A data broker who allegedly hacked adult chat and web-streaming website MyFreeCams.com has sold nearly 2 million user records on a dark web forum, CyberNews researchers have discovered. According to the seller’s post, the records were exfiltrated from the company’s servers in December 2020 after a SQL injection allowed him to access and view data without authorization.
The perp claims to have stolen usernames, emails, clear-text passwords, and MFC Token balances of 2 million Premium and Diamond members. The threat actor made a pretty penny: an analysis of his cryptocurrency wallet showed 49 Bitcoin transactions, equating to more than $22,000.
After selling the stolen records, he immediately deleted his account and post from the forum.
News of the breach also reached MyFreeCams.com, which claims the leaked data was traced “to a security incident that occurred more than ten years ago in June 2010.”
The company also emphasized that the vulnerability used to exfiltrate user data was fixed shortly after the incident.
Despite these assurances, MyFreeCams has notified impacted members to reset their passwords.
“MFC’s current systems prevent any similar attack,” the company said. “Until now, MFC did not have evidence that user data was actually compromised as part of the incident. We have informed affected users by email and reset their passwords. No credit card information was stored or compromised.”
Although users can reset their account passwords and avoid account takeover, the exposed details make for efficient blackmail and extortion attempts from other cybercriminals.
The email addresses and clear-text passwords could also be used in credential stuffing attacks, so users are also advised to review any online account that shared the same username/email and password combination.