Hackers Collect £15,000 For Pornhub Exploit

Three security researchers have collected more than $20,000 (£15,000) in bounties after gaining access to the inner workings of a major pornography website, including sensitive data on its users.

The hackers, one of whom is a software engineer intern at Google, were awarded $20,000 under a bounty programme run by Pornhub, and another $2,000 from the Internet Bug Bounty programme for finding two serious flaws in PHP in the course of their activities.

Database access

Ruslan Habalov, a security researcher and Google intern, carried out the complex hack along with penetration tester Dario Weißer and a third individual using the handle cutz, Habalov said in a detailed blog post.

The attack, carried out in May, would have allowed hackers to copy the site’s complete user database, track user behaviour, leak the source code of all the sites hosted on the server and gain root access to the system, Habalov said.

“Due to the nature of our attack we would have also been able to execute other commands or actually break out of PHP to run arbitrary syscalls,” he wrote.

The site fixed the issue immediately by changing the behaviour of PHP, and the two PHP bugs were fixed in late June, according to Habalov.


The exploit demonstrates the continued vulnerability of major websites and the user data they hold to less scrupulous hackers, who have in recent weeks leaked data on hundreds of millions of users of sites including LinkedIn and MySpace.

The password data from LinkedIn has since been used to breach other accounts held by prominent individuals, including Facebook chief executive Mark Zuckerberg, who used the same password on multiple services.

Another recent hack affected about two million users of Ubuntu Linux’s user forums.

Are you a security pro? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

AT&T Admits Data Breach Impacted “Nearly All” Customers

American telecommunications giant AT&T admits that “nearly all” customer accounts were compromised in 2022 breach

13 hours ago

Elon Musk’s X Breached DSA Rules, EU Finds

X's Blue checks 'used to mean trustworthy sources of information. Now our preliminary view is…

17 hours ago

Japan’s SoftBank Acquires AI Chip Start-up Graphcore

SoftBank Group has purchased another British chip firm, with the acquisition of Bristol-based Graphcore Ltd…

18 hours ago

Samsung AI-Upgraded Bixby Voice Assistant Coming This Year

Samsung reportedly confirms it will launch the upgraded voice assistant Bixby this year, that will…

1 day ago

Next Neuralink Brain Implant Coming Soon, Says Musk

Despite an issue with first Neuralink implant in a patient, Elon Musk says second brain…

1 day ago

EU Accepts Apple’s Legal Commitments To Open NFC Access

Legal commitment over Apple's NFC-based mobile payments system, which is to be opened to rival…

2 days ago