Jessica Klein

Sex Work

A top adult site’s accidental data leak has the industry shook

A recent incident at iWantClips highlights the need for stronger protection of sex workers' personal information.

One night in September 2008, Amberly Rothfield waited inside her home, on the Fort Stewart military base in Georgia, afraid and clutching her shotgun. An apparently young, male stranger who had gotten hold of her address online had just called her and told her that he was going to murder her. He informed Rothfield that she had just four hours to live. “I was terrified,” she says.

Rothfield (her performer name) cries as she recounts this story to me at last week’s AVN, the fan-focused adult entertainment convention that takes place yearly at the Hard Rock Hotel and Casino in Las Vegas. Her big hair is up in a bun — an incognito look she uses so we can talk without the distraction of fans, of which Rothfield has many. An adult performer with videos on PornHub, Clips4Sale, and other sites, she also teaches courses on business and marketing for fellow industry participants. Performers at AVN know her for that — and for the traumatic doxxing incident she went through about a decade ago.

Rothfield’s address, the place where she lived with her military officer wife, was leaked online when she worked as a phone sex operator. At the time, Rothfield was using the image of porn actor Cate Harrington to represent her phone sex persona on her personal site, the phone sex site NiteFlirt, and the clips site Clips4Sale. Rothfield paid Harrington for exclusive rights to do so, but then Harrington won a major porn award. Given Harrington’s heightened profile, people noticed Rothfield using her image. Assuming Rothfield was falsely impersonating the actor, people got angry and somehow found and shared Rothfield’s address online. That was when the threats started coming.

“The more platforms you’re on, the more vulnerable you are.”

“I had hundreds of phone calls in the course of an hour,” she says. “I couldn’t hang up quick enough.” After the incident in which someone threatened to show up at her home and murder her — in the end, no one came — Rothfield retreated from peers in the industry for several years, though she continued to work as a phone sex operator. Eventually, she got back into the community, but refrained from putting her content on too many sites. “The more platforms you’re on, the more vulnerable you are,” she says.

The horror of her doxxing came flooding back to her earlier this month, while Rothfield was headed to XBIZ, an adult industry event in Los Angeles. She checked Twitter, and saw a tweet that made her heart sink. Someone had posted a letter they received from iWantClips, an adult clips platform Rothfield is active on, informing them of an accidental data leak.

iWantClips — used by more than 30,000 adult clip artists, who create and post short videos categorized as everything from “pillow humping” to “cleaning fetish” — is owned by the U.S.-based Gatsby Enterprises Inc. and claims to be the “fastest-growing clip site in the world.” On January 16, the company posted an official statement to Twitter saying it had “inadvertently” released the 1099 forms of 483 U.S.-based clip artists from the year 2017. All the forms had been sent to one iWantClips artist, whom the company’s vice president of operations, John Vournas, called “trusted and respected” in a statement. That artist “immediately informed [iWantClips] of the error and deleted the file from their email and computer,” per the statement. “No artist stage names were associated with this information.”

When she first saw the letter, Rothfield was across the country from her home in Ohio, which she shares with her wife and three kids. “I almost flew home,” she says. “I don’t know if it was post-traumatic stress, but it was bad.” She researched hotels for her family to stay at in case their address had been exposed and contemplated relocating permanently. Rothfield’s own letter, informing her that she might have been affected by the data release, came in the mail shortly thereafter.

iWantClips isn’t the only recent example of sex workers’ data exposure. The same day iWantClips released its Twitter statement, cybersecurity researchers from vpnMentor reported extensive data exposure from the live camming network PussyCash. They found that PussyCash, which has affiliate programs with numerous adult websites, exposed more than 875,000 data files, such as photo IDs, of more than 4,000 cam models. “It must be emphasized that no information was leaked, with the exception of vpnMentor,” PussyCash said in a statement. “We are certain they will not use it for any purpose.”

Even more recently, TechCrunch reported that an Amazon Web Services storage bucket belonging to adult messaging platform SextPanther had left 11,000 documents identifying sex workers exposed. The bucket was not password protected, and SextPanther’s operator pulled it offline shortly after TechCrunch informed him of the vulnerability.

Though the PussyCash and SexPanther incidents differed in significant ways from the iWantClips leak, all send a message to cam models and clip artists: the companies they rely on to not only do business but protect their identities may be putting them in danger.

Online data exposure is a significant concern for those working in adult. Leaked personal information can cause a myriad of woes for online sex workers, from the kind of terror inflicted on Rothfield to lesser, but still serious, effects on performers’ everyday lives.

Nicoletta Heidegger, a licensed therapist, sexologist, and host of the Sluts and Scholars podcast, has worked with multiple clients who’ve gotten fired from their vanilla jobs or otherwise suffered from being outed as sex workers. “We just had someone [on the podcast] named Mistress Snow, and when her mentor in her doctoral program found out that she was a sex worker, they dropped her from her mentorship and took away their letters of recommendation,” Heidegger says.

Clip artist Mylie Moore, a redhead dressed conservatively in a black T-shirt at Clips4Sale’s tables at AVN, tells me about a friend of hers who suffered extreme harassment after her personal information was leaked in a breach of the adult industry STD testing center, AIM, about a decade ago. Having learned her address from the leak, a man entered the friend’s gated apartment complex and posted hundreds of the woman’s porn photos throughout the property. “He even put them on the washers and dryers,” Moore says.

As news of the iWantClips leak broke, Rothfield was fortunate to be among peers who’d also been affected, at XBIZ. “The iWantClips community was able to come together and calm each other down,” she says, “because there was hysteria.”

iWantClips called the incident a “minor inadvertent data release,” which rubbed many clip artists the wrong way. On Twitter, they responded in droves. Many wrote that they felt the company was being less than transparent, and bristled at what they saw as iWantClips’ dismissive tone:

There were even tweets suggesting a class action lawsuit. Several clip artists said they were going to delete their iWantClip accounts or “clear out” their clip stores there immediately.

Mistress Vanabel, a dominatrix in West Virginia, says she deleted her account as soon as she heard about the leak. “I know of at least 25 dommes who have done the same thing this morning,” she writes in a Twitter direct message. “The biggest issue is that this happened in DECEMBER and we’re just now finding out almost a whole month later.”

Input reached out to iWantClips’s attorney, Corey Silverstein, who says that the leak occurred shortly before the holidays. “iWantClips practically immediately followed appropriate protocol and involved legal counsel,” he says. The release, he adds, was a result of human error — “one employee not following appropriate practices.” That employee was fired.

It could take more than firing the person responsible to reestablish trust with performers. Goddess Melannia, a U.S.-based domme, says she has been trying to shut down her iWantClips account since she heard about the data leak, but she can’t figure out how. She cites iWantClips’ “piss poor excuses” and the way they handled the leak. When we messaged last week, she said the company had yet to respond to her emails.

The scene at AVN reflects the industry’s ever-growing reliance on clip and cam sites — businesses that actually make money for performers in an industry hard-hit by piracy. Expo sponsor MyFreeCams.com’s green logo covers the convention halls. The company’s keychain vibrators litter tabletops, and cam models perform for virtual viewers on their laptops at long MyFreeCams tables under studio lighting, all but ignoring the flesh and blood fans parading in front of them. Other cam and clip sites, like Chaturbate, ManyVids, and Clips4Sale, take up their fair share of the convention floor. (iWantClips doesn’t have a table.) “Traditional” porn stars, those with their own meet-and-greet booths who star in produced videos, are relegated to a dimly lit room that feels out of the way.

“One thing that always does concern me is there’s really no formalized process for auditing the data security with all these companies,” says trans performer Lycha Rose, perching atop ManyVids’ elevated AVN booth, surrounded by other smiling models. She’s uploaded her identifying documents to tens of different adult sites. (“You have to diversify — especially if you’re trans,” she says. “There’s almost no trans contract performers.”) “It would be really cool to see some of the major companies in the industry come together to create some sort of independent auditing system,” she adds. “That would attract models to [participating] platforms.”

“iWantClips spends a small fortune on the latest and greatest technological tools available and are constantly focused on data protection.”

Silverstein says iWantClips is working on updating its training programs to “ensure the company’s values of data protection are met when physically handling user data,” but would not provide further details on that process. He adds that iWantClips “spends a small fortune on the latest and greatest technological tools available and are constantly focused on data protection,” but again wouldn’t be more specific.

Other sites, like ManyVids, have emphasized data security from their inception. The Montreal-based adult video site, co-founded in 2014 by CEO Bella French, now hosts about 80,000 cam performers and clip artists and has 3 million active customers. To protect content creators’ identities, all sensitive documents uploaded to the platform are kept in “secure, encrypted storage in the cloud,” co-founder and coder Gino Sciretta tells Input. Only a small number of members of ManyVids’s customer care department ever have access to the unencrypted data.

ManyVids invests heavily in their developers, who use Amazon Web Services to develop new security products in-house — something many adult sites contract out to third parties. With third parties, says Sciretta, “you don’t really know who’s working on the product or who has access to data. We’re able to really control the methods of development and the processes being put in place for security.”

Plus, CEO French, a former cam performer, has her own information on ManyVids. A fan of hers once got access to her personal information, and she never wants that to happen again. “I understand first and foremost how scary it can be,” French says.

As for Rothfield, she still has her iWantClips account. After the initial shock of the leak, she calmed down when she focused on the fact that the information had gone to just one other sex worker. “Having gone through what is the worst-case [doxxing] scenario — besides actual death or harm — this felt contained,” she says. Plus, she thinks the industry is going to “be more vigilant” with users’ information after recent leaks. “I think industry-wide, everybody felt that heart drop moment and decided to readjust,” she says.

To this day, Rothfield continues to receive threats. “Any time I move, I usually get something in the mail saying, ‘I know where you are,’” she says. She got her latest threat letter just after last year’s AVN and sent it into the FBI Cyber Division, like she always does. The FBI has caught a couple of her stalkers, she says, but not the letter writer. “A lot of people who get doxxed, they quit, because it ruined their lives,” she says. And though Rothfield didn’t let doxxing push her out of her industry, she doesn’t want anyone else to have to live in fear like she does.