The personal data of millions of pornography viewers – including many IP addresses, usernames and plaintext passwords – was left exposed for weeks by a Barcelona-based company after it left a database cluster wide open.

Researchers at security firm Condition:Black discovered the database cluster containing months-worth of daily logs, and account information of “camgirls” featuring on the websites, along with which videos users were watching.

As first reported by Techcrunch’s Zack Whittaker, the databases contained logs for Barcelona-based VTS Media, include amateur.tv — the 129th most visited website in Spain, according to Alexa traffic rankings.

Camgirl Database Included “Detailed Records” 

Whittaker notes: “The logs included detailed records of when users logged in — including usernames and sometimes their user-agents and IP addresses, which can be used to identify users. The logs also included users’ private chat messages with other users, as well as promotional emails they were receiving from the various sites. The logs even included failed login attempts, storing usernames and passwords in plaintext. We did not test the credentials as doing so would be unlawful.”

John Wethington, founder of Condition:Black.told Computer Business Review in a Twitter DM: “The database in this case was an ElasticSearch database cluster (3 systems)… We see all kinds [of exposed databases] with varying levels of security controls. The ones most often left insecure are MongoDB, ElasticSearch and Data “Buckets” like AWS S3. These typically have little to no actual security setup and can be accessed with a browser.”

VTS Media did not respond to a request for comment.

Charlotte, NC-based Condition:Black offers pen testing, SOC design and consulting and other services. It runs a “internet freedom and human rights through technology programme” with a global network of volunteers. 

There are now a eye watering 2.3 billion files exposed online, owing to such misconfiguration of commonly used file storage technologies, according to digital risk specialist Digital Shadows. That includes 98 million in the UK alone.

Read this: Colossal 2.3 Billion Files Now Exposed Online