Spanking, handcuffs, bondage: the sexual preferences of 20,000 French people leak from a forum

by admin-kervin

[Numerama investigation] The BDSM chat and dating site Domi left the data of 20,000 users unprotected. A hacker could have obtained the details of victims’ sexual preferences and used them to harass or blackmail them. Numerama traced the leak back to the party responsible: the strange BD Multimedia group, whose activity is split between adult sites and financial services.

Rarely has a data leak revealed so much about the intimate lives of its victims. At the end of 2019, all of the data from more than 20,000 French users of the BDSM chat and dating site domi[.]com was exposed without protection, without the site having been subjected to a cyber attack. In this leak, which Numerama examined after being alerted by a source who wishes to remain anonymous, there were more than twenty lines of information for each person. Above all, these lines contained details of their sexual preferences.

Domi proudly displays its status: “”. The claim is debated by specialist blogs on the subject, but the dating forum has existed since the Minitel era and claims more than 38,000 registered members on its home page.

Domi recently launched a new version of its site, which is also accessible on smartphones. // Source: Louise Audry for Numerama

To understand the severity of the leak, you have to understand what BDSM is. The acronym (for bondage, discipline, sado-masochism) covers a set of sexual practices and games built around relationships of domination and submission, fetishes, and the use of accessories (rope, whip, clamps…). BDSM practitioners have framed their activities with codes to ensure the safety and consent of all parties, but their practices are still considered “on the margins”. A majority of them therefore prefer to keep their preferences private, often anonymously.

In the wrong hands, the data from the leak could fuel blackmail under threat of disclosure, discriminatory behavior or targeted harassment. It is easy to imagine a scenario in which a blackmailer threatens to reveal a user's practices to family, colleagues or neighbors.

  

The leak, discovered in the summer of 2019, was not fixed until January 2020. The BD Multimedia company, publisher of Domi and legally responsible for the leak, did not respond to any of our repeated contact requests during several weeks of investigation.

Details of sexual preferences easily accessible

At registration, Domi asks you to fill in several pieces of intimate information. First, the gender: man, woman, couple, “trans / trav” (sic). Then comes marital status (married, civil partner, single, etc.), followed by “” (“hetero”, “homo / lesbian”, “bi-sexual”).

Finally, two successive screens invite you to go into detail on sexual preferences, while leaving the possibility of remaining vague. The site first asks whether you prefer games of submission, domination, or both. Then it asks you to select 6 sexual preferences from a list of 22 choices: bondage, spanking, maid, candles, pony-girl…

In its registration form, Domi requests all kinds of intimate information. // Source: Louise Audry for Numerama

All the data entered in the registration form is part of the leak, because the two servers on which it was stored were not protected. Anyone could therefore consult them from a web browser (Firefox, Chrome, Edge, etc.): all you had to do was enter the server address (a series of numbers separated by dots) in the address bar.

Very precise personal data

Not only was this sexual information not protected, but it was accompanied by exceptionally precise personal data: username on the site, email address, date of birth, exact GPS coordinates of the postal address and gender. With this cocktail of data, it is very easy to infer other information, such as a person's identity. Some users also sign up with an email consisting of their real first name, last name and department, in the form. Others have given an email that does not reveal their identity, but it is possible to find it by searching for that email in other leaked databases. Alternatively, other people's names can be traced from their address with a simple directory search.

As for the username present in the leak, it allows the victim to be linked to other services that they use, and so to learn more and more about them. To complete the picture, the IP address, the account creation date, the last connection date, and the number of public and private photos uploaded to the site are also included.

Domi combines the most intimate data with very precise personal data. // Source: Louise Audry for Numerama

If an attacker has got their hands on the leak, they therefore have extremely precise data to blackmail or harass users, and several means of contact. The database can also be sold and then exploited by other cybercriminals for larger-scale attacks.

It remains to be seen whether anyone other than our source has had access to the database. Several tools exist to detect connection attempts to a company's systems, but they have to have been put in place.

A common leak, very easy to spot

The leak came from one of the most common sources of exposure: port 9200 on two Elasticsearch servers. As we explained in a previous investigation, this technology, which is very practical for analyzing data, is a real headache to protect. Port 9200 can end up open, by oversight or after configuration changes, instead of being closed off behind a password or other protections.

On the other hand, this type of leak is very easy to spot: during an audit (or an attack attempt), the hackers will start by scanning the ports of the site's servers, before even launching a script. And since Elasticsearch's port 9200 is known to be poorly protected, it will be detected during this reconnaissance phase.

If someone had tried to get their hands on Domi’s data, they could have done so easily. But since the site is little known and has only a small number of users, it may have escaped notice.
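As an added example (not from the original article and not based on Domi's actual configuration), this Python check reads an `elasticsearch.yml` and flags the combination behind this kind of leak: the HTTP API bound to a non-loopback address while authentication is off. The sample configs are constructed, only flat dotted keys are parsed, and a missing `xpack.security.enabled` is treated as disabled, which was the default before Elasticsearch 8.0.

```python
import ipaddress

# Constructed sample configs, for illustration only.
EXPOSED_YML = """\
cluster.name: forum-search
network.host: 0.0.0.0      # listens on every interface
http.port: 9200
"""
HARDENED_YML = """\
cluster.name: forum-search
network.host: 127.0.0.1
http.port: 9200
xpack.security.enabled: true
"""

def parse_flat_yaml(text):
    """Parse flat 'dotted.key: value' lines (assumption: no nested YAML)."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def is_loopback(host):
    if host in ("localhost", "_local_"):
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False   # hostname or value such as _site_: assume reachable

def audit(text):
    """Return a list of findings; an empty list means no exposure found."""
    cfg = parse_flat_yaml(text)
    host = cfg.get("http.host", cfg.get("network.host", "localhost"))
    port = cfg.get("http.port", "9200")
    # Assumption: absent setting means disabled (pre-8.0 default).
    auth = cfg.get("xpack.security.enabled", "false").lower() == "true"
    exposed = not is_loopback(host)
    findings = []
    if exposed:
        findings.append(f"HTTP API bound to {host}:{port}, reachable off-host")
    if not auth:
        findings.append("xpack.security.enabled is not true: no authentication")
    if exposed and not auth:
        findings.append("CRITICAL: unauthenticated API exposed to the network")
    return findings
```

When the API must be reachable from other machines, binding to loopback is not an option; the check then only passes on authentication, and a firewall rule restricting who can reach port 9200 remains a separate control.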

And that is precisely what is at stake in this case: the publishing company did not want to be linked to the flaw.

Domi, well hidden under the carpet of a financial services company

Numerama traced the leak back to the party responsible, to find out whether the users had been warned, as provided for in the General Data Protection Regulation (GDPR). To find who is responsible for Domi, you have to look up the name of its publishing company in its legal notice.

This is BD Multimedia, a company created in 1986 and listed on the stock exchange for 23 years, which has ventured into a whole range of activities: it started during the Minitel era on the 3615 market, then moved on to telecoms, paid games and print communication.

When our source contacted the company on November 7, 2019 to warn them of the leak, of which they were already aware, an interlocutor replied that the site did not belong to them, which is false. Since 2017, BD Multimedia has planned to put its past behind it and move its adult-site activity into a separate structure. But it still has not done so.

BD Multimedia provides an organizational chart on its site. While it lists all its financial services brands, it does not mention Domi. // Source: Numerama screenshot

On its official website, the group now calls itself a “fintech”, one of those startups that intend to shake up the world of finance and banking with cutting-edge technology. BD Multimedia has only had this storefront since 2015, when it obtained approval as a hybrid payment institution. In 2017, Jim Dorra, son of former CEO and company co-founder Daniel Dorra, planned to capitalize on the momentum of the sector. He then did the rounds of the media in order to attract investors.

The group was in bad shape: its turnover had been divided by five in four years, and the manager hoped to revive the family business with a fundraising of 7 million euros. But he failed to raise the money, and the company had to cut almost half of its workforce.

Domi is part of a small sex empire in bad shape

Whether on its website or in its financial reports, BD Multimedia barely mentions one of its historic activities, the publishing of websites. Yet in the Minitel era the group built a small sex empire. Its flagship was then Gayplanet, a dating site for gay men that closed in 2017. While that site did not survive, others carry on.

Domi’s publisher also publishes Coquincalin, another dating site. // Source: Louise Audry for Numerama

BD Multimedia still manages Démonìa, one of the best-known French BDSM and lingerie stores. Until recently, the group also published four forums for dating and sexual exchange: domi[.]com, coquincalin[.]com, swingers[.]com and dominated[.]com. Each forum has a slightly different target audience: swinger, BDSM fan, libertine… To take advantage of the platform, you soon have to get out your bank card. In the case of Domi, expect to pay between 8 and 12 euros per month for Domi Premium, which gives access to message history, an unlimited number of searches and all of the profiles, including private photos.

These four sites, left practically without maintenance during the 2000s, have aged badly. In 2015, BD Multimedia therefore decided to dust off this part of its business and chose Domi as its new storefront. Development of the platform was launched in 2016, but it quickly stalled. Started internally, the project was then entrusted to a subcontractor, a digital services company (ESN).

According to one of our sources, relations between the two companies soured very quickly, and this conflict reportedly affected the site's security standards. BD Multimedia nevertheless ended up deploying a new version of Domi, the one that is online today, despite a significant departure from its initial ambitions. Contacted, the subcontractor did not respond to our requests for comment.

Domina and Echangisme.com are also being redesigned. // Source: Louise Audry for Numerama

Domi is not the only site waiting for a facelift. On swingers[.]com, as on domina[.]com, a message announces: “”. But this facelift is overdue.

In its latest financial report, BD Multimedia indicates that its publishing and community site activity brought in €665,000 in the first half of 2019, which represents 13% of its turnover. “” the company explains to its shareholders.

In other words: protecting its users was not a priority.

What if I am a Domi user?

The data was vulnerable for at least several months, but there is no evidence that an attacker took it. However, that possibility cannot be ruled out: be especially wary of suspicious emails that you may receive and, above all, change your passwords if you use the same credentials on other sites.

The leak is now repaired – a solution was provided between the end of December 2019 and the beginning of January 2020 – and your data is therefore no longer directly exposed. If you no longer want your data to be on the forum, you can request that the company delete all traces of your data on its servers. This provision is taken into account by Domi in its “Personal data” section: “”

Front photo credit: Pixabay / CC
