Hack shows government and military employees used their email addresses on hardcore fetish site

Originally reported by BBC News, data on more than 100,000 accounts was stolen from a forum called The Rosebutt Board dedicated to sexual fetishes (obviously the site is NSFW if you’re tempted to look it up). Security expert Troy Hunt, who runs the Have I Been Pwned? site unearthed the news on the data after he was alerted by a user.

The hacked data includes usernames, email addresses, IP addresses, and hashed passwords, though the hashing used on the passwords has been called fairly poor.

Despite the explicit and sensitive nature of the website, it appears that some government staffers actually used their official email addresses to register. There are “multiple .gov and .mil email addresses in the Rosebutt breach,” according to Hunt. Hacks and data breaches are always bad but this one could leave some users particularly red-faced.

Much like the Ashley Madison hack, the site carries info on sexual preferences and fetishes. While people on the site could sort of mask their identity with usernames, the leak of email addresses and IP addresses mean they could technically be identified.

“This is a forum where you would think people would want to stay private, but people were using traceable emails or even corporate emails,” said Hunt.

He explained that the forum was likely breached by exploiting a very simple and common SQL vulnerability in the site. The site had also been using antiquated software like the MD5 algorithm for scrambling the passwords, which has been considered outdated for quite some time.

If you have an account on the forum, it would be advised to change your password and also check Have I Been Pwned? to see if your email address is among the affected lot. Hunt added that users should take more care to hide their identities and cover their tracks when accessing such private material.