YouPorn passwords available for download, thousands of users exposed

52 points by bleakgadfly about 13 years ago

18 comments

pstatho about 13 years ago
I'm CTO for Manwin Canada and ultimately responsible for YouPorn.

It's unfortunate that people are associating chat.youporn.com to the actual YouPorn.com site, but they are not affiliated at all. It was operated by a completely separate entity, which we've obviously closed as soon as we discovered it. The accounts on chat.youporn.com are different than the accounts on YouPorn. Though as was mentioned, it is probable that some have re-used the same username password combination that is highly unrecommended for all you folks out there (if you read Hacker News, you already know that).

As for password policies, I've been enforcing hashing of passwords ever since joining, though as we inherit a lot of old code and sites we correct issues such as that as we come across them.

I'll be around for a while, if anyone wants to ask questions.
rdl about 13 years ago
http://blog.youporn.com/youporn-data-not-exposed/

It was actually the passwords to YP Chat, not Youporn itself. The Youporn guys are pretty reasonable engineers and sysadmins, from what I've seen, and manage user passwords correctly.

Personally, I think in 2012, if you're not using a password manager to generate and manage unique, strong passwords per site, especially for "sketchy" stuff like porn sites, you're already doomed.

Also, Presidents Day and other minor useless holidays are great times for annual rituals like tracking down and changing any legacy shared passwords you may have. Don't wait for a breach!
pjscott about 13 years ago
How many sites need to be humiliated like this before people learn to hash passwords with something like bcrypt? It's like two damn functions. You just call them! It's so easy that even a baby squirrel could do it! There is no excuse.

Until then, I hope everyone is using a throwaway password for accounts that can be non-disastrously stolen, and using strong unique passwords for the important ones.
laconian about 13 years ago
Kudos on the double entendre in the title, intentional or not.
NelsonMinar about 13 years ago
Top 10 domains: 1469 yahoo.com / 1071 hotmail.com / 882 gmail.com / 205 hotmail.co.uk / 178 web.de / 136 gmx.de / 127 aol.com / 116 hotmail.de / 115 live.com / 104 hotmail.fr

Top 10 passwords: 110 123456 / 75 123456789 / 30 12345 / 23 melinda / 19 fuck / 18 1234567890 / 17 Nightmare / 16 allzen / 15 password / 15 anal

That's of about 6400 records.
ahel about 13 years ago
http://pastebin.com/yJ8JU45W
Kiro about 13 years ago
Everything was on http://chat.youporn.com/tmp/ completely open to the public so this is an even bigger screw-up than the fact that they didn't hash their passwords.
joejohnson about 13 years ago
Link to the password dump: http://pastebin.com/ieC6eTB7
rokhayakebe about 13 years ago
Why would anyone sign up for a porn site with their main email address? What baffles me even more is how some people actually whip out their credit card and give the digits to a porn site.
aaronpk about 13 years ago
Someone should make a site where you sign in with your Gmail account and find out how many of your contacts have youporn accounts.
te_chris about 13 years ago
And all this after all the press about them moving their entire stack to Redis etc etc. How can a company achieve such an epic technical feat and have shitty password hashing?
___Calv_Dee___ about 13 years ago
I don't understand how this makes it to Top News. I think at this point we are all well aware that no user-password store is impenetrable or invulnerable and porn websites would hardly be an exception. If you do not know by now that you should not be using the same password across multiple accounts, it seems like there is little hope. There is no lesson to be learned here. Is it not an implicit assumption that if you subscribe to a porn website someone is most likely going to find out one way or another?

1. Don't reuse passwords. 2. Don't subscribe to porn sites if you have something to lose from someone finding out.
jamesu about 13 years ago
This has been passed around a certain anonymous messageboard for the better part of a week now, I'm surprised Sophos has taken this long to write anything about it!
shadowed about 13 years ago
Bonus: it appears YouPorn has no way to change your password, nor any way to change (or even see) the email address that is associated with your account.
paul9290 about 13 years ago
Always good to have a throwaway email, username and password for sites like this and others you care little about.
mycodebreaks about 13 years ago
How do passwords get leaked? Does it mean they were stored in plain text?
verelo about 13 years ago
So who is going to be the first person to parse this out and determine what the most commonly used password is?

Any bets on asdfghjkl;' ??

I think I'll do this tonight
uvTwitch about 13 years ago
YouPorn: where everything is exposed.