If you happen to have an account with the website EscortReviews.com, you'd better change your password right away. A database containing information on more than 472,000 site members has been posted online, reports Bleeping Computer (opens in new tab).
The database includes usernames, email addresses, IP addresses and account names for Yahoo, MSN and Skype, all of which could be used to identify members. (Members don't have to use their real names.)
- Woah face: Cyberpunk 2077 shuts down sex with Keanu Reeves
- The best identity-theft protection services
- Plus: 3.2 billion emails and passwords exposed online — what to know
The account passwords were encrypted using the MD5 "hash" algorithm, which dates from 1992 and is no longer considered safe to use. Passwords hashed using MD5 can often be easily decrypted and should be regarded as compromised. Cracked passwords could be used to hijack accounts.
EscortReviews.com is a user-driven online forum on which escorts — i.e., sex workers — in the United States and Mexico post information about themselves and their customers write about the quality of their experiences with the sex workers.
The site is currently offline, but archived versions of some of its pages are on the Internet Archive's Wayback Machine.
The most recent cached EscortReviews front page, from November, promises that "We have something for you, whether you're a male member seeking out new friends or a new lady on the scene looking to take advantage of our many opportunities to network, make new friends, or connect with people."
Bleeping Computer noted that the website was using an old version of the vBulletin forum software that's known to have security flaws and hasn't been supported since 2017 (opens in new tab). It wasn't clear whether the site itself had been breached, or an online backup of the database had been accessed.
How to make sure this doesn't happen to you
Needless to say, whether you're a sex worker or a customer, you don't want the information exposed by the EscortReviews.com data breach to be linked to your real-life identity. We hope you've taken precautions beyond just using a unique, strong password.
If you're signing up for an account with a service of dubious legality, a service that might result in a lot of embarrassment, or, in the case of many sex workers, a service that might put you in physical danger if your real name is revealed, then you've got to pre-emptively cover your tracks.
Use a burner email address that won't be used for any other account. Create a username you've never used anywhere else. (Many hackers committing online crimes have been caught because they reused usernames.)
Don't connect your account to accounts with other services. Use one of the best VPN services to mask your computer's IP address, but keep in mind that most consumer VPNs log user activity.
We'd normally tell you to use one of the best password managers to keep all your passwords straight, but in this case it might not be a good idea. Having an entry for EscortReviews.com in your password vault might raise suspicions if a friend, roommate or spouse found out.