Security News

Former OnlyFans employees retain access to sensitive personal data

Emma McGowan 4 Oct 2021

Employee access to — and abuse of access to — sensitive data is not unique to OnlyFans

Former employees of OnlyFans — the subscription-service website that gives people (often intimate) access to their favorite performers — retained access to performers’ and subscribers’ data, even after they no longer worked for the company, according to reporting from Motherboard. 

A former employee told the publication that they still had access to the customer service software Zendesk long after leaving the company. The employee said that OnlyFans used the software to “track and respond to customer tickets” and that they could potentially access “credit card information, drivers' licenses, passports, full names, addresses, bank statements, how much they have earned on OnlyFans or spent, Know Your Customer (KYC) selfies where the creator holds up an ID next to their face for verification, and model release forms.” Motherboard confirmed that the former employee still had access to this sensitive information.

While any “leak” of personal information and data is a major privacy and security issue, it’s especially dangerous for the sex workers who comprise the majority of the performers on OnlyFans.

“By not removing former employees’ access, OnlyFans clearly failed to do one of their core jobs: protect the privacy — and ultimately safety — of both their users and their creators,” Kay Clark, who performs on OnlyFans, tells Avast. “This is especially concerning when it comes to sex workers, who face an incredible amount of stigma for the work that we do. Information linking our work identities with our legal ones could have very real consequences if leaked, from custody issues to stalking and assault.”

Clark points out that OnlyFans is an essential part of the current digital sex work ecosystem — and that there are obligations that come with that.

“When creators join sites like OF, they agree to pay a percentage of their earnings to the site in exchange for certain services,” Clark says. “OnlyFans isn’t holding up their end of the bargain if they aren’t doing their due diligence to protect the identities of their creators.”

Employee access to — and abuse of access to — sensitive data is not unique to OnlyFans. Uber employees got caught doing it in 2016. Snapchat employees in 2019. Ring employees in 2020. Google and Facebook employees in 2021. And, most recently, the failure to completely off-board a disgruntled, fired credit union employee led to the destruction of 21.3 GB of data, which added up to $10,000 in damages.

"This incident has a clear lesson for SMBs in the importance of having proper procedures in place to revoke access for terminated employees promptly and to verify that those procedures have been followed,” Avast Senior Global Threat Communications Manager Christopher Budd writes about the credit union. “In this case, for instance, if these had been in place and followed, this entire episode likely wouldn’t have happened.”
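The procedure Budd describes has two halves: revoking access when someone leaves, and verifying that the revocation actually happened. The second half is what would have caught the lingering Zendesk account, and it is cheap to automate: reconcile the HR roster against the active-user export of each SaaS tool and flag any enabled account whose owner was terminated or was never on the roster at all. The following is an added example, not code from the article, from OnlyFans or from Avast; the record layouts, field names and sample people are constructed for illustration and are not Zendesk's API schema.

```python
"""Access-review reconciliation: find SaaS accounts that should have been revoked.

Added example (not the article's code). Inputs are two exports most organisations
can produce: an HR roster with employment status, and an active-user list from a
SaaS tool such as a helpdesk. Field names below are assumptions for the example.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HrRecord:
    email: str
    status: str                     # "active" or "terminated"
    terminated_on: Optional[date]   # None while employed


@dataclass(frozen=True)
class SaasUser:
    email: str
    role: str                       # e.g. "agent", "admin"
    active: bool                    # False once the account is disabled
    last_login: Optional[date]


@dataclass(frozen=True)
class Finding:
    email: str
    reason: str
    days_overdue: int


def reconcile(hr: List[HrRecord], saas: List[SaasUser], today: date,
              grace_days: int = 1) -> List[Finding]:
    """Return every enabled SaaS account that should no longer exist.

    Two conditions flag an account:
      * the HR roster says the owner was terminated more than `grace_days` ago
        and the account is still enabled ("lingering access");
      * the account's email is not on the HR roster at all ("orphaned"), which
        catches contractors and renamed accounts that HR never tracked.
    A login after the termination date is appended to the reason, because that
    is the signal that the lingering account was actually used.
    """
    roster: Dict[str, HrRecord] = {r.email.lower(): r for r in hr}
    findings: List[Finding] = []
    for u in saas:
        if not u.active:
            continue                              # already disabled: nothing to do
        rec = roster.get(u.email.lower())
        if rec is None:
            findings.append(Finding(u.email, "orphaned: not on HR roster", 0))
            continue
        if rec.status == "terminated" and rec.terminated_on is not None:
            overdue = (today - rec.terminated_on).days - grace_days
            if overdue > 0:
                reason = "lingering access after termination"
                if u.last_login and u.last_login > rec.terminated_on:
                    reason += f" (logged in {u.last_login.isoformat()})"
                findings.append(Finding(u.email, reason, overdue))
    # Most overdue first, so the review queue starts with the worst case.
    return sorted(findings, key=lambda f: f.days_overdue, reverse=True)


def sample_findings() -> List[Finding]:
    """Run the reconciliation over constructed sample data (not real people)."""
    today = date(2021, 10, 4)
    hr = [
        HrRecord("alice@example.com", "active", None),
        HrRecord("bob@example.com", "terminated", date(2021, 6, 1)),
        HrRecord("carol@example.com", "terminated", date(2021, 10, 3)),  # inside grace
        HrRecord("erin@example.com", "terminated", date(2021, 8, 20)),
    ]
    saas = [
        SaasUser("alice@example.com", "agent", True, date(2021, 10, 1)),
        SaasUser("Bob@example.com", "agent", True, date(2021, 9, 15)),   # still enabled, used
        SaasUser("carol@example.com", "agent", True, None),
        SaasUser("dave@example.com", "admin", True, date(2021, 9, 30)),  # never on roster
        SaasUser("erin@example.com", "agent", False, None),              # correctly disabled
    ]
    return reconcile(hr, saas, today)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.email:24} {f.days_overdue:4d}d  {f.reason}")
```

Running it on the sample data reports Bob's account, enabled 124 days past the grace period and used in September, and Dave's admin account, which no HR record explains; Carol's account is within the one-day grace window and Erin's was disabled correctly, so neither is reported. The emails are compared case-insensitively because HR systems and SaaS exports rarely agree on capitalisation, and that mismatch is a common reason a lingering account survives a manual review.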