1.2M account details exposed on adult content site Luscious
A website for sharing adult content has exposed the details of nearly 1.2 million users on an unsecured Elasticsearch database.
Discovered recently by security researchers at vpnMentor, the site goes by the name of Luscious and shares user-uploaded content, including hentai, or Japanese anime or manga pornography. A mix of a forum and image hosting site along the lines of Imgur complete with commenting and shares, the site is surprisingly popular, with an Alexa global rank of 5,041.
Users on the site had only their usernames exposed to others, but their personal details are gathered when they register and those details were found in the database: usernames, personal email addresses, locations, activity logs, genders and in some cases full names.
In addition, the database also included user activity such as video and image album uploads, likes, comments, userIDs, followers and blog posts, all of which could be linked back to actual real-world identities.
“Some of these blog posts were extremely personal – including depressive or otherwise vulnerable content – and kept anonymous,” the researchers wrote. “Due to this data breach, however, the blog posts are no longer anonymous, with many of the authors’ identities revealed.”
An estimated 20 percent of accounts used throw-away addresses, but the others did not, with users using email addresses that often included their actual names. In some cases, the email addresses were government-issued as well.
The researchers noted that the data breach could have devastating effects on users given they could be easily outed as users of a porn site with fetish features. The data also exposes users of the site to hackers and other malicious actors, who could potentially use the data to hack or even blackmail users of the site.
“Once a Luscious user’s identity is compromised, they can be targeted for more than just bullying,” the researchers write. “Hackers could threaten to expose users unless they pay a ransom. Given the sensitive nature of this data breach, victims are incredibly vulnerable and likely to pay.”
Although the Luscious data breach is not nearly as big, there is precedent when it comes to sensitive information being used to blackmail people, such as when data was stolen from cheating hookup site Ashley Madison in 2015.
It remains unknown whether the database was accessed by malicious actors, but it has now been secured.