Members of the porn site xHamster should be changing their passwords today after a set of nearly 380,000 usernames, emails and poorly hashed passwords appeared online.
The subscription-only breach notification site LeakBase has published the set of login credentials, which Motherboard reports were being traded online. It’s not clear exactly where the database originated, but it contains information for only a small subset of xHamster’s 12 million registered users. While xHamster doesn’t require viewers to register with the site, those who do can comment and make video playlists.
Still, the leaked information has the potential to embarrass users — several of the accounts are linked to U.S. Army and other government email addresses. If xHamster’s subscribers reused their passwords on other sites, their accounts on those sites are at risk of compromise, as well.
“The passwords of all xHamster users are properly encrypted, so it is almost impossible to hack them. Thus, all the passwords are safe and the users' data secured,” an xHamster spokesperson told Motherboard.
But according to LeakBase, the passwords were hashed with the MD5 algorithm, which is considered insecure. “MD5 hashes are trivial and easy to crack,” LeakBase said. “The fact they think the hashes are secure is a blatant example of the faulty security placed in companies even to this day.”