SextPanther Exposed Thousands of Models’ IDs

SextPanther, the popular sexting website, has exposed thousands of photo IDs belonging to sex workers who earn commissions via the site, TechCrunch has reported.

The Arizona-based company stored over 11,000 identity documents on an exposed Amazon Web Services (AWS) storage bucket, including passports, driver’s licenses, and Social Security numbers, without a password.

SextPanther states on its website that it uses to verify the ages of models who users communicate with.

The exposed pedigree documents contain legal names, home addresses, dates of birth, biometrics, and the sex workers’ photos.

Recently, we reported on a similar cache of highly sensitive personal information of sex workers on adult webcam streaming site, PussyCash, in which ore than 850,000 documents were insecurely stored in another unprotected storage bucket.

And iWantClips recently admitted that one of its employees “inadvertently” emailed a .zip file containing 1099 tax documents for all performers from the year 2017 to an IWantClips model.

TechCrunch notes of the exposed SextPanther data:

Although most of the data came from models in the U.S., some of the documents were supplied by workers in Canada, India, and the United Kingdom.

The site allows models and sex workers to earn money by exchanging text messages, photos, and videos with paying users, including explicit and nude content. The exposed storage bucket also contained over a hundred thousand photos and videos sent and received by the workers.

It was not immediately clear who owned the storage bucket. TechCrunch asked U.K.-based penetration testing company Fidus Information Security, which has experience in discovering and identifying exposed data, to help.

Researchers at Fidus quickly found evidence suggesting the exposed data could belong to SextPanther.

An hour after we alerted the site’s owner, Alexander Guizzetti, to the exposed data, the storage bucket was pulled offline.

“We have passed this on to our security and legal teams to investigate further. We take accusations like this very seriously,” Guizzetti said in an email, who did not explicitly confirm the bucket belonged to his company.

Using information from identity documents matched against public records, we contacted several models whose information was exposed by the security lapse.

“I’m sure I sent it to them,” said one model, referring to her driver’s license which was exposed. (We agreed to withhold her name given the sensitivity of the data.) We passed along a photo of her license as it found in the exposed bucket. She confirmed it was her license, but said that the information on her license is no longer current.

“I truly feel awful for others whom have signed up with their legit information,” she said.