Former OnlyFans Employees Could Access Users' and Models' Personal Information

samleecole shares a report from Motherboard: Some former OnlyFans support staff employees still had access to users' data -- including sensitive financial and personal information -- even after they stopped working for the company used by sex workers to sell nudes and porn videos. According to a former OnlyFans employee who asked to remain anonymous because they feared retaliation, some ex-employees still had access to Zendesk, a popular customer service software used by many companies including OnlyFans, to track and respond to customer support tickets, long after leaving the company. OnlyFans uses Zendesk to respond to both users who post content and those who just pay to view that content. According to the source and OnlyFans users who spoke to Motherboard, depending on what a user is seeking help with, support tickets may contain their credit card information, drivers' licenses, passports, full names, addresses, bank statements, how much they have earned on OnlyFans or spent, Know Your Customer (KYC) selfies where the creator holds up an ID next to their face for verification, and model release forms. "It's a shame that they have this large company and feel they can play with people's lives like this," the former employee said. "There are already so many things they are in trouble for and privacy should not be one of them. Everyone on that platform, especially sex workers, need to have their information be safe and it isn't."

pretty common issue

[jarkus4]

The issue of not locking former employees out is pretty common, especially in smaller companies using multiple external tools. There are many systems, often managed by different people. All those people must get notified that they should remove access and must care about it enough to do it timely (as this isn't their main responsibility).
To avoid such mess you generally need to establish a proper employee off-boarding procedure and preferably select a single person/team to manage those accesses so its easy to notify and its a clear responsibility.

Re:

[larwe]

Came here to say something similar. This situation used to be fairly well controlled when all corporate applications ran on the corporate network and you couldn't access them from the Internet. In that universe, all you really needed to do was walk someone out the door so they had no physical LAN access, and maybe revoke a VPN credential. With the huge variety of third-party cloud-hosted apps that everyone is using now, a central SSO system is the only way to avoid stragglers like this. Not to mention the i

Re:

[Antique Geekmeister]

Especially include senior staff who leave themselves emergency backdoors to slip by VPN's. SSH or stunnel port forwarding to outside locations are especially common in envirnoments without careful network monitoring. I've had some firm security discussions with computer science professors who insisted on leaving such tunnels, especially including live VNC sessions and SSH port forwarding enabled 24x7.

The issue of leaving personal data for customers is also a problem for IT personnel and their managers. Abus

Re: pretty common issue

[carvalhao]

Itwould be quite simple for these apps to create whitelists of access points and force all users to access through the corporate VPNâ¦

Re:

[geekmux]

The issue of not locking former employees out is pretty common, especially in smaller companies using multiple external tools.

It's a problem that shouldn't be as large as it is, that's for certain. Having a solid Joiners and Leavers process is critical with today's cloud-based IT services. Easy to overlook that internet-facing administrative interface and standalone auth with a 3rd party, and next thing you know you're being hacked by your own damn tools because you forgot to lock out the ex-employee.

And from my experience the main reason this problem is so large is because Joiners and Leavers is a process usually shared between

Re:

[larwe]

process usually shared between both HR and IT

The glib answer to this is that it can be automated. You can hook hire and term events in (say) Peoplesoft to run external actions. Onboarding can be complicated because you probably need to set up a complex set of permissions based on the person's role. Offboarding is easier because you simply nuke everything. The problem, of course, is that a lot of this stuff _isn't_ integrated, even if it can be.

Re:

[arglebargle_xiv]

Yup. The only thing that makes this, uh, "newsworth" is that OnlyTits is involved. I hope they at least provided some salacious photos to draw in the clicks.

What is OnlyFans?

[anonymouscoward52236]

What is OnlyFans? They should call this OnlyStalkers. Get people to drool over other people, then have crappy security with their personal data. What could go wrong?

Re:

[geekmux]

...then have crappy security with their personal data. What could go wrong?

Facebook was practically infamous for rolling out changes that completely decimate any security you wanted or had in place. "Oops, did we do that? So sorry, we won't do it again." Then they do it a dozen more times.

Microsoft Update is rather infamous for "re-adjusting" the telemetry settings too. The only thing "new" here, is the name.

shocked!

[cascadingstylesheet]

I for one am shocked that a porn enabling site didn't have strict, civilized protocols in place!

The Gray market.

[jellomizer]

Due to Americans Puritan heritage, Sex workers, are often in a Grey Market. Which while their work is technically legal, it is also ostracized by the general public (at least publicly). This often creates a condition where regulators and general companies who would normally support such an organization to kinda shy away and let them do their thing.

About 20 years ago, a friend of mine who was working for a networking company, had a customer who did adult videos. They basically put my friend on that client

Re: The Gray market.

[MysteriousPreacher]

It's hardly the preserve of Americans. In most societies worldwide prostitution and porn aren't exactly viewed as aspirational careers. Even where legal and generally accepted, it'd be a rare parent who'd casually mention their offspring showing their cooter to thirsty guys on the Internet.

Not the only ones

[dohzer]

To be fair, most viewers know a lot of personal information about the streamers. Very personal information.