Data breach exposes 470,000 sex workers and customers: What to do

If you happen to have an account with the website EscortReviews.com, you'd better change your password right away. A database containing information on more than 472,000 site members has been posted online, reports Bleeping Computer.

The database includes usernames, email addresses, IP addresses and account names for Yahoo, MSN and Skype, all of which could be used to identify members. (Members don't have to use their real names.)

The account passwords were hashed using the MD5 algorithm, which dates from 1992 and is no longer considered safe to use. Passwords hashed using MD5 can often be easily cracked and should be regarded as compromised. Cracked passwords could be used to hijack accounts.
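For anyone running a site that still stores MD5 password hashes, here is one way to retire them at login time. This is an added example, not code from the article or from Bleeping Computer's report. It assumes the legacy records are bare hex MD5 digests (the breached site's exact scheme is not described here), and the function names, record format and iteration count are illustrative choices.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor; tune for your hardware


def legacy_md5(password: str) -> str:
    """Assumed legacy format: unsalted hex MD5, so equal passwords give equal hashes."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_record(password: str) -> str:
    """Build a salted, slow record: pbkdf2$<iterations>$<salt hex>$<key hex>."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${key.hex()}"


def verify_and_upgrade(store: dict, user: str, password: str) -> bool:
    """Check a login; on success against a legacy MD5 record, replace that record."""
    record = store.get(user)
    if record is None:
        return False
    if record.startswith("pbkdf2$"):
        _, iters, salt_hex, key_hex = record.split("$")
        key = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(key.hex(), key_hex)
    # Legacy path: constant-time compare, then rehash while the password is in hand.
    if hmac.compare_digest(legacy_md5(password), record):
        store[user] = pbkdf2_record(password)
        return True
    return False


def legacy_users(store: dict) -> list:
    """Accounts still on MD5; candidates for a forced reset if they never log in."""
    return sorted(u for u, rec in store.items() if not rec.startswith("pbkdf2$"))


if __name__ == "__main__":
    # Constructed sample data: two users who chose the same password.
    store = {"alice": legacy_md5("correct horse"), "bob": legacy_md5("correct horse")}
    print("identical MD5 records:", store["alice"] == store["bob"])
    print("alice login:", verify_and_upgrade(store, "alice", "correct horse"))
    print("alice record now:", store["alice"][:24] + "...")
    print("still on MD5:", legacy_users(store))
```

Accounts that never log in again keep their MD5 record, so the list from `legacy_users` still needs a forced password reset.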

EscortReviews.com is a user-driven online forum on which escorts (i.e., sex workers) in the United States and Mexico post information about themselves, and their customers write about the quality of their experiences with the sex workers.

The site is currently offline, but archived versions of some of its pages are on the Internet Archive's Wayback Machine.

The most recent cached EscortReviews front page, from November, promises that "We have something for you, whether you're a male member seeking out new friends or a new lady on the scene looking to take advantage of our many opportunities to network, make new friends, or connect with people."

Bleeping Computer noted that the website was using an old version of the vBulletin forum software that's known to have security flaws and hasn't been supported since 2017. It wasn't clear whether the site itself had been breached, or an online backup of the database had been accessed.

How to make sure this doesn't happen to you

Needless to say, whether you're a sex worker or a customer, you don't want the information exposed by the EscortReviews.com data breach to be linked to your real-life identity. We hope you've taken precautions beyond just using a unique, strong password.

If you're signing up for an account with a service of dubious legality, a service that might result in a lot of embarrassment, or, in the case of many sex workers, a service that might put you in physical danger if your real name is revealed, then you've got to pre-emptively cover your tracks. 

Use a burner email address that won't be used for any other account. Create a username you've never used anywhere else. (Many hackers committing online crimes have been caught because they reused usernames.) 

Don't connect your account to accounts with other services. Use one of the best VPN services to mask your computer's IP address, but keep in mind that most consumer VPNs log user activity. 

We'd normally tell you to use one of the best password managers to keep all your passwords straight, but in this case it might not be a good idea. Having an entry for EscortReviews.com in your password vault might raise suspicions if a friend, roommate or spouse found out.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.