DataBreaches.Net

Menu
  • About
  • Breach Notification Laws
  • Privacy Policy
  • Transparency Report
Menu

Digital Playground becomes hackers’ playground (update 1)

Posted on March 5, 2012 by Dissent

The Digital Playground porn site has reportedly been hacked. Big time.  The site that advertises “Porn worth paying for” may find itself paying dearly for a security breach that may have exposed over 72,000 customers’ details and over 44,000 credit card numbers.

In what they claim as their first release, a group calling themselves The Consortium (@Th3Consortium on Twitter) described the hack:

You see for a while now we have had access to digitalplayground.com, one of the five biggest porn sites in the world.
But it doesn’t need any introduction from us.

This company has security, that if we didn’t know it was a real business, we would have thought to be a joke – a joke that we found much more amusing than they will.

“This site has so many freaking holes that if I didn’t know it was a porn site, I would have mistaken it for a honeypot” – [Redacted]

We did not set out to destroy them but they made it too enticing to resist. So now our humble crew leave lulz and mayhem in our path.
We not only have the 72k users of this site but also over 40k plaintext credit cards including ccvs, names and expiry dates.
If you want to hear more about those plaintext credit cards scroll through the MySql info further down. And of course as this is a porn site
there was no shortage of .mil and .gov emails in their user list.

We also went on and rooted four of their servers, as well as gaining access to their mail boxes. Using credentials from emails
we tapped into their conference call. “Is anyone besides David on the line ?” – We were. Did we win? Sure looks that way.

Digital Playground game over.

Thankfully for the 72,794 users whose usernames, e-mail addresses and plaintext passwords were reportedly acquired, the hackers did not dump all of the data they claim to have acquired, but if they are possession of the data, that alone is  cause for concern. They posted a smattering of the personally identifiable information they acquired:

  • 27 admins’ names, usernames, e-mail addresses, and encrypted passwords
  • 28 admins’ names, usernames, e-mail addresses, and encrypted passwords (some overlap with previous table)
  • 85 affiliates’ usernames, plaintext passwords, and in some cases, IP addresses
  • 100 users’ e-mail addresses, usernames (same as e-mail addresses) and plaintext passwords, and
  • 82 .gov and .mil e-mail addresses with corresponding plaintext passwords

They did not dump the 44,663 credit card numbers that they claim to have acquired, but note that card numbers, card expiration date, cvv and all customer billing address and contact info were in plain text. They provided two redacted versions of named customers as proof of that.

Clearly, if their claims are true (and I have no reason to disbelieve based on what they posted), this is bad. Really bad. So much personal information stored in clear text? Seriously? From Digital Playground’s Privacy Policy:

1. Information Security

Digital Playground, Inc. is dedicated to the protection of Site users’ information. To prevent unauthorized access to information provided to us, the Company uses a number of generally accepted industry standard procedures designed to effectively safeguard the confidentiality of your personal information. These procedures include secure server location, controlled access to data and equipment, robust redundant firewall software, network monitoring, adaptive analysis of network traffic to track and prevent attempted network intrusions and other network abuse and appropriate employee training in the area of data security. We shall continue to take reasonable steps to provide effective data protection at all times, however, because no security technology can provide invulnerability to information compromise, the Company cannot, and does not, guarantee the security of any information that you transmit to us or to any third party affiliated with the Site.

Apparently their dedication doesn’t extend to encrypting customer data or PCI DSS compliance.

At the time of this posting, DP’s  homepage returns an error message.  They have not yet responded to an inquiry I sent them this morning about the claimed hack.

h/t, Dump Centa

Update:  The web site is back up with no notice and I’ve received no response to my inquiry yet.  Interestingly, Digital Playground is operated by Manwin – the same firm that operates the Brazzers and  YouPorn web sites that were recently in the news when they were hacked. According to Manwin’s statement in the previous reports, this site appears to have had less security than Brazzers, as in that case, user passwords were reportedly encrypted and credit card data were not compromised.

Category: Breach IncidentsBusiness SectorHackOf NoteU.S.

Post navigation

← New York Court Finds Clinic Not Liable for Employee's Disclosure of PHI
2700+ Saudi based Accounts leaked →

Now more than ever

"Stand with Ukraine:" above raised hands. The illustration is in blue and yellow, the colors of Ukraine's flag.

Search

Browse by Categories

Recent Posts

  • Ransomware group Gunra claims to have exfiltrated 450 million patient records from American Hospital Dubai.
  • North Shore University Sleep Disorders Center employee charged with secretly recording patients in restrooms
  • When ransomware listings create confusion as to who the victim was
  • Rajkot civic body’s GIS website hit by cyber attack, over 400 GB data feared stolen
  • Taiwan’s BitoPro hit by NT$345 million cryptocurrency hack
  • Texas gastroenterology and surgical practice victim of ransomware attack
  • Romanian Citizen Pleads Guilty to ‘Swatting’ Numerous Members of Congress, Churches, and Former U.S. President
  • North Dakota Enacts Financial Data Security and Data Breach Notification Requirements
  • Pro-Ukraine hacker group Black Owl poses ‘major threat’ to Russia, Kaspersky says
  • Vanta bug exposed customers’ data to other customers

No, You Can’t Buy a Post or an Interview

This site does not accept sponsored posts or link-back arrangements. Inquiries about either are ignored.

And despite what some trolls may try to claim: DataBreaches has never accepted even one dime to interview or report on anyone. Nor will DataBreaches ever pay anyone for data or to interview them.

Want to Get Our RSS Feed?

Grab it here:

https://databreaches.net/feed/

RSS Recent Posts on PogoWasRight.org

  • Florida ban on kids using social media likely unconstitutional, judge rules
  • State Data Minimization Laws Spark Compliance Uncertainty
  • Supreme Court Agrees to Clarify Emergency Situations Where Police Don’t Need Warrant
  • Stewart Baker vs. Orin Kerr on “The Digital Fourth Amendment”
  • Fears Grow Over ICE’s Reach Into Schools
  • Resource: HoganLovells Asia-Pacific Data, Privacy and Cybersecurity Guide 2025
  • She Got an Abortion. So A Texas Cop Used 83,000 Cameras to Track Her Down.

Have a News Tip?

Email: Tips[at]DataBreaches.net

Signal: +1 516-776-7756

Contact Me

Email: info[at]databreaches.net

Mastodon: Infosec.Exchange/@PogoWasRight

Signal: +1 516-776-7756

DMCA Concern: dmca[at]databreaches.net
© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.