×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Thousands of Adult Website Accounts Compromised

kdawson posted more than 6 years ago | from the how-not-to-handle-a-data-breach dept.

Security 167

Keith writes "Tens of thousands — or maybe more — accounts to adult websites were recently declared compromised and apparently have been that way since some time in October 2007. The break occurred when the NATS software used to track and manage sales and affiliate revenues was accessed by an intruder. The miscreant apparently discovered a list of admin passwords residing on an unsecured office server at Too Much Media, which makes and maintains NATS installations for adult companies. It would appear that Too Much Media knew of the breach back in October, and rather than fixing the issue tried to bury it by threatening to sue anyone in the adult industry who talked about it." The article gives suggestions for anyone who opened an account at any adult website in the last several months.

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

167 comments

Something came up... (3, Funny)

Anonymous Coward | more than 6 years ago | (#21813292)

Well, I guess that explains why it's so quiet around here.

Re:Something came up... (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21813764)

Exactly. [dwarfurl.com]

Re:Something came up... (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21813916)

someone needs to rip these myminicity bitches a new asshole. Block Myminicity [ripway.com]

Re:Something came up... (0)

Anonymous Coward | more than 6 years ago | (#21814484)

god bless Hosts file and ability to block that trash.

I'm sure they'll... (4, Funny)

Bin_jammin (684517) | more than 6 years ago | (#21813296)

rub this problem out in a hurry.

Re:I'm sure they'll... (5, Funny)

bl4nk (607569) | more than 6 years ago | (#21813422)

This penetration has thrust a large mess of members in to a new position, one which they probably aren't familiar with (unless they get off on this kind of thing). It's sad the industry has shrunk to the force of Too Much Media, and has effectively been boned. If it's lucky, the authorities will slap the cuffs on TMM, throw them in the slammer, and make them eat kumquats.

Butt plugs. [youtube.com]

Re:I'm sure they'll... (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21813914)

a list of user name and passwords can be found here have fun!! [tinyurl.com]

Compromising Position. (3, Funny)

Anonymous Coward | more than 6 years ago | (#21813312)

""Tens of thousands -- or maybe more -- accounts to adult websites were recently declared compromised and apparently have been that way since some time in October 2007. "

Quick! Someone see if Taco's on that list.

Re:Compromising Position. (0)

Anonymous Coward | more than 6 years ago | (#21813806)

Quick! Someone see if Taco's on that list.
You mean there is actually somebody on /. who isn't on that list? Perhaps it is our token Windows user? I think I heard him say that he was so tired of dealing with all those nag screens from his Norton suite that he was giving up on porn...

I have a suggestion too (3, Funny)

Glowing Fish (155236) | more than 6 years ago | (#21813320)

For everyone who opened up an account on an adult website:

Usenet.

Re:I have a suggestion too (0)

Anonymous Coward | more than 6 years ago | (#21813416)

I have a better suggestion: pussytorrents.org

Re:I have a suggestion too (2, Funny)

Pantero Blanco (792776) | more than 6 years ago | (#21813424)

I have a better suggestion: pussytorrents.org

I have an even better suggestion: Find a woman and impress her. :)

Re:I have a suggestion too (2)

mochan_s (536939) | more than 6 years ago | (#21813436)

I have an even better suggestion: Find a woman and impress her. :)

Or even better find two women, impress them both with your wealth and power at the same time.

My, what big torrents you have. (0)

Anonymous Coward | more than 6 years ago | (#21813480)

"Or even better find two women, impress them both with your wealth and power at the same time."

The guys who run Piratebay must get laid a lot.

Re:My, what big torrents you have. (1)

SacredByte (1122105) | more than 6 years ago | (#21813492)

I had heard something along these lines... Apparently, for Porn-star Recognition Day, they were planning to edit their mainpage to show as "the asspirate bay" whilst changing the picture to show a rendering of the goatse.cx image.

Re:I have a suggestion too (0)

Anonymous Coward | more than 6 years ago | (#21813774)

But do NOT ever tell her how you obtained that list.

Re:I have a suggestion too (4, Funny)

PopeRatzo (965947) | more than 6 years ago | (#21814150)

I have an even better suggestion: Find a woman and impress her
Just save yourself some time and pretend she's already sworn a restraining order against you.

Re:I have a suggestion too (1)

ocbwilg (259828) | more than 6 years ago | (#21814262)

I agree, I haven't paid for porn for years. Between USENET and pr0n "blogs" offering free photo and video previews of dozens of sites a day, there's more free porn out there (at just the places I hit) than even I can look at in a day.

If true, this isn't particularly surprising. (3, Insightful)

Anonymous Coward | more than 6 years ago | (#21813328)

We are, after all, talking about pornography paid for with credit cards. The entity which lost these data is a clearinghouse for porn payments; its customers are the webmasters who run individual adult sites. Webmasters who, of course, have a vested interest in keeping this quiet. The fault was not theirs, per say, but the repercussions if this becomes public knowledge would bear heavily upon them.

In addition, it's porn. Individual end users cannot protest very much without either A: Admitting they pay for porn online or B: being the subject of askance glances and the occasional, "Methinks he doth protest too much." Some folks won't care, but the kind of people who actually have influence in the real world can't afford that kind of tarnish.

So, even if the worst happens and large amounts of private data are in nefarious hands, it'll all get dealt with quietly. The victims will sort it out in private with their banks, the webmasters will never speak of it, and the company itself probably won't feel much of a hit. If they really do have 90% market share, I doubt anyone else in the field is ready to just jump in and take over.

Re:If true, this isn't particularly surprising. (5, Informative)

mochan_s (536939) | more than 6 years ago | (#21813430)

In addition, it's porn. Individual end users cannot protest very much without either A: Admitting they pay for porn online or B: being the subject of askance glances and the occasional, "Methinks he doth protest too much."

You do realize that prepaid credit cards exist, right? You can set any name to it and use it. Since you don't have to have anything physical delivered and it's all online, then you can create fake names and leave out addresses.

Re:If true, this isn't particularly surprising. (2, Insightful)

SacredByte (1122105) | more than 6 years ago | (#21813474)

In addition, it's porn. Individual end users cannot protest very much without either A: Admitting they pay for porn online or B: being the subject of askance glances and the occasional, "Methinks he doth protest too much."
You do realize that prepaid credit cards exist, right? You can set any name to it and use it. Since you don't have to have anything physical delivered and it's all online, then you can create fake names and leave out addresses.
Do you realize that not every Joe-Sixpack takes the time to think it through before he gives his personal information to third parties?

Re:If true, this isn't particularly surprising. (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#21813930)

this is all public knowledge already [dwarfurl.com]

Re:If true, this isn't particularly surprising. (1)

Seumas (6865) | more than 6 years ago | (#21813948)

Who the hell feels embarrassed for porn? It's 2007. Yeah, if you were ripped off by a payment processor that put "iloveyoungboys.com" on your bill, that's one thing. But in general, who cares?! Oh no, you might have to admit that you are a guy, have testosterone and might wank off to hot sluts. Boy, how embarassing.

Re:If true, this isn't particularly surprising. (4, Interesting)

Archon-X (264195) | more than 6 years ago | (#21813854)

You've made a lot of assumptions, most of them wrong

#1 - CC data wasnt stolen
#2 - NATS does NOT process credit cards. It simply coordinates transactions, just like when you buy something from a site via paypal - the transaction is done at paypal, the yes/no result is shipped back to NATS.
#3 - Don't assume because it's the 'porn industry' that it's seedy and business ethics are out of the window. There are a lot of large companies with a lot of money invested, and the security of their clients makes sense. Why would you want to rip off or mal-treat your clients? There are definitely arseholes in the industry, just as there are everywhere, for example, the post of this article [he released 300 webmaster usernames / passwords to the world, resulting in huge financial thefts.
#4 - There are multiple industry options: MPA, Epoch, CCBill, etc. NATS has a large market share because the software is good, primarily because it was the first piece of software that had 'no shave' option, ie, the software couldnt steal sales.

Like it's been said already, this issue was a clusterfuck, and handled badly by TMM, but there is so much misinformation, especially about te threat of stolen CCs and slamming the industry, that I'm compelled to say something.

Re:If true, this isn't particularly surprising. (4, Informative)

owlnation (858981) | more than 6 years ago | (#21813876)

In addition, it's porn. Individual end users cannot protest very much without either A: Admitting they pay for porn online or B: being the subject of askance glances and the occasional, "Methinks he doth protest too much." Some folks won't care, but the kind of people who actually have influence in the real world can't afford that kind of tarnish.
You're looking at this from an English speaking World perspective. Note that in countries such as Holland or Germany, where most of the adult/sex industry is completely legal, consumers of adult products have as much rights as any other consumer. There's also not the stigma attached to such things as there is in the UK or the US. People there would sue, and would sue openly.

All in all, in countries like Germany there's a much healthier attitude to sex and the adult industry. Both consumers and providers are much better protected there.

It seems to me that in the UK in particular (which is a semi-fascist state at best anyway) the repression and legislation of the adult industry is increasing, from what was already a very repressed and intolerant level. This is not healthy, this simply makes it easier for organized crime, and incidents like this one to occur.

Hah (0)

Anonymous Coward | more than 6 years ago | (#21813336)

It's me, I'm the guy who hacked the passwords in the OP.

Suddenly..... (3, Funny)

edwardpickman (965122) | more than 6 years ago | (#21813380)

There was a great disturbance in the geek community.

Re:Suddenly..... (0)

Anonymous Coward | more than 6 years ago | (#21813476)

,,as if millions of hard drives cried out in the dark, then limped away flacidly as floppy drives. I fear something terrible has befallen.

Wait... (3, Funny)

c.r.o.c.o (123083) | more than 6 years ago | (#21813400)

There are people who actually PAY for pr0n?!?

Re:Wait... (0)

Anonymous Coward | more than 6 years ago | (#21813658)

There's other types of adult other than basic porn, eg phone sex (eg www.fone-me.com)

Who Pays For It Anymore? (1)

Dude163299 (906461) | more than 6 years ago | (#21813412)

So uhh considering this is slashdot and everyone supposubly lives in their moms basement and has AT LEAST 500gigs of porn, this should be a concern for us. But than again were geeks and we don't pay for our porn, so tell me again why this is relevent.

Re:Who Pays For It Anymore? (2)

SacredByte (1122105) | more than 6 years ago | (#21813432)

Contrary to popular belief, we don't all live in our parents' basements. Not all houses have basements. Also, I don't even have 500GB of total hard drive space. Anyway, it is relevant because it happened through the negligence of the person maintaining the originally compromised system. Had the person(s) responsible done their job in keeping the computer secure, the system wouldn't have been compromised. Thus, it serves as warning to all of us, that if we present a sufficient target, we must be proportionally vigilant at protecting the systems under our stewardship.

Re:Who Pays For It Anymore? (0)

Anonymous Coward | more than 6 years ago | (#21813440)

>so tell me again why this is relevent.

We'll tell you as soon as you tell as what "supposubly" means.

wtf (0)

Anonymous Coward | more than 6 years ago | (#21813450)

"The article gives suggestions for anyone who opened an account at any adult website in the last several months"

Nice way to create paranoia for those of us who run secure adult websites. Thanks.

Re:wtf (1)

Antique Geekmeister (740220) | more than 6 years ago | (#21813660)

Isn't the lack of paranoia on the part of those who run adult websites how this happened?

Re:wtf (2, Interesting)

minusonebit (1207734) | more than 6 years ago | (#21813928)

Or the fact that a good portion of them simply don't care. Their solution is to send an army of people here to tag and comment me into the ground. Some of them continue to collect webmaster affiliate account data (which includes tax IDs/SSNs) on pages that have no SSL encryption at all. Despite the fact that I brought it up months ago.

Re:wtf (1)

Antique Geekmeister (740220) | more than 6 years ago | (#21814196)

Oh, my. Yes, good security does cost some effort to do, and sometimes clients don't want to spend the work and resources. You have my sympathy for this situation.

I don't suppose you could, very quietly, contact the BBB or the IRS about people being so cavalier with such information?

Gift Cards (5, Informative)

harlows_monkeys (106428) | more than 6 years ago | (#21813484)

This is what gift cards are for, available from numerous outlets (Safeway, Office Depot, Wal-Mart, and similar places). You can get prepaid VISA and Mastercard giftcards, which work great for purchasing porn, or other questionable things of an online nature, where you can't trust the vendor. A $50 card will typically cost about $55.

After you buy it, you go to a web site from the card vendor, enter the card number and security code, and then set the user name and billing zip code. Then go wild (well, to the extent that you can go wild with $50...). Here's one such card [allaccessgift.com] that is available at a lot of places.

There are also cards that you can refill from your "real" credit card, but then you are easier to trace. Might as well use a non-refillable card, purchased with cash. That way, if "all models 18 or over, proof on file" turns out to not quite be true, no credit card that can be tied to you will be in the site's records. :-)

If that's not a concern, though, and you are just trying to limit exposure of your real credit card, then go ahead with the refillable cards. In fact, there are even some that are purely online. They don't provide a physical card. You just go to their site, sign up with your credit card, and they give you a credit card number to use online, with a limit of whatever you want to transfer from your credit card. Here is one such virtual card [www-card.com].

NOTE: some gift cards cannot be used for porn or gambling, so choose appropriately. And some can be so used, but add a surcharge for porn.

Re:Gift Cards (1)

Smordnys s'regrepsA (1160895) | more than 6 years ago | (#21813528)

...Man, I hate to tell you this, but I think you got phished - someone seems to be posting adverts using your account. Wait! You haven't been browsing for some Hard-Core-Adult-Action lately, have you?

I kid, I kid.

Re:Gift Cards (1)

metalheadsunite (1207724) | more than 6 years ago | (#21813550)

I do agree with what is said 1. Who pays for porn anyways? and 2. Gift cards are the coolest thing since sliced bread. When I was little you could go to the store and get an American Express card whenever parents wouldn't let you order stuff online and voila! Was used more for purposes in which you really didn't want some stuff to come back and bite you (aka domain purchases) but it still has many uses even now that I'm in my 20s.

Re:Gift Cards (4, Informative)

Archon-X (264195) | more than 6 years ago | (#21813598)

No credit card information was stolen. It's impossible.
CC information does not, repeat, does not [read: is illegal to keep] on the servers of sites.
It is maintained by the billers and processors, who thankfully, have better security.

The threat of stolen CC info is FUD by the poster.

Re:Gift Cards (1)

jamesh (87723) | more than 6 years ago | (#21813880)

I'm not sure that such laws exist here in Australia (and if anyone knows of any, _please_ enlighten me!). Your contract with your merchant will require certain things of you wrt to what you do with any CC information you have taken by whatever means (phone, physical swipe machine, internet, etc), but I'm not aware of any criminal laws that exist.

We effectively turned away a client who wanted to host their web site on our server because it obviously kept credit card information in a database. We just didn't want to be involved in a case where a fraud investigation might become an issue.

The issue with this particular site was that the client wanted to be able to take orders over the internet, but not necessarily bill them straight away (eg if they had to order the part in they didn't want to bill their customer until they had sent the part on it's way). The merchant we normally use for online CC transactions (using the redirect-browser-to-merchant model) doesn't have the concept of authorize now, bill later, so we were caught between a rock and a hard place... We put forward an alternate solution to the client but they elected to take their business elsewhere.

You just can't educate some people.

Re:Gift Cards (1)

mxs (42717) | more than 6 years ago | (#21813902)

[quote]No credit card information was stolen. It's impossible.[/quote]

Interesting that you note something entirely possible to be impossible. CC information can be stolen. If you ever find yourself in a situation where you come to believe that your system is so secure that it's impossible, you probably haven't understood exactly what security, in the context of electronic commerce, means.

[quote]read: is illegal to keep[/quote]

Interesting legal analysis. Patently false, but hey, who's counting. All you might possibly do is to breach a contract with your payment processor or some other private entity, but it's certainly not illegal to store 16 digit numbers on servers of "sites". It's not too bright and certainly not recommended (nor standard practice), but it won't land you in jail.

Even payment processors have lousy security at times, and credit cards in general do. That's just a nitpick though :)

As for the OP, he truly does seem to embellish the truth a little; then again, you seem to want to play it down a little too much, as well. Contact information alone is already a valuable privacy asset, especially considering the nature of the services you are offering. Not everybody wants their name and contact info be associated with that kind of thing; Sure they'll be more careful about being burned /next time/ (possibly by switching to usenet), but really, these privacy issues are something you really should have an interest in; it's good for business, and ethical to boot. Then again, we /are/ talking about the porn industry here.

Re:Gift Cards (0)

Anonymous Coward | more than 6 years ago | (#21813992)

CC information does not, repeat, does not [read: is illegal to keep] on the servers of sites.

That's like saying "It is illegal to gamble in my establishment, I'm shocked shocked if there is any going on" Come on there's dozens of ways this can happen both intentionally and unintentionally.

Re:Gift Cards (1)

houghi (78078) | more than 6 years ago | (#21813894)

My Citbank has such a card. I can decide for myself how much I want the card to be worth with a minimum of 1 EUR and the card is valid for 2 months.

It generates a new number, the limit, valid from tru, a cvv2 number and the account holders name. This is for www.citibank.be. No idea why not more banks do this.

I use a new number for each online purchase that I do. The worst that can happen is that the goods are not deliverd and I loose the amount I payed. However I am not worried wether someone in Georgia (no matter what country) steals my creditcard details and that is most often the highest risk.

one time cc numbers (1)

nguy (1207026) | more than 6 years ago | (#21814012)

Some banks offer one-time credit card numbers that you can just generate dynamically over the web. Unlike gift cards, they don't cost extra, you don't have to prepay, and you can get them in any amount you need.

pr0nz? (1)

thatskinnyguy (1129515) | more than 6 years ago | (#21813486)

Thank god for BitTorrent. Get all your pr0nz and don't even need a user name. Sometimes being an anonymous coward has its advantages.

Of course, really, unless there is someone with a high-profile in that list accessing some really really naughty stuff, this breach won't affect the average Joe Blow out there.

RE: The Truth (5, Informative)

Archon-X (264195) | more than 6 years ago | (#21813570)

Let me be the first to actually point out the key factors in the situation.
I work in adult, and have worked with this CMS very closely for the last 2 years.
I'm not on anyone's side, but unfortunately this problem has been surrounded by a lot of misinformation.

  • No credit card information was stolen. Website owners seldom [read: never] have access to this data, it's kept by the credit card processors
  • The information that WAS compromised was member information, primarily email addresses, for use in spamming. It 'makes sense' - a list of verified buyers is like the 'holy grail' for spammers.
  • The hackers used a list of admin accounts to poll everyone's CMS systems on the hour, and pull out this data. They have either covered their tracks well, or not at all, because they left reams of IP data, and you can see in the logs of the system itself, what information they've pulled.


It is interesting and rather important to note: The poster of the blog article is an absolute douchebag. I'm not happy with the situation obviously, I had my own system compromised, but this guy is an idiot on a warpath - 95% of what's written on his blog is off in the fairyland.
He fails to mention that he's hated by the industry, mainly for the reason that he posted 300 username / password combinations of webmasters publically, which resulted in a lot of them having money stolen from online accounts, etc.
More intelligent ramblings from this guy: My Guide To Tax Evasion [gofuckyourself.com] - Why The Unibomber was right [keithkimmel.com]

Summary: The breach was real. Scope seems to be limited ONLY to member data. Signed up? Expect some spam. Signed up with a password that you use on all your accounts? check your head, change the passwords.

Read more about our friend "minusonbit" - here - on an industry forum [gofuckyourself.com] and judge for yourself.

Re: The Truth (1)

Kasis (918962) | more than 6 years ago | (#21813788)

Just WOW. Even if this person had a legitimate point about personal data being stolen, his credibility just went down the pan.

I don't live in the USA but I presume Keith Kimmel does. If I did live in the USA I'd be wary about posting this information in public forums. He admits to tax evasion, not just a few undeclared dollars but big-time tax evasion. He admits to supporting terrorism - "Its unfortunate that people had to die so that his message could be heard, but I think in the end it was a worthwhile cost to society."

I hope he looks good in orange :)

Re: The Truth (1)

minusonebit (1207734) | more than 6 years ago | (#21813852)

I do not admit to tax evasion. I posted a guide on how people might avoid being coerced into illegal taxes. I don't support terrorism. I support freedom and the end of government control over things they have no business controlling, but THAT is a topic for another day.

Re: The Truth (2, Informative)

Archon-X (264195) | more than 6 years ago | (#21813922)

Really? Please explain:

The MinusOneBit Guide to Tax Evasion [gofuckyourself.com]

And the kicker:
If You Cheat on Your Taxes and Get Away With It... Do the Right Thing... [gofuckyourself.com]

If You Cheat on Your Taxes and Get Away With It... Do the Right Thing...
E-mail me at minusonebit@gmail.com and tell me how you did it so I can spread the tip to others.

Re: The Truth (1)

vipz (1179205) | more than 6 years ago | (#21813980)

And the kicker: If You Cheat on Your Taxes and Get Away With It... Do the Right Thing... [gofuckyourself.com]

Well, I'll freely admit that I'm easily amused.

Re: The Truth (2, Informative)

minusonebit (1207734) | more than 6 years ago | (#21813872)

As has been clarified on GFY several times, I did NOT post anyone's passwords anywhere. I linked to a Google cache of about 300 of them that was exposed due to another one of this industry's miserable failings in the security area - a poorly design admin area that did not censor the passwords that got stored in Google. And I covered that on my blog as well. I have never heard the end of that because other people in the industry were upset that another dirty little adult industry secret made it out for everyone to see. You can see what I wrote at the link below - including the link to the now removed Google cache. http://www.icwt.us/index.php/2007/09/30/privacy-of-adult-webmasters-breached-by-google-search-poor-security/ [www.icwt.us] Opinions are like anuses. Everybody has got one. Plenty of people don't like me. Good for them. I honestly could not care less. Yes, I am pretty much universally hated in the adult industry. Thats what happens when you poo poo on everyone in a public manner. But as I have said many times before I do not care and after this over, the industry will be better because of what I have done. No one will ever do something bone headed like this again because this one is going to cost some people their livelihoods and adult websites are going to suffer a hit in the PR department which sadly is a necessary cost to make sure that this does not happen again.

Re: The Truth (1)

Archon-X (264195) | more than 6 years ago | (#21813934)

QFT

I honestly could not care less. Yes, I am pretty much universally hated in the adult industry.

Re: The Truth (0)

Anonymous Coward | more than 6 years ago | (#21814080)

No credit card information was stolen. Website owners seldom [read: never] have access to this data, it's kept by the credit card processors
Really? Not even when the user signs up for the account and enters the credit card number?

Now, I've never actually bought porn before, but assuming that porn sites work like every other ecommerce site in existance, the credit card number is most certainly entered into a form that's sent to the web server of the porn site. And if the web site has been compromised by a shell account that has premissions to modify the website software (like, say, it has been), then the credit card numbers of anyone who has signed up since the breach are likely to have been stolen.

Which is exactly what was reported.

I'm not happy with the situation obviously, I had my own system compromised, but this guy is an idiot on a warpath - 95% of what's written on his blog is off in the fairyland.
You gave a privileged SSH account to a third party, what did you expect?!

Secondly, the blog is titled "In Corruption We Trust" and refered to "the PSA (Police State of America)" - I was already expecting it to be off in la-la land.

Scope seems to be limited ONLY to member data.
Seems? So even you admit you don't actually know whether credit card numbers were stolen.

I'll bet you some were stolen. Any account opened since the breach or that used a recurring payment scheme should check to make sure their credit card wasn't stolen.

Re: The Truth (3, Informative)

Archon-X (264195) | more than 6 years ago | (#21814264)

Really? Not even when the user signs up for the account and enters the credit card number?

Now, I've never actually bought porn before, but assuming that porn sites work like every other ecommerce site in existance, the credit card number is most certainly entered into a form that's sent to the web server of the porn site. And if the web site has been compromised by a shell account that has premissions to modify the website software (like, say, it has been), then the credit card numbers of anyone who has signed up since the breach are likely to have been stolen.
It actually doesn't work like that.
NATS, the software in question here, acts as a gateway to the payment processor. CC information is never entered or passed through NATs.
It's just the same as when you make a purchase on a website through paypal. No CC information information is ever given to the site, all they receive is a postback. That's exactly the situation here, CC data is stored on the processing servers, and is completely distinct from this mess.

It was reported that CC data was stolen, or may have been but this is entirely untrue as you can see above.

You gave a privileged SSH account to a third party, what did you expect?!
No, I didn't. The accounts were NOT ssh accounts, they were logins to Web UI systems.

Seems? So even you admit you don't actually know whether credit card numbers were stolen.
I do. CC numbers are not stored on this system [I sound like a broken record]. When I say 'seems', I mean that the hacker did not try to take any other information, such as affiliate information, statistics information, or anything else stored in NATS, the software in question.

I'll bet you some were stolen. Any account opened since the breach or that used a recurring payment scheme should check to make sure their credit card wasn't stolen.
Rubbish. This information is not stored in the software or on any of the servers. You can 'bet' all you want. I'll take you on that wager, because you're posting and not knowing what you're talking about.

LINKS NOT SAFE FOR WORK (1)

The_Mystic_For_Real (766020) | more than 6 years ago | (#21814110)

The links in the parent to www.gofuckyourself.com aren't safe to open at work or in front of more conservative family members. Otherwise it is a very informative post.

TMM are a bunch of lying bastards (2, Informative)

Anonymous Coward | more than 6 years ago | (#21813572)

The real kicker is that every one of our customers that use NATS have been complaining that their affiliates (people that send traffic to them) are being spammed on one-time-use addresses they only typed into NATS. TMM told them that it was our systems that had been hacked, even after we submitted detailed information to them.

Our customers are not happy.

Merry Christmas (0)

Anonymous Coward | more than 6 years ago | (#21813644)

Ah, it IS a very merry Christmas after all. Santa brought me some KY Jelly and some Kleenex. Time to reap the rewards of poor security.

It's called Karma (-1, Troll)

Anonymous Coward | more than 6 years ago | (#21813758)

Read the effing bible people! Go to church. When you buy porn you're subsidizing sinners. When you look at porn you're committing sin. Don't buy porn and you won't have problems like this. Yea you think you're so hip and post-modern and atheistic-humanist-darwinist. But it catches up with you and this is a case in point. I'm 100% serious people. You all need to take a serious look at where you want to spend eternity. Go ahead and rate this down but if one person gets saved it was worth it.

I WROTE THE STORY. I STAND BEHIND IT 110%. (2, Informative)

minusonebit (1207734) | more than 6 years ago | (#21813782)

I am the guy who wrote the story.

I have already been threatened with a libel lawsuit by a senior executive of Too Much Media for publishing this. I published it anyway. They are still making lawsuit threats http://www.gfy.com/showpost.php?p=13561241&postcount=418 [gfy.com]. I honestly do not care about their threats, I will continue to give media interviews and I will continue to push this story out there. Because people need to know what the industry does not want to tell you.

Go ahead and do what the other poster recommends. Go to GFY and look up "minusonebit". You'll see that I am not well liked within the industry. Its a good thing I am not in the industry to make friends with people therein. I have a growing following of trolls and bashers who are trying everything to tear me down because I have told it like it is. I went to GFY to grow a venture I started. I have been around there a while and I have seen alot of BS go down but this takes the cake.

The adult industry would love to sweep this under the rug. They have already directed everyone here to try and do damage control, to vote this down or do whatever they can to keep it from spreading. I don't think thats the way it should be handled so I have spent most of the weekend making sure that this story gets out and people The industry has also been telling me how http://www.gfy.com/showpost.php?p=13561426&postcount=12 [gfy.com] this story wont last here because apparently the ownership of Slashdot has an interest in NATS.

Yes folks, people still do buy porn. Not everyone uses the torrents. But this is your credit card information that they couldn't care less about. They tried to cover it up. They are still trying to cover it up! They still have not notified the customers. Please people, flush this toilet. Write to your elected officials and your banks and demand action. This is not the first time that the industry has suffered a breach. But it hasn't been publicized like this one. This is not how all of the adult industry wants to do business. Some people want to bury this as well and have business as usual. But some of us welcome a chance to clean this mess up and restore respect to the profession.

I STAND BEHIND MY REPORT. I CHALLENGE ANYONE TO DISPROVE IT.

Re:I WROTE THE STORY. I STAND BEHIND IT 110%. (2, Informative)

minusonebit (1207734) | more than 6 years ago | (#21813810)

For those of you who'd like to see how the Industry's media reported on this mess, checkout this link. http://www.xbiz.com/news/88230 [xbiz.com] XBiz whitewashed the story bigtime. And that flat out lied about billing information not being at risk. The hackers had administrative passwords. They had the equivalent of root. It was all there for the taking. No one knows if they were taken because TMM has not been forthcoming or helpful with that end of things. Of course, they say the billing DBs were safe at all times, but they don't exactly have a track record of honesty or trust in other matters. John Albright at TMM once owned a site that installed trojans on people's computers. He claims to have sold the company and it was the new owners. Who knows what the deal is.

Re:I WROTE THE STORY. I STAND BEHIND IT 110%. (4, Informative)

Archon-X (264195) | more than 6 years ago | (#21813868)

As posted before, this guy is nothing more than a troll.
It's very simple: You've cast aspertions that CC data was stolen.

Post proof. We're waiting.

Anyone can go to http://www.gofuckyourself.com/forumdisplay.php?f=26 [gofuckyourself.com] an industry forum, search for 'minusonebit', and read for yourself about this guy, and the misinformation that surrounds him.

Re:I WROTE THE STORY. I STAND BEHIND IT 110%. (1)

minusonebit (1207734) | more than 6 years ago | (#21813962)

The intruders had access to the billing data you idiot. They had full access on the entire system. John lost control of his entire company, or most of it. All we have thus far is John's word that the billing data wasn't taken. I flush things down the toilet that are worth more than John's word is right now. I said it may have been stolen, I did not say it *was* stolen. Prove to me - independently of TMM's press statements - that said was safe. Until then, it was compromised. There is no reason to believe that they did not download it. If you were a hacker and you just hit the superfecta of improperly secured servers, wouldn't you download all you could? Of course you would. No one wants to notify the customers because they are still hoping and praying that the data wasn't actually removed, that the hackers went in, looked, saw the data, left it all alone and never came back. But thats OK, the class action lawsuit I mentioned will make sure no one ever thinks of taking such a stupid approach again in the future. Thank god. Why don't you fax me all of your personal data right now, since you seem not to care about everyone else's data being compromised. I had data in there and rather than sit here and piss and moan about it, I'm going to make sure that this type of thing NEVER happens again. Because this is going to cost TMM and the adult industry so much that it wont be able to afford another mess like this. Unbelievable that you work in adult and you care so little about your customer's data. Or maybe you are one of those idiots who has to win the online flame war at any cost. Whatever, it does not matter. The bell has been rung and there will be no unringing it.

Re:I WROTE THE STORY. I STAND BEHIND IT 110%. (1)

Amelia G (672327) | more than 6 years ago | (#21814014)

What is your involvement in internet industry of any kind? Have you ever demoed an affiliate program back end? NATS or any other? What makes you think that software for the purpose of tracking affiliate sales across multiple billers would track consumer financial information?

Re:I WROTE THE STORY. I STAND BEHIND IT 110%. (4, Interesting)

Archon-X (264195) | more than 6 years ago | (#21814186)

Prove to me - independently of TMM's press statements - that said was safe
From all the logs and data I have seen, and trust me, I have seen more than most people in the industry, the users had access to NATS as admins. Admins cannot pull out biller data, that isn't presented.

Furthermore even if they had, if you were a real webmaster, you'd know: you can login to any biller and cannot see credit card information - CREDIT CARD INFORMATION WAS NOT STOLEN.

Finally taking the tack that 'all information is compromised unless proven otherwise' is complete rubbish. That's as far-reaching as saying: assume your online banking is compromised because they don;'t email you daily saying it's not.

The summary is as it was: NATs was breached, and the issue was handled very poorly. You, however, have posted lies, and FUD, once again, to try to engorge your ego. Your posts are full of lies and FUD, it's just that simple - and anyone w/ 5 mins can follow the links in this discussion and see the same.

Re:I WROTE THE STORY. I STAND BEHIND IT 110%. (1)

minusonebit (1207734) | more than 6 years ago | (#21814202)

"Finally taking the tack that 'all information is compromised unless proven otherwise' is complete rubbish. That's as far-reaching as saying: assume your online banking is compromised because they don;'t email you daily saying it's not." Fine, whatever you say. If you see a news story saying your bank was hacked, you should assume that all of your information was compromised until someone proves otherwise. It doesn't surprise me that you'd have problems with this concept though.

Re:I WROTE THE STORY. I STAND BEHIND IT 110%. (1)

Archon-X (264195) | more than 6 years ago | (#21814232)

When you provide proof to everyone here that credit cards were stolen, I'll beleive you.
As already posted, CC information IS NOT AVAILABLE to the owners of the processing accounts, in an entirely different system.
It is completely impossble that CC information was taken. I could post you my Epoch [Credit card processor] credentials here, and you'd never be able to pull out credit card info on my customers.

You are a troll.

NATS does not have that much market penetration (2, Informative)

Amelia G (672327) | more than 6 years ago | (#21813906)

I've seen estimates as high as that 95% of adult sites use NATS and that is just patently not the case. First of all, only sites which have affiliate programs would have any use for NATS at all. Many site owners who have affiliate programs use one of the half dozen other major affiliate program solutions out there or use a custom software solution.

I can personally vouch for the fact that neither BlueBlood.com [blueblood.com] nor SpookyCash.com [spookycash.com] nor any of their subsidiary or partner sites have ever implemented NATS in any way.

If, during the time of the alleged NATS security breach, you bought a membership to an adult site, the odds are that no vital data of yours was harvested. If you happened to buy from a site using NATS and anything was harvested, it was probably only your email address. Which sucks, but does not mean you need to cancel your credit cards and checking account. Some industry insiders allege that NATS knew about the data security breach and ignored it, some say NATS thought they had successfully fixed the problem, and some say there was no technical data leak and NATS people were the ones spamming. The specifics do not matter all that much to me because I don't personally use their software and I'm resigned to being spammed. Your credit card info is probably safer at an adult site than most places on the net because adult industry tends to lead technological advances in media.

I do think it is important for people to understand that a sites' members are vital for the site to continue. If you like the kind of content a site is posting, buying a membership is the most effective way to keep that kind of content being produced. It might seem like your few dollars, plus or minus, would not make that big a difference, but it really does. It is basically voting with your wallet for what you want to exist and flourish.

Re:NATS does not have that much market penetration (1)

minusonebit (1207734) | more than 6 years ago | (#21813940)

I was alerted to that error earlier today and just now notice that I had corrected it only at the top of the post. I have since fixed it throughout the article. The correct market penetration - I am told - is somewhere around 35% to 40% of all adult sites online.

Re:NATS does not have that much market penetration (1)

Amelia G (672327) | more than 6 years ago | (#21813988)

I read the 95% figure a couple minutes before I posted here. For that matter, where do you get the 35% to 40% figure?

Re:NATS does not have that much market penetration (1)

minusonebit (1207734) | more than 6 years ago | (#21814020)

A program owner within the adult industry who asked that I please not drag his name out into the public limelight.

Re:NATS does not have that much market penetration (1)

Amelia G (672327) | more than 6 years ago | (#21814034)

Awesome! An anonymous program owner almost certainly is privy to overall industry data about all other programs and sites in existence. I am a non-anonymous program owner and I'm pretty expert at what I do. The "public limelight" does not concern me, but accuracy does concern me. You can't just pull a random number out of someone else's secretive orifice and claim it is accurate.

Re:NATS does not have that much market penetration (1)

minusonebit (1207734) | more than 6 years ago | (#21814174)

He asked not to be named. I value privacy. I am not naming sources until and if this goes to court and I have to name sources, he said he would be willing to appear in court anyway. The guy doesn't want to be involved in my fecal matter throwing festival and lose his business. He probably has kids to feed or something. If not for the ability of reporters to have confidential sources you would never have read most of the top news stories of history because they never could have been written. I want people to come to me with dirt on TMM/John Albright. Do you think they are going to do that if I tell them whatever is needed to get their statement and then breach the trust and splash their name all over the world stage? Learn something about journalism and grow a brain. Or present some facts to support your statement. Or something. Or just shut up. That would work as well.

Re:NATS does not have that much market penetration (1)

Archon-X (264195) | more than 6 years ago | (#21814200)

I value privacy
Again, this is total horseshit. This guy a few months ago posted 300 usernames and passwords to webmaster accounts, causing many to lose thousands of data from this information. You can lie and spin it as much as you want, but the evidence is in the posts and your actions. You have already admitted in this thead that 'you don't care' about others and the consequences of your actions - and your continued posts where you change your 'facts' are just a further indiction of your unreliability.

Re:NATS does not have that much market penetration (1)

minusonebit (1207734) | more than 6 years ago | (#21814238)

Again moron, prove your statement. The passwords were posted by Google. NOT ME. http://www.icwt.us/index.php/2007/09/30/privacy-of-adult-webmasters-breached-by-google-search-poor-security/ [www.icwt.us]

Re:NATS does not have that much market penetration (1)

Archon-X (264195) | more than 6 years ago | (#21814312)

Ah, resorting to insults when you don't have proof.
Ladies and gentlemen, the real 'minusonbit'

Re:NATS does not have that much market penetration (2, Interesting)

Amelia G (672327) | more than 6 years ago | (#21814276)

Which statement did I make that you'd like facts to back up? Because, unlike you, I am wholly prepared to back up what I have to say. I don't want to know the name of your laughably fictitious anonymous source. I want to know how the data was arrived at because it strikes me that you have little concern for accuracy. I own the leading affiliate program in my niche and I think your data is way way way off, so I find it highly flawed thinking for you to believe that one other program owner's guesstimate is gospel. You already admitted that you personally believed your own data was off by something like 200%. Recap: You admit to being at least 200% wrong. I'm asking you to verify your data assertions. You are asking me to verify nothing in particular, but I'm not the one throwing around fictional stats from mysterious sources.

Trend? (2, Funny)

Porchroof (726270) | more than 6 years ago | (#21814028)

I hope this is the beginning of a trend: hack all adult sites and cause them as much trouble as possible. The world doesn't need that filth.

Besides, it would be payback for taking over all of the home computers in their attempt to sell their crap.

Re:Trend? (2, Insightful)

Archon-X (264195) | more than 6 years ago | (#21814160)

Your post is a scary reflection of presumably intelligent people who actually believe this FUD.
#1 - If you consider porn and sex filth, that's a problem in itself.
#2 - Making a blanket statement that the adult industry is reponsible for your spam is about as intelligent as blaming yourself for stock spam.

Yet Another Legal Patch (1)

slashdotard (835129) | more than 6 years ago | (#21814042)

More and more frequently it seems that the first patch to be applied to broken software like this is a legal patch.
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...