Model Mayhem suffers second security breach in nine months revealing private member information

Late in the afternoon of January 10th, 2011, members began reporting being logged in as other members, which gave them complete access to those members’ accounts, including private emails. This is the second time this has happened in nine months. The first time was back in April 2010. During that incident, Model Mayhem refused to send out a site-wide announcement alerting members to the security breach. They elected instead to send limited emails to some members whom they suspected were affected. At the time, I pointed out that such limited notifications were inadequate. Model Mayhem’s email system, which does not allow permanent deletion of emails, shows both sides of a conversation, so a single account breach exposes the email conversations of every member that account has ever exchanged mail with, potentially hundreds of people. It is simply impossible to determine which accounts were compromised.

Model Mayhem fails to notify members

Site problems on Model Mayhem are common, and some may argue that this is not unexpected for a site of that size and complexity. Site administrators and moderators have no control over technical problems on the site, but admins do have control over how they handle notifications and alerts, and on that front they have failed miserably again. There were no site-wide announcements and no updates on their Facebook page, Twitter page, or Blogger page, and their Myspace page has not been used since November 2009. In a forum thread for site-related matters, a mod actually put forward the position that since moderators know nothing more than members, nothing really needs to be said. However, a simple site-wide announcement alerting members to a possible breach of their private information is the responsible thing to do and may be required under many States’ security breach notification laws.

This particular security breach occurred on the heels of a week-long problem where members were not able to log in from certain locations. The problem appears to be connected to one or more of Model Mayhem’s https authentication servers. As of this writing, it is unknown whether any fixes have been attempted. The site has gone up and down 26 times in the last 24 hours.

Since the problems are related to their https authentication servers, and this is the second breach in nine months without the site taking appropriate steps to notify members, members should think twice before submitting any sensitive data on Model Mayhem, including using a credit card to purchase any services from Model Mayhem. I am also recommending that members change their password to one that is unique to Model Mayhem, so that if it is ever revealed, they won’t have to change it on any other sites that share the same email and password combination. As always, never reveal any financial information in private email. At this point, members should consider their private emails on Model Mayhem as anything but private.

  • For more information on protecting your privacy and the steps to take if you suspect your account may have been compromised, read this section from my post from the last time I wrote about this very same problem.
  • To get instant alerts of Model Mayhem going down, follow this Twitter account.
  • If you are having problems logging into your account, using a proxy server such as www.hidemyass.com or www.kproxy.com will allow you to log in.
  • Admin

    I’ve never in my life seen people who claim to be grown men worry so much about what happens on a web site they got kicked off from. Isn’t this 10 year old shit? I mean, and you fucks have a facebook page too? Put on your big girl panties and grow up some. Boo Fucking Hoo??

    • Get a Life

      My oh my, I’m not the only one that thinks this is all nonsense.

      This isn’t a grown man you are dealing with on here… Just another whining sissy behind a computer screen.

      • So says the whining sissy posting from a fake id.

        • Get a Life

          Some reason you are posting the IPs?

          69.234.23.117

          • Get a Life

            Oh. All very cryptic

            Here I’ll do it myself:

            69.224.224.178

  • Gkolack

    Is that you, Keeling?

  • Nameless

    Funny as hell you still can not connect all the dots here. Your vendetta with Model Mayhem seems to be giving you tunnel vision.

    69.224.224.178

  • Ooooh, looks like this hit a nerve over there on Mayhem. The place has had monster security holes since day one, not to mention the all the doors that are just plain left unlocked.

  • Whateverurmodelis

    Model Mayhem has become the dirt hole of modeling. It used to be a great place, but now it’s infiltrated with wannabe photographers. The old moderators were better.

  • The newest trick is a link to “Model Mayhem” that will ask you to log in; the page actually steals your password, then pretty well seamlessly directs you to Model Mayhem’s site. Many accounts have been breached this way, a conservative estimate being upwards of 200.

    The spoof link is fairly sophisticated and it seems that the culprits rotate the url very regularly.

  • Mike F.

    This is nothing new. Since its inception, ModelMayhem.com has been hacked, and the hackers use the new daily email addresses to sell for $1 each to Chinese bulk email hosts. The hackers do not disable the site because it is a source of active email addresses.

    The site itself was sold back in August 2008 and payment was not rendered because a 3rd party source proved that 69% of its traffic was false. A legal battle has since been ensuing between Tyler and Internet Brands, though Tyler was found to be in breach of contract for the false traffic.

  • Pingback: Double Secret Probation | Visifoto Blog