A popular sexting website has exposed thousands of photo IDs belonging to models and sex workers who earn commissions from the site.
SextPanther, an Arizona-based adult site, stored more than 11,000 identity documents, including passports, driver’s licenses and Social Security numbers, in an Amazon Web Services (AWS) storage bucket that was exposed without a password. The company says on its website that it uses these documents to verify the ages of models with whom users communicate.
Most of the exposed identity documents contain personal information, such as names, home addresses, dates of birth, biometrics and their photos.
Although most of the data came from models in the U.S., some of the documents were supplied by workers in Canada, India and the United Kingdom.
The site allows models and sex workers to earn money by exchanging text messages, photos and videos, including explicit and nude content, with paying users. The exposed storage bucket also contained more than 100,000 photos and videos sent and received by the workers.
It was not immediately clear who owned the storage bucket. Inventiva asked U.K.-based penetration testing company Fidus Information Security, which has experience in discovering and identifying exposed data, to help.
Researchers at Fidus quickly found evidence suggesting the exposed data could belong to SextPanther.
An hour after we alerted the site’s operator, Alexander Guizzetti, to the exposed data, the storage bucket was pulled offline.
“We have passed this on to our security and legal teams to investigate further. We take accusations like this very seriously,” Guizzetti said in an email. He did not explicitly confirm the bucket belonged to his company.
Using information from identity documents matched against public records, we contacted several models whose information was exposed by the security lapse.
“I’m sure I sent it to them,” said one model, referring to her driver’s license, which was exposed. (We agreed to withhold her name given the sensitivity of the data.) We passed along a photo of her license found in the exposed bucket. She confirmed it was her license, but said that the information on her license is no longer current.
“I truly feel awful for others who have signed up with their legit information,” she said.
The security lapse comes a week after researchers found a similar cache of highly sensitive personal information belonging to sex workers on the adult webcam streaming site PussyCash.
More than 850,000 documents were insecurely stored in another unprotected storage bucket.