User Data Stolen From Pornographic Web Sites
Hackers Apparently Were After E-Mail Addresses for Spam, Not Credit Card Information

By Keith B. Richburg
Washington Post Staff Writer
Friday, January 4, 2008

NEW YORK -- Consumers of Internet pornography who secretly signed up for memberships on adult-oriented Web sites in the past few months may be in for a shock -- some of their personal information, including e-mail addresses, may have been compromised by a security breach.

Though the breach, which potentially could affect tens of thousands of customers, reportedly did not involve the theft of credit card information, it could nonetheless have a significant impact on the lucrative Internet pornography industry, according to those who monitor the market. These observers note that online porn relies, as much as anything else, on the promise that its customers can enjoy complete anonymity as they indulge their favorite niche pastimes from the privacy of their own computers.

"It's a huge concern," said Jason Tucker, whose Falcon Foto company boasts one of the world's largest erotic libraries. "The relationship we have with our customers is based on trust. The industry's concern is if that trust has been violated, we could see a drop-off in customers."

A New Jersey company called Too Much Media, which supplies the software tracking system used by hundreds of adult sites, has reported that a list of its clients' user names and passwords was stolen. The company said no credit card information has been stolen.

"From what we have determined so far, whoever has done this was only seeking to harvest e-mail addresses for spam," said John Albright, the owner of Too Much Media, responding to e-mailed questions.

Albright said his company's software "is really an accounting package which handles the statistics and tracking for reseller programs. It does not process the transactions itself." Some pornography customers have already been reporting that their e-mail boxes are getting hit with pornographic spam attacks.

The breach was first reported on the blog In Corruption We Trust, by Keith Kimmel, who has two adult Web sites and uses the software. Kimmel claimed that "tens of thousands" of users' personal data may have been accessed. Albright, however, said it was hard to determine how many people are affected.

The breach has raised serious alarm in the world of adult-oriented Web sites, with many concerned about the effect on customers if they learn that their most secret transactions are not so secret after all.

"It's supposed to be a hush-hush transaction," said Chad Belville, a Phoenix-based lawyer who represents many adult industry clients, and is involved in an unrelated court case against Too Much Media. "There's already a hesitation to use your credit card online, and even more hesitation on a porn site, and this is going to make sales more difficult."

Internet security breaches have become increasingly common as security software races to keep pace, said Linda Foley, who runs the Identity Theft Resource Center.

Too Much Media supplies an administrative software program called NATS, for Next-Generation Administration and Tracking Software. The site lists scores of clients, including Porn Kings, Pornstar Dollars and Sex Stuff Sells. Many of these are affiliate sites that provide links to other smaller porn purveyors.

Albright said he first became aware of the breach in October and notified those clients he thought were affected. "As soon as it became apparent that the leak was not plugged and the issue was more widespread than we believed, we notified everyone," Albright said.

On Dec. 23, Too Much Media posted a warning on its Web site saying, "We have become aware of a security issue involving administrative passwords we maintain for support of our clients." The company said it was instituting new security features.

Too Much Media has been criticized on the online porn industry's discussion forums for waiting to put out the announcement. On one adult trade site, AVN Media Network, several clients claim that the NATS system may have been breached for as long as a year.

Albright said his company e-mailed all of its clients as soon as he learned the extent of the breach and posted the Dec. 23 notice when he learned some did not receive the e-mail.

But that explanation wasn't flying among some in the adult entertainment world. If the system had been compromised since October, Tucker said, "that's a long time to have a hole there."

Customers may also be more reluctant to report a problem when the issue involved is online pornography. "Would you really want someone out there to know you surf porn sites, and the hardcore bondage stuff?" said Kimmel. "The guy out there buying a membership for his own personal pleasure has no clue."

View all comments that have been posted about this article.

© 2008 The Washington Post Company