Some former OnlyFans support staff still had access to user data, including sensitive financial and personal information, even after they stopped working for the company used by sex workers to sell nudes and porn videos.
According to a former OnlyFans employee who requested to remain anonymous because they feared retaliation, some former employees still had access to Zendesk, a popular customer service software used by many companies, including OnlyFans, to track and respond to customer support tickets, long after they left the company. OnlyFans uses Zendesk to respond to both users who post content and those who simply pay to see that content. Motherboard was able to corroborate this with access from more than one former employee.
According to the source and OnlyFans users who spoke to Motherboard, depending on what a user is looking for help with, support tickets may contain their credit card information, driver’s license, passports, full names, addresses, bank statements, how much they’ve earned on OnlyFans or past, Know Your Customer (KYC) selfies where the creator holds ID next to their face for verification, and model release forms.
This source showed Motherboard the access they still have, long after they stopped working for OnlyFans.
“It’s a shame that they have this great company and feel they can play with people’s lives like that,” said the former employee. “There is already so much that they have issues with and privacy shouldn’t be one of them. Everyone on this platform, especially sex workers, needs to have their information safe and secure. That is not the case.”
When a creator creates a profile, OnlyFans support assures users that “the verification process is strictly confidential and that this information is not shared with anyone,” according to a support email received by Motherboard during the creation of an account.
Motherboard emailed the general media inquiry email address of OnlyFans and specific representatives multiple times, and sent direct messages to two OnlyFans Twitter accounts, but the company did not respond to our request for comment on a potentially very serious security risk.
Allowing a former employee to access users’ personal information would pose a risk to user safety on any service, but sex workers and adult entertainment artists are particularly at risk as they are often targeted because of the stigma surrounding their profession. For people who only use OnlyFans to pay for content, the leakage of personal information can be particularly dangerous as that information could be used to blackmail them. Motherboard has repeatedly reported on “insider threats,” where employees of technology companies use their privileged access to data to inappropriately spy on users or colleagues. This happened at Facebook, Snapchat, hacking company NSO Group, Amazon-owned surveillance company Ring, and many other companies. It is particularly dangerous for former employees to retain privileged access to sensitive data.
“Like any platform, you have to be careful, but we’re often the last to know when it comes to hacks or data leaks,” one OnlyFans creator, who requested anonymity because they are still using the platform, told Motherboard. “At the end of the day, all platforms come with some risk and as much as I can advise other creators on how to protect their sensitive data, there isn’t much we can do if the leak is from the platform itself.”
In 2016, 800,000 Brazzers accounts were exposed in a data breach. In 2019, the personal data of more than one million users of the porn site Luscious was exposed in a security breach. And in 2020, researchers discovered a data leak of models’ personal information from a vulnerability in PussyCash.com, a company that owns several adult websites, including ImLive.