So far, the platform has leaked more than 14 million user accounts with more than 24 GB worth of files. The server is updating itself with new information every second.
Hjedd, an infamous Chinese adult content and NSFW platform has been exposing a treasure trove of user data online since at least July 2022. This was discovered by independent security researcher Anurag Sen who confirmed to Hackread.com that the server is still exposed and publicly accessible without any security authentication or password.
For your information, a database or server exposed without security authentication means anyone with a slight bit of knowledge about finding unsecured databases on Shodan and other such platforms can have complete access to Hjedd’s user data.
According to Sen and as seen by Hackread.com, the exposed data includes the following:
- Usernames
- Nicknames
- Phone Numbers
- Member Details
- Users’ Comments
- Email Addresses
- Bcrypt Hashed Passwords
- Login Ip address and details
- Messages between Users revealing Private contents
At the time of writing, Hackread.com can confirm that the leaky server comprises details of over 14 million users with more than 24 GB worth of records.
What’s worse, the data is frequently updated with details of new and already registered users.
Damage is Already Done
Sen alerted Hjedd on several occasions but the company has so far failed to respond or secure its server. However, Hackread.com can confirm that cybercriminals have already found their way to the server and leaked the database (apparently with 13.4 million users’ accounts) on a hacker forum that surfaced as an alternative to popular and now-seized Raidforums.
Potential Threat
According to the researcher, the information stored in this database is vulnerable to spam marketing and phishing campaigns. Leaving information like username, email, and Mobile number.
Also, its effects may cause physical damage. It can cause revealing identities for the forum members. The leaked passwords, on the other hand, are hashed but they can be matched with encrypted hashes of the password list to find the plain text password for the accounts.