    Um, anytime I buy something "questionable" or from a questionable source, I use a one time credit card number. I know MBNA has this. You set a dollar amount for the number, as well as an expiry date. It is great for sites with auto renewing subscriptions. I use them all the time for 3 day 1.99 trials. I set the card limit at 2.50, use the number, and then forget about it. When they try and charge me, they get nothing but an expired card.
    My understanding is that most identity theft is still done the old-fashioned way, with garbage diving etc. When I was in college, I bartended. I could have easily written down every credit card number that was handed to me....
    But clearly this is more of a privacy issue. Even if nothing is stolen from me, I would prefer that my name not be associated with porn purchases. But then again, who am I kidding, everyone that meets me just assumes I am into porn. I guess it is my vibe.
  • You forgot (Score:3, Informative)

    by WindBourne (631190) on Thursday March 09, 2006 @04:23PM (#14885251) Journal
    grep -i "senator\|representative\|congress\|whitehouse" iBill.dat. There are sure to be plenty there.
  • by kalidasa (577403) on Thursday March 09, 2006 @04:42PM (#14885409) Journal
    I know, I had a little scuffle with them last week because I couldn't change my CC# on my Washington Post Online subscription. So not all the names are pr0n buyers.
  • by Anonymous Coward on Thursday March 09, 2006 @04:44PM (#14885432)
    Uh... isn't Maxim [maximonline.com] basically soft porn?

    Maxim would be mild erotica. When the pussy makes its appearance is where soft porn begins. Even then I would classify that as mild erotica.
  • by XMilkProject (935232) on Thursday March 09, 2006 @04:44PM (#14885435) Homepage
    You can actually download this 214mb list of information here:
    http://5sec.us/Ibill_1m.txt [5sec.us]
    I don't know why you'd want it, maybe you can use the passwords or something. But there it is anyway.
  • by Psykosys (667390) on Thursday March 09, 2006 @04:46PM (#14885449)
    that an estimated 25% of the transactions weren't for porn. Unless the customer information is associated with the purchase information (it sounded to me like the account axx information was in separate, unlinked records), the leak has much fewer social implications than commenters here seem to be implying.

    Livejournal, for example, was offering payment through iBill [livejournal.com] during the time covered by the leak (run that link through Archive.org if you care to verify, /. filters the part following the asterisk).

  • by sstamps (39313) on Thursday March 09, 2006 @05:39PM (#14885974) Homepage
    I was a subscriber to the MMORPG Horizons, which used to use iBill as their payment processor (they use iPay now; not much of a difference, really). I used new mail accounts I set up specifically for the game, and all of a sudden, about a month ago, I started getting tons of spam on them.

    I figured my email addresses had been sold by one of those sleazebag payment processors. Turns out they aren't evil, they're just STUPID.
  • Re:Oh crap... (Score:5, Informative)

    by BenEnglishAtHome (449670) on Thursday March 09, 2006 @05:40PM (#14885982)

    They didn't do credit card processing for midget-granny-and-horse-porn.com did they?

    No, but they did do credit card processing for sites featuring under-18 models doing "non-nude" work. Within the past couple of weeks, a group of those sites got busted and the FBI has announced intentions to prosecute them for selling child porn even though the models were clothed. (It seems the clothes were too small and/or the poses too racy.) Note that I don't know if any of the recently busted sites were using iBill and the point may already be moot since iBill has been defunct or close to it for a while.

    However, according to TFA

    The stolen data, examined by Wired News, includes names, phone numbers, addresses, e-mail addresses and internet IP addresses. Other fields in the compromised databases appear to be logins and passwords, credit-card types and purchase amounts, but credit-card numbers are not included.

    I have to figure if logins and passwords are there, then the websites accessible via those logins might also be in the data. If so, I imagine that at this moment a whole bunch of guys are pretty worried.

  • by daverabbitz (468967) on Thursday March 09, 2006 @05:58PM (#14886169) Homepage
    That's all very well and good, until you remember that most people still have dynamic IP addresses, even on cable/dsl.
  • Darn that name (Score:3, Informative)

    by phorm (591458) on Thursday March 09, 2006 @06:35PM (#14886501) Journal
    As an admin at my previous job, I often searched SF.net and freshmeat for open-source/free solutions. At one point, our ISP's caching filter decided to regularly boink the freshmeat site, which resulted in the site autobanning one of the upstream routers.

    It was a really fun thing trying to explain to the ISP person why they should put in a caching exemption for a site called "freshmeat", and what the actual content of said site was.
  • Re:Weakest Link (Score:3, Informative)

    by monkeydo (173558) on Thursday March 09, 2006 @07:06PM (#14886792) Homepage
    In the US, the merchant and the issuer incur all of the liability for stolen card numbers. As long as the card holder reports unauthorized charges to the issuer within a reasonable time of becoming aware of it, his liability is zero. Credit card fraud costs the issuers about $10 Billion annually. Sure, they'd like to reduce that number, but they know that every dollar of fraud they prevent costs them $/x. When they reach a point of diminishing returns, there will still be some fraud.
  • by Afty0r (263037) on Thursday March 09, 2006 @07:37PM (#14887033) Homepage
    It is a 214MB file on a fairly weak host. By posting the URL to Slashdot the parent has almost certainly guaranteed that FEWER people will get the file in coming days than if he had not acted as such.

    To link from Slashdot to a file nearly a quarter of a gig large is surely meant in jest? :)
  • by MacDork (560499) on Thursday March 09, 2006 @10:12PM (#14887982) Journal
    According to this Wired article, [wired.com] the iBill data is fake:
    But Spaniak says iBill cross referenced the 17 million transaction database against its own on Wednesday, and that only three e-mail addresses matched between the two.

    and

    Wired News found that entries from the smaller cache of one million consumers are listed as mortgage leads on a spammer community site, specialham.com. A Google search turns up scores of offers on specialham.com for purported iBill databases, one of them advertising "20mill ibill list w/Full data from 2003" for $300. But in one message, a spammer slams an underground vendor for selling him a fake iBill list.
  • Re:Oh crap... (Score:1, Informative)

    by Anonymous Coward on Thursday March 09, 2006 @11:44PM (#14888402)
    Here's some relief [wired.com] for those people. Wired have another article up which suggests the database has nothing to do with iBill and that it's just someone renaming it to make the data seem more valuable.

    It does strike me as odd though if it has records dating back to 1998, I wouldn't think spammers and scammers would have a database dating that far back. And of course iBill could just be lying to save face...
