An anonymous hentai porn site exposed over a million users’ emails

A popular hentai porn site that promises anonymity to its 1.1 million users left a user database exposed without a password, allowing anyone to identify users by their email addresses.

You might not have heard of Luscious.net unless you’re into hentai and manga porn but it’s one of the most popular websites in the U.S., ranking in the top 5,000 sites in traffic, per Alexa data.

Security researchers discovered the security lapse and provided details of the exposed database exclusively to TechCrunch.

But our efforts to reach the site owner over the past week to get the database secured were unsuccessful. We emailed the site’s administrator — whose email address was found in the very first user record — to disclose the security lapse, but we did not hear back after several follow-ups. We sent the administrator a note through the site’s contact form, through Facebook Messenger, over a LinkedIn contact request, and we sent several text messages based off the site’s historical registration data.

We passed on a message to the site’s web host, which took action to block access to the database, allowing us to publish.

The database contained what appeared to be the site’s entire back-end database, including more than 235,000 albums, 30,000 user blog posts, and 900 videos. The data also contained details of the site’s 19.7 million photos.

The exposed data also included records that connected all of a user’s activity on the site, including their username, blog posts, their followers, and their locations. Those records also contained users’ non-public email addresses. We found that although some accounts signed up with a fake email address, our testing showed that many of the emails were real, allowing us to identify real-world individuals who used the site.

There were no passwords in the database, however.

TechCrunch verified the exposed data by creating an account on the site and searching for the username we had just created in the database. It appeared near-instantly, indicating the database was live updating and was not a static backup file.

The database was exposed since at least August 4, according to data from Shodan, a search engine for exposed devices and databases.

It’s the latest example of an exposed or leaking data — where companies fail to protect their users’ data by protecting their databases with a password or basis security mechanisms. In recent months we’ve seen a cryptocurrency loan site expose credit cards, thousands of exposed medical injury claim reports, and a security lapse at dating app JCrush.