Dutch Website Hack Reveals Data Of 250000 Sex Workers’ Clients

By   ISBuzz Team
Writer , Information Security Buzz | Oct 11, 2019 03:16 am PST

The account details of the 250 thousand users of Dutch website Hookers.nl have leaked out after a vulnerability on the website was exploited. A hacker captured the members’ data and is offering it for sale, NOS reports based on its own research after an anonymous tip. The website is popular among clients of sex workers, who exchange tips, reviews and experiences in the sex industry.


Notify of
4 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Javvad Malik
Javvad Malik , Security Awareness Advocate
October 13, 2019 5:49 am

The vBulletin vulnerability is a reminder that timely patching for public-facing and publicly-exploitable vulnerabilities should always be a top priority for organisations. With so many external-facing systems made up of different components, this can be a difficult task, which is why it\’s important to have an up-to-date and reliable asset inventory to make sure the right priority is assigned to newly discovered vulnerabilities.

It\’s also important for providers of software to give clear advice to customers, especially smaller businesses which may not have the awareness of vulnerabilities or the importance of patching them quickly.

Last edited 4 years ago by Javvad Malik
David Emm
David Emm , Principal Security Researcher
October 13, 2019 5:46 am

If people want to use legal services of this nature, they have the right to do so, and they have the right to rest assured their data is stored safely. The personal nature of this website means the people using it would not want their information public, so this data Is especially sensitive and could lead victims of the breach open to extortion and blackmail. Two years ago there was a similar breach with the website Ashley Madison whereof the advertised 37 million members, only about 12,000 active accounts belonged to real women.

Websites like Hookers.nl hold an awful lot of valuable data – and there could have serious consequences if this information is managed or stored incorrectly. The website operators of Hookers.nl had a responsibility to protect customer data, and they fell short of this. We would advise consumers to carefully review their security and privacy settings, and exercise their own vigilance to help protect themselves.

Last edited 4 years ago by David Emm
Jake Moore
Jake Moore , Global Cyber Security Advisor
October 13, 2019 5:43 am

Criminal hackers love to target data that is considered shameful to some because it has the most impact if it were to be released. Therefore, it has a higher monetary value for the same amount of work as another hack. Consequences have been dreadful from similar attacks on websites, such as Ashley Maddison, in the past, so it is essential for those affected to know they need to change their passwords and/or email addresses used. There will no doubt be further attacks targeting those email addresses threatening to release information whether they have it or not. If such emails are seen, I would suggest you do not respond and report to the police any sort of extortion.

The importance of cybersecurity can clearly be seen here and it highlights that you don’t need to use the same email address for all sites but, most importantly, and like with any breach, it highlights never to use the same password again for any other account.

Last edited 4 years ago by Jake Moore
Ilia Kolochenko
Ilia Kolochenko , Founder and CEO
October 11, 2019 11:18 am

Compared to some notorious breaches that have occurred in the last 12 months involving billions of compromised records, this data breach may seem comparatively insignificant. However, in terms of reputational damage it’s apt to inflict upon the victims, the impact may be unprecedentedly disastrous. We all remember reports of numerous suicides and countless family dramas when Ashley Madison was hacked in 2015. This time, the harm may be even more voluminous, diverse and long-lasting. Sadly, many victims will likely be reluctant to file a lawsuit or criminal complaint being embarrassed by the nature of the incident.

Unscrupulous cybercriminals will start blackmailing the victims and their families very soon. Likely, most of the campaigns will be a substandard scam, offering ”removal“ of victims’ names for a payment in Bitcoin. Of course, nothing will be ever removed, worse those victims who pay will probably be approached again and again for new ”removals”.

Professional cyber mercenaries may deploy smarter tactics, for example, asking employees of large organizations and IT vendors to share confidential data or access codes menacing to expose their secrets to management and colleagues.

Importantly, in many jurisdictions, victims cannot be fired or reprimanded for their personal life that does not involve their employer. Victims should not negotiate with the extortionists and immediately report them to law enforcement and internal security departments if appropriate.

Last edited 4 years ago by Ilia Kolochenko

Recent Posts

Would love your thoughts, please comment.x