Hacker claims to have breached Pornhub, but Pornhub says it’s a hoax

Just days after Pornhub announced a bug bounty program, a 19-year-old hacker claimed to have breached the site—and he was selling access to others for $1,000. 

The hacker and self-described “underground researcher,” who goes by 1x0123 on Twitter, shared two screenshots as proof of his hack into the Pornhub servers. The images purport to show 1x0123 was able to upload a shell through which he could issue commands on Pornhub’s server. 

https://twitter.com/1x0123/status/731622179922706432

https://twitter.com/1x0123/status/731625184457818113

1x0123 claimed on Twitter to have exploited a vulnerability in the user profile script that handles image uploads. He was allegedly able to upload a shell through the exploit, which allowed him to browse the server and inject commands. He offered anyone access through the hole in the server for $1,000.

Selling access served as a slight to Pornhub, which recently launched a bug bounty program designed to invite hackers to search the site for vulnerabilities and offered cash rewards for finding them. Pornhub offers between $50 and $25,000 to hackers and bug seekers who report potential problems on the site.

1x0123 decided to forgo the bounty program and try to generate cash—likely less than would be offered from the bounty program—through the exploit, stating on Twitter, “i don’t report vulnerabilities anymore go underground or go away #FuckBugBounty.”

Motherboard reported 1x0123’s disdain for bug bounty programs comes from previous bad experiences. According to the hacker, he has reported previous bugs and received no reply—and no payment—from companies.

Others have levied similar complaints about bug bounty programs in the past; after Uber launched its bug-squashing initiative earlier this year through HackerOne—the same platform Pornhub uses for its program—users claimed that Uber changed the scope of what they were looking for, essentially disqualifying the bugs found after they were reported.

1x0123 has a history as a noteworthy hacker and was behind a similar attack on the Los Angeles Times earlier this year; he was recently thanked on Twitter by Edward Snowden after reporting a vulnerability in open-source analytics platform Piwik to the Freedom of the Press Foundation.

Despite 1x0123’s reputable history, Pornhub has essentially denied that he ever had access to its servers. 

“The Pornhub team investigated the claim from the hacker named 1x0123. Our investigation proved that while those screenshots might look realistic to people without knowledge of the underlying infrastructure, the attack as described by the hacker is not technically possible,” a spokesperson for Pornhub told the Daily Dot. “This incident was merely a hoax and no Pornhub systems were breached during those recent events.”

According to a report from CSOonline, Pornhub engaged in communications with 1x0123, but it abruptly ended after the hacker provided conflicting information and ended the chat session with the company.

Pornhub’s account would seem to run counter to 1x0123’s, who claimed to have sold access to the porn site’s servers to three separate people. Reportedly, he offered to help Pornhub patch the vulnerability for $5,000; previously he told Motherboard he would help them fix it in exchange for a premium account.

The Daily Dot reached out to 1x0123 for comment but has not received a response. A recent tweet posted by the hacker may indicate that he isn’t interested in speaking on the topic. 

https://twitter.com/1x0123/status/732247146322382848

Pornhub would not comment when asked if any money was exchanged between the site and 1x0123.

Update 3:47pm CT, May 16: The hacker who claims to have breached Pornhub originally told Motherboard that he was 19. He later told Motherboard that he lied about his age and now refuses to disclose it. 

Update 12:44pm CT, May 17: 1x0123 told the Daily Dot that the issue he claims to have discovered on Pornhub has now been patched, but he sold access to three people when the vulnerability was available. The hacker claimed to have given Pornhub the “full details” about the exploit. “They claimed it was a hacked test server on same hosting they used and they deny it was hacked to cover up the story,” he said.

1x0123 claimed that he has hacked “big, high profile companies” before and “never in my life talked to a stupid fucking developers like Pornhub.” According to the hacker, he is unsure why Pornhub is trying to “cover up” the story, but doesn’t particularly care what the company says. “I already got money from it and people who purchased it are still happy and still in contact with them,” he said.

When asked if he could provide additional evidence of the hack, 1x0123 declined. He also declined to provide proof of the transactions to sell access to the supposed exploit, claiming he was protecting the identity of his clients. When asked if he received any payment from Pornhub for his help in supposedly fixing the vulnerability, he declined to comment but added, “How the fuck they gonna pay when they have stupid developers who claim there server cannot execute php? While the site is runing [sic] php.”

When presented with 1x0123’s claims that the hack was real, a spokesperson for Pornhub replied, “We deny that.” 

H/T CSOonline