Digital Playground.com Hacked Credit Card Data Stolen.

[mikesouth]

From http://www.mikesouth.com

Digital Playground.com Hacked Credit Card Data Stolen.
By MikeSouth
March 6th, 2012

From esecurityplanet.com

Digital Playground Porn Site Hacked

More than 72,000 customers' user names, e-mail addresses and passwords were exposed.
March 06, 2012

The porn site Digital Playground was recently hacked by The Consortium, exposing 72,794 customers' user names, e-mail addresses and passwords, as well as more than 44,000 credit card numbers.

"They did not dump the 44,663 credit card numbers that they claim to have acquired, but note that card numbers, card expiration date, cvv and all customer billing address and contact info were in plain text,"DataBreaches.net reports.

"They provided two redacted versions of named customers as proof of that," the article states.

Go to "Digital Playground becomes hackers? playground" to read the details.



As a result of this Peggy was immediately terminated today and all DP sites are now offline. This is the third big data breach of a Manwin owned website in the last month. The first was Pornhub, a free tubesite, then brazzers forum. This one is MUCH more dangerous because credit card info was compromised.

If you have ever joined a Digital Playground owned site you should immediately call your credit card company and request a new account number and card.

[mikesouth]

You see for a while now we have had access to digitalplayground.com, one of the five biggest porn sites in the world.
But it doesn?t need any introduction from us.

This company has security, that if we didn?t know it was a real business, we would have thought to be a joke ? a joke that we found much more amusing than they will.

?This site has so many freaking holes that if I didn?t know it was a porn site, I would have mistaken it for a honeypot? ? [Redacted]

We did not set out to destroy them but they made it too enticing to resist. So now our humble crew leave lulz and mayhem in our path.
We not only have the 72k users of this site but also over 40k plaintext credit cards including ccvs, names and expiry dates.
If you want to hear more about those plaintext credit cards scroll through the MySql info further down. And of course as this is a porn site
there was no shortage of .mil and .gov emails in their user list.

We also went on and rooted four of their servers, as well as gaining access to their mail boxes. Using credentials from emails
we tapped into their conference call. ?Is anyone besides David on the line ?? ? We were. Did we win? Sure looks that way.

Digital Playground game over.

[alias]

Wondered why their shit was down earlier, thanks for the info.

[GFED]

why is credit card information in plain text?

[signupdamnit]

Maybe it's a ploy to provide a defense if they ever get hauled in Megaupload style?

"Judge, we didn't upload that video the hackers did!"

[paffg]

not great news for the industry

[LiveDose]

Damn that's not good.

[AsianDivaGirlsWebDude]

Does Peggy = Peggy Mac?

Never heard of the group behind this...

Should be possible to track them:

https://twitter.com/#!/Th3Consortium

Quote:

They posted a smattering of the personally identifiable information they acquired:
27 admins? names, usernames, e-mail addresses, and encrypted passwords
28 admins? names, usernames, e-mail addresses, and encrypted passwords (some overlap with previous table)
85 affiliates? usernames, plaintext passwords, and in some cases, IP addresses
100 users? e-mail addresses, usernames (same as e-mail addresses) and plaintext passwords, and
82 .gov and .mil e-mail addresses with corresponding plaintext passwords

Could have serious repercussions for the entire industry.

ADG

[CYF]

Quote:

Originally Posted by GFED

why is credit card information in plain text?

no shit

[Nurgle]

sounds like a fun day for them

[The Ghost]

5th largest porn site ... 72k usernames ... numbers don't add up.

[alias]

Almost as bad as if Media Revenue had purchased it instead of Manwin.

[BSleazy]

Sounds serious.

[martinsc]

[xNetworx]

[venus]

why is credit card info stored on the server in the first place, this was a requirement from visa/mastercard when sites had to be tested awhile back for compliance. Anyone storing credit card info on their servers is wrong. They give us all a bad name and will run off future customers because they cannot trust adult sites. They were totally wrong for storing CC info and I am sure visa will have issue with them.

Quote:

Originally Posted by GFED

why is credit card information in plain text?

[venus]

ignore the nnumbers they really mean nothing if your trying to figure out how many members they have, you dont know if it was a back up file, if they merged password files with their other sites...same with the CC info, you dont know how many were long expired and how many were active... and calling them the 5th largest site, no one knows if that accurate..you guys get to caught up in the numbers, you need to know the structure to know the real deal.

Quote:

Originally Posted by The Ghost

5th largest porn site ... 72k usernames ... numbers don't add up.

[alias]

Looks like just another wicked Manwin social promotion.

[The Ghost]

Quote:

Originally Posted by venus

ignore the nnumbers they really mean nothing if your trying to figure out how many members they have, you dont know if it was a back up file, if they merged password files with their other sites...same with the CC info, you dont know how many were long expired and how many were active... and calling them the 5th largest site, no one knows if that accurate..you guys get to caught up in the numbers, you need to know the structure to know the real deal.

Good to see you posting again Venus

[drysky]

And you wonder why conversions are down..

Code:

#From: david                                 								     		     #
#To: [email protected], [email protected], [email protected]                                    #
#Date: 02/19/2009 05:42 PM                                                                                                   #
#Subject: NATS & CC Bill                                                                                                     #
#Guys,                                                                                                                       #
#                                                                                                                            #
#It looks like there were potentially 2 issues with the CC Bill configuration:                                               #
#                                                                                                                            #
#1) The password in the CC Bill admin did not appear to be the same as the one in NATS based on the length of the *s.        #
#                                                                                                                            #
#2) The list of valid IPs for the user in CC Bill did not include any of our new ones at RH.                                 #
#                                                                                                                            #
#Both of these issues have been fixed and we should see the rebills and conversions from trial memberships resume to normal. #
#                                                                                                                            #
#David                                                                                                                       #

Here is the full defacement: http://zone-h.org/mirror/id/17184557

All emails, logins and stuff can be found on hackbb..

[alias]

Corporate bullshit FTW.

[rowan]

Quote:

Originally Posted by GFED

why is credit card information in plain text?

It needs to be in plain text in order to push through a transaction.

The question should be, why is this information available for read access on a public web server. Why isn't it on a separate backend server, which only accepts simple commands such as "charge $29.95 to credit card record #1234" and doesn't ever reveal the underlying data to the API caller?

[anexsia]

Great, it's not like it isn't already hard enough having people buy memberships for porn sites, but now customers can read news like this and wonder if the same thing will happen to their information.

[DVTimes]

the fhg were not working for me.

http://join.digitalplayground.com/ga...AyMzY2LjAuMC4w Winne FHG
http://join.digitalplayground.com/ga...AyMzQ5LjAuMC4w Kissing Cousins FHG
http://join.digitalplayground.com/ga...AyMTc5LjAuMC4w Jesse Jane Red MooMoo
http://join.digitalplayground.com/ga...AyMTc4LjAuMC4w Jesse Jane Topless Yellow Thong

[Mike Honcho]

Sorry to hear about that.

[DVTimes]

dpincbill.com

Quote:

Digital Playground is temporarily unavailable.
We are currently verifying the security parameters on this site and upgrading the entire system in order to better safeguard your information.

If you're a member, we're sorry for any inconvenience and we'd like you to rest assured that you are not being charged for your membership right now. And since this playground is unavailable, we invite you to play elsewhere FREE of charge.

Take a look at any of the products listed below. Select any ONE of the following 6 high quality products and contact our customer support department with the requested information. You will get 1 FREE month of any product you choose. Please make sure to follow the instructions at the bottom of the page

[Qbert]

Quote:

Originally Posted by drysky

All emails, logins and stuff can be found on hackbb..

If you are/were an affiliate of DP and used the same login/pass on other programs you'd better get busy changing up all your passwords.

[DVTimes]

http://www.esecurityplanet.com/hacke...te-hacked.html

The porn site Digital Playground was recently hacked by The Consortium, exposing 72,794 customers' user names, e-mail addresses and passwords, as well as more than 44,000 credit card numbers.

"They did not dump the 44,663 credit card numbers that they claim to have acquired, but note that card numbers, card expiration date, cvv and all customer billing address and contact info were in plain text,"DataBreaches.net reports.

"They provided two redacted versions of named customers as proof of that," the article states.

[DVTimes]

http://www.databreaches.net/?p=23518

The Digital Playground porn site has reportedly been hacked. Big time. The site that advertises “Porn worth paying for” may find itself paying dearly for a security breach that may have exposed over 72,000 customers’ details and over 44,000 credit card numbers.

In what they claim as their first release, a group calling themselves The Consortium (@Th3Consortium on Twitter) described the hack:

You see for a while now we have had access to digitalplayground.com, one of the five biggest porn sites in the world.
But it doesn’t need any introduction from us.

This company has security, that if we didn’t know it was a real business, we would have thought to be a joke – a joke that we found much more amusing than they will.

“This site has so many freaking holes that if I didn’t know it was a porn site, I would have mistaken it for a honeypot” – [Redacted]

We did not set out to destroy them but they made it too enticing to resist. So now our humble crew leave lulz and mayhem in our path.
We not only have the 72k users of this site but also over 40k plaintext credit cards including ccvs, names and expiry dates.
If you want to hear more about those plaintext credit cards scroll through the MySql info further down. And of course as this is a porn site
there was no shortage of .mil and .gov emails in their user list.

We also went on and rooted four of their servers, as well as gaining access to their mail boxes. Using credentials from emails
we tapped into their conference call. “Is anyone besides David on the line ?” – We were. Did we win? Sure looks that way.

Digital Playground game over.

Thankfully for the 72,794 users whose usernames, e-mail addresses and plaintext passwords were reportedly acquired, the hackers did not dump all of the data they claim to have acquired, but if they are possession of the data, that alone is cause for concern. They posted a smattering of the personally identifiable information they acquired:

■27 admins’ names, usernames, e-mail addresses, and encrypted passwords
■28 admins’ names, usernames, e-mail addresses, and encrypted passwords (some overlap with previous table)
■85 affiliates’ usernames, plaintext passwords, and in some cases, IP addresses
■100 users’ e-mail addresses, usernames (same as e-mail addresses) and plaintext passwords, and
■82 .gov and .mil e-mail addresses with corresponding plaintext passwords
They did not dump the 44,663 credit card numbers that they claim to have acquired, but note that card numbers, card expiration date, cvv and all customer billing address and contact info were in plain text. They provided two redacted versions of named customers as proof of that.

Clearly, if their claims are true (and I have no reason to disbelieve based on what they posted), this is bad. Really bad. So much personal information stored in clear text? Seriously? From Digital Playground’s Privacy Policy:

1. Information Security

Digital Playground, Inc. is dedicated to the protection of Site users’ information. To prevent unauthorized access to information provided to us, the Company uses a number of generally accepted industry standard procedures designed to effectively safeguard the confidentiality of your personal information. These procedures include secure server location, controlled access to data and equipment, robust redundant firewall software, network monitoring, adaptive analysis of network traffic to track and prevent attempted network intrusions and other network abuse and appropriate employee training in the area of data security. We shall continue to take reasonable steps to provide effective data protection at all times, however, because no security technology can provide invulnerability to information compromise, the Company cannot, and does not, guarantee the security of any information that you transmit to us or to any third party affiliated with the Site.

Apparently their dedication doesn’t extend to encrypting customer data or PCI DSS compliance.

At the time of this posting, DP’s homepage returns an error message. They have not yet responded to an inquiry I sent them this morning about the claimed hack.

h/t, Dump Centa

Update: The web site is back up with no notice and I’ve received no response to my inquiry yet. Interestingly, Digital Playground is operated by Manwin – the same firm that operates the Brazzers and YouPorn web sites that were recently in the news when they were hacked. According to Manwin’s statement in the previous reports, this site appears to have had less security than Brazzers, as in that case, user passwords were reportedly encrypted and credit card data were not compromised.

[Roald]

WOW thats must hurt them big time

[DamianJ]

Thanks DVTimes for posting the news after the OP already told us.

Useful as ever.

[anexsia]

Quote:

Originally Posted by DamianJ

Thanks DVTimes for posting the news after the OP already told us.

Useful as ever.

[DWB]

Last big security breach I remember like this was about 2 years before Manwin was born, on a system Nathan created.

Fast forward to Manwin owning the internet, then comes another big security breach on a site Nathan owns, after his biggest tube and Brazzers forum were hit.

Some guys have all the luck.

Looks to me like someone has a bone to pick with the guy / his company.

[ladida]

Quote:

Originally Posted by DWB

Looks to me like someone has a bone to pick with the guy / his company.

Nah. He's just big enough to make it into the news. Truth is that that site was breached for years, but noone cared. Most of the companies don't care even if they know it, until it hits the news. This consortium crap is probably some kids that want the fame after someone posted DP info elsewhere. Seen this MO far too many times. People just don't care until it hits the news.

Swiftwill is on the case now, i'd like to see it happen now.

[Hermes]

Quote:

Originally Posted by ladida

Quote:

Nah. He's just big enough to make it into the news. Truth is that that site was breached for years, but noone cared. Most of the companies don't care even if they know it, until it hits the news. This consortium crap is probably some kids that want the fame after someone posted DP info elsewhere. Seen this MO far too many times. People just don't care until it hits the news.

Swiftwill is on the case now, i'd like to see it happen now.

Most of the sites on the net get breached at one point or another, especially pron sites. But yeah vast majority of cases won't ever hit the public news, either the breach was not done by some attention seeking kids or the site was not big enough.

But a good reminder that it's not safe to use the same password in any place that you consider important, or the same email everywhere. And storing full cc info doesn't sound like a good practice.

And there do seem to be some common patterns in the recent news around this subject, manwin.. anonymous...

[CaptainHowdy]

That's what you get for paying for porn ...

[ladida]

Quote:

Originally Posted by Hermes

Most of the sites on the net get breached at one point or another, especially pron sites. But yeah vast majority of cases won't ever hit the public news, either the breach was not done by some attention seeking kids or the site was not big enough.

But a good reminder that it's not safe to use the same password in any place that you consider important, or the same email everywhere. And storing full cc info doesn't sound like a good practice.

And there do seem to be some common patterns in the recent news around this subject, manwin.. anonymous...

I've seen site owners that have ignored breaches completely. Only time they care is if it's made public. Also, it's quite laughable how these fame seeking kids claim "5th largest porn site with 72k users". From what i read in the release, that seems like a database with members from several years back, and if it held only 72k users, it's pretty fucking small. That would amount to few k active subscribers.

[Lykos]

Strange things going on lately

[V_RocKs]

Sucks....

[AdultEUhost]

the title is kind of fucked up

makes one believe Digital Playground hacked credit card data which got stolen afterwards

[Brujah]

Maybe it is pretty old, the emails they posted were from 2009/2010.

[DVTimes]

i wonder why they did not email webmasters to tell them.

[DVTimes]

Quote:

Originally Posted by DVTimes

the fhg were not working for me.

http://join.digitalplayground.com/ga...AyMzY2LjAuMC4w Winne FHG
http://join.digitalplayground.com/ga...AyMzQ5LjAuMC4w Kissing Cousins FHG
http://join.digitalplayground.com/ga...AyMTc5LjAuMC4w Jesse Jane Red MooMoo
http://join.digitalplayground.com/ga...AyMTc4LjAuMC4w Jesse Jane Topless Yellow Thong

they still are not working.

[NaughtyRob]

I hate when this shit happens. It makes surfers lose trust even more in joining paysites.

[AsianDivaGirlsWebDude]

From AVN:

Quote:

UPDATED - DigitalPlayground.com Victim of Huge Security Breach
Mar 07th, 2012

VAN NUYS, Calif.?DigitalPlayground.com, the flagship website of its namesake studio, was the subject of a massive security breach from a hacking collective calling itself TheConsortium, which exposed more than 73,000 email addresses, usernames and passwords of the site?s members.

DigitalPlayground.com is the third Manwin property to fall victim to hackers in short succession. YouPorn.com and the Brazzers forum also were recently hacked, but no credit card data was involved, making this breach particularly concerning.

?We did not set out to destroy them but they made it too enticing to resist,? the hacking group posted. ?So now our humble crew leave lulz and mayhem in our path. We not only have the 72k users of this site but also over 40k plaintext credit cards including ccvs, names and expiry dates.?

AVN obtained a copy of the database allegedly obtained by the group, and it contains email addresses, usernames and passwords for 73,342 people. Various versions of the list have been posted to online message boards.

The hackers did not dump all the information they claim to have acquired, but did post two redacted versions of credit card info from customers that correspond to the customer list, according to DataBreaches.net.

According to Th3Consortium, it hacked 27 admins? names, usernames, e-mail addresses, and encrypted passwords; 85 affiliates? usernames, plaintext passwords, and in some cases, IP addresses; and 82 .gov and .mil e-mail addresses with corresponding plaintext passwords.

DigitalPlayground.com currently is online but not accepting new members and its members area is temporarily inacessible. JesseJane.com, a Digital Playground-run site, is not resolving at this time.

The scope of this hack raises many questions, such has how the hackers were able to obtain credit card information since all the billing for membership to DigitalPlayground.com appears to be done through a third party processor.

Currently, all billing inquiries are being directed to a third party processor called Net Support. AVN called the number and was told that the company was brought on to deal with the aftermath of the breach, and that all members who try to log on to DigitalPlayground.com are being directed to customer support.

Previously, it looks as if Digital Playground used NATS, and within that program worked with a cascade of billers that included DHD Media, CCBill, NETBilling, Epoch and NetCash. The number of processors raises additional questions regarding the ability of hackers to attain the 44,000 complete credit card numbers that is being claimed.

UPDATE

Digital Playground has issued the following statement to AVN:

Due to an alleged security breach, Manwin elected to temporarily shut down Digital Playground, and related websites, on March 5, 2012.

Manwin officially took over Digital Playground and related assets on March 1, 2012, and according to allegations, the potential breach may have occurred prior to that date.

The safeguard and non-disclosure of private and confidential information is always a priority at our company, and management is supervising all aspects of this situation.

In addition, our customer service department has been in contact with Digital Playground members to inform them of the next steps.

Customers will not be billed while the site is inactive, and have been offered free access to a Manwin owned property of their choice during this time period.

Digital Playground.com Victim of Huge Security Breach

Some fairly prompt damage control with regards to the Members. I hope that they catch the culprits.

ADG

[19teenporn]

Good, DP rejected me as an affikate. Fuck DP!

[mikesouth]

Hey Theo....Yer welcome LOL....

[journalism]

WOW!! Get those cards and bang them all!! hahaha!! What a big loss! Kidding!!

[Barry-xlovecam]

This is a Trifecta of very disturbing news.

[gabe100]

From DP's Twitter:

We made the movie Pirates, but fight internet pirates...

Reading the damage last night how they attacked every single server one by one and laughed about. Amazing.