Recently, security researcher Jeremiah Fowler discovered and reported to WebsitePlanet about two non-password protected databases containing over 18 million records. Upon further investigation, it was identified that these records belonged to a Brazilian escort service and application called Fatal Model.
I originally discovered an exposed cloud database that contained log records with references to Fatal Model, a website that claims to be the largest escort service in Brazil. The logging records revealed data related to both clients and escorts, including email addresses, account details, and device information. Upon further inspection of the logging records, I also found access keys and storage information of Fatal Model’s AWS storage account, which was also non-password protected. As an ethical security researcher I never bypass credentials or access password protected information. The database contained a massive amount of information, escorts’ images, and internal files, including application files and source code. This finding is a perfect example of how one data exposure can lead to the identification of other vulnerabilities or weaknesses in other areas of a company’s network.
The logging database was closed to public access the same day I discovered it, while the AWS database remained open until I sent a responsible disclosure notice. Later on, I received a reply from Fatal Model letting me know that the logging database was secured, yet the AWS bucket contained publicly available data. The technology team from Fatal Model was very professional and acted fast on securing the database.
According to their website: “The Fatal Model site was created in 2016 with the mission of empowering professionals in the adult market, breaking taboos about the profession and acting as a facilitator in contact with customers through technology. The platform is Brazilian and in 2020 it registered more than 100 million users and 275 million accesses”. What the database contained:
The logging database contained 14,669,275 records and had a total size of 19.17 GB.
The AWS storage cloud contained over 3,507,180 files and a total size of 700GB.
The AWS account had a folder named “2022”, there were 35,400 escort accounts with images and videos used for verification and advertising or service offerings.
In a folder named “2023”, there were an estimated 33,900 escort accounts with verification images, pictures, videos and in a limited sampling I didn’t see duplicates.
Additionally, the database contained application, install, and development files, admin access tokens, and user device information. It also showed email addresses, names, user ID numbers, and more.
This screenshot shows how a Fatal Model user’s email, phone number, and device information appeared in the log records.
This screenshot shows the structure of the URLs of their users’ admin panel that exposed the escort’s or customer’s name. Despite using a generic ID number to try and make the user anonymous, the URL contained potentially identifiable information.
This screenshot shows how the logging records exposed device details and internal records.
This screenshot shows what appears to be a verification image of an escort, depicting her face, name, and the date. This screenshot, provided in the context of highlighting data vulnerabilities, has had all identifiable features obscured to uphold privacy standards and ethical reporting guidelines.❮❯
Prostitution in Brazil has been legal since 2002 and is officially recognized by the Ministry of Labour and Employment’s Classification of Occupations. An escort service data breach can pose significant potential privacy risks to both the escorts and the clients. Escorts and clients assume some level of privacy when using the Fatal Models app and web services. Any data breach that exposes personal information, images, or other details could potentially lead to harassment or reputation damage. Hypothetically, cybercriminals could launch a blackmail or extortion campaign against escorts or clients by threatening to publicly expose sensitive or private information for financial gain.
The risk of exposed development and installation files can have numerous potential security and privacy implications. JavaScript files (.js) can contain client-side code, which might include sensitive information such as API keys, authentication tokens, or other additional credentials. Once this information is exposed, malicious actors could gain unauthorized access to systems or resources using the exposed credentials. The exposed SDK files could identify an organization’s technology stack, development strategies, and proprietary algorithms, potentially undermining the business and the users of their technology.
The internal database could also expose third-party software or other information about the network, which could identify known vulnerabilities, misconfigurations, or insecure practices to further compromise systems or launch future attacks. Another risk is that exposed development files could allow cybercriminals to inject malicious code into the leaked files or replace them with compromised versions. This could allow the distribution of malware, viruses, or other malicious scripts when users download the compromised files. It could happen unknowingly to both users and the developers of Fatal Models. I am not implying or assuming that anyone else gained access to these records and only an internal forensic audit would identify who accessed the exposed data.
Fatal Models uses advanced technology to verify the identity of escorts and clients, ensuring they are real people and not fake accounts. This suggests that the records, images, and contact details exposed in the database belong to real individuals. The files indicate that users were verified by a biometric software company, which specializes in recognition technology that authenticates individuals based on their facial features.
The findings and observations mentioned in this article are purely based on the data available at the time of our investigation, and we do not imply or infer any kind of intentional misconduct or negligence on the part of Fatal Models. We also imply no wrongdoing by Fatal Models and only publish our findings to raise awareness and promote cyber security best practices. Our goal is to advocate for stringent cybersecurity practices across the digital landscape. Experiencing a data breach as a customer can be unsettling, but being informed and understanding the potential risks can help you handle the situation. I hope my discovery and report helps raise awareness among those individuals who suspect that their data may have been exposed and be aware of any suspicious activity on their accounts or identity.
Here are three steps you can take after you were involved in a data breach.
Monitor Other Important Accounts: Regularly reviewing login details or IP locations can help you identify suspicious activity or attempts to access your account. Make sure to review your financial and bank accounts for unauthorized charges or other types of suspicious activity. Also, keep in mind that compromised social media accounts can be used to log in to other applications or services and can put your contacts at risk, so it’s important to monitor them, too.
Update Your Passwords: If you were the customer of a company that had a data breach, there is a chance your login credentials, usernames, and passwords were exposed. I would advise to change your passwords both in the compromised account and on any other one that may be connected. Be sure to enable Two-Factor Authentication (2FA) for an additional layer of security and never reuse passwords. If you need to, you can use a password manager to help keep track of your login details for each account
Threats of Phishing: Any data breach can be a gold mine for scammers and cybercriminals. After a large number of emails and other personal information is leaked or exposed, criminals could send out messages to customers or employees, pretending to be from the company that had the data exposure. I recommend that you be cautious of unsolicited emails that request personal information or contain suspicious website links. As a general rule, never give your personal data or payment information via phone or email.
Jeremiah Fowler is a Security Researcher and co-founder of Security Discovery. Jeremiah began his career in security research in 2015 and has a mission of data protection. He has helped identify and secure the data of millions of people around the world. His discoveries have been covered in Forbes, BBC, Gizmodo, among others. Security and responsible disclosure are not only a passion, but a way of protecting our digital lives.
Thank you, - your comment was submitted successfully!
We check all user comments within 48 hours to make sure they are from real people like you. We're glad you found this article useful - we would appreciate it if you let more people know about it.
Share this blog post with friends and co-workers right now:
Thank you, , your comment was submitted successfully!
We check all comments within 48 hours to make sure they're from real users like you. In the meantime, you can share your comment with others to let more people know what you think.
Thank you for signing up!
Once a month you will receive interesting, insightful tips, tricks, and advice to improve your website performance and reach your digital marketing goals!
So happy you liked it!
Share it with your friends!
Or review us on
3136955
50
5000
64936132
This page isn't yet translated into . If you wish to volunteer and translate it, please contact us using the contact us page
