A Spanish brothel chain running “men’s clubs” in Barcelona and Valencia has left a database exposed online without a password, leaking troves of sensitive information such as details for thousands of escort girls, customer reviews, and the club’s very own financial details.
The leaky server, found by Bob Diachenko of Security Discovery, is your typical case of a MongoDB database left connected to the internet without a password for the admin account.
Diachenko, a well-known researcher who helps companies secure exposed servers, stumbled upon the database over the weekend, on August 4.
While it is unclear for how long the database was exposed online, the MongoDB server was taken down on the same day Diachenko reached out to the company.
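The misconfiguration described above is a mongod instance listening on a public interface with access control switched off. As an added illustration, not taken from the ZDNet article and not the affected company's real configuration, here is that exposing setup beside a hardened mongod.conf; the private address and the admin user name are assumed placeholders:

```yaml
# mongod.conf -- EXPOSED: listens on every interface and enforces no authentication.
# (Added illustration; not the affected company's actual configuration.)
net:
  port: 27017
  bindIp: 0.0.0.0          # reachable from the public internet
security:
  authorization: disabled  # anyone who can connect can read and modify every collection
---
# mongod.conf -- HARDENED: private interfaces only, authentication required.
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the private app-network address (assumed)
security:
  authorization: enabled       # every client must authenticate; roles bound what it may do
# Before restarting with authorization enabled, create the first administrative user
# from a shell on the database host itself, e.g.:
#   use admin
#   db.createUser({ user: "dbadmin", pwd: "<strong password>",
#                   roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] })
# With authorization enabled and no users defined, MongoDB's localhost exception
# permits exactly this one bootstrap step from the local machine.
```

Pair the bindIp change with a host or network firewall rule so that port 27017 is unreachable from outside the private network, and check the database log for connections from unexpected addresses.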
In an interview about the exposed server, Diachenko asked ZDNet not to name the company behind these men’s clubs, a request to which ZDNet agreed.
This company, which describes itself as an investment and holdings firm on its website, runs three men’s clubs in Spain, two in the city of Barcelona, and one in Valencia.
According to Spanish law, prostitution is legal in Spain, but not in an organized manner such as brothel houses, which are still considered illegal — although authorities seem to tolerate the practice.
The exposed data
According to Diachenko, the leaky server exposed the details of 3,350 escort girls who worked or are still working in the three aforementioned men’s clubs.
These details included the girls’ real names, dates of birth, age, nationality, and body details — such as height, weight, chest size, and whether the girl had natural breasts or had breast enlargement surgery.
Scans of the escort girls’ IDs were also uploaded and found in the MongoDB server, as can be seen below.
The database also contained private descriptions made about each escort girl.
These descriptions appear to have been created by the company’s staff, and included details such as “girl is missing,” “has gone back to Venezuela,” “thin with a spectacular silhouette,” “Columbian, has curves, not that pretty,” and others.
In addition, the database also contained user reviews for some escort girls. These turned out to be comments that customers had left on the three men’s clubs’ public websites.
While public comments made on a public website may not be a “privacy leak,” the leaky server was also exposing the commenters’ email addresses and IP addresses, as can be seen from the screenshot below.
Exposed data is ripe blackmail material
But while the brothel chain replied to Diachenko and secured its DB on the same day the researcher reached out, even thanking him, they weren’t too happy to hear from ZDNet.
The company didn’t reply to a request for comment sent via email, and we were told to “f*** off” during a very short phone call.
It is unclear for how long the company had left its server exposed online, and if others had gained access to it.
The data the brothel chain had exposed is the ideal type of information that can be used to blackmail both the company’s customers and the escort girls, even if the girls stopped working at the clubs years ago.
In today’s society, prostitution, despite being one of the oldest professions around, still carries a stigma. People associated with this way of life can be criticized or suffer reputational, emotional, or physical harm just by being remotely linked to it.
This is the reason why Diachenko didn’t want to name the company behind these men’s clubs, as revealing their name may bring unwanted attention to its systems, with hackers going after its data, hoping the company messes up its database access control settings again in the future.
“My only goal is to focus not on the nature of the exposed data but the cyber hygiene in general and again highlight the importance of keeping sensitive data secured – especially those that might be easily manipulated if/when exposed,” Diachenko said today in his own report on the leaky brothel house’s server.