Cultural Attacks

App Meant to Help Users Quit Porn Leaked Their Masturbation Habits

There’s something quietly disturbing about discovering that a tool meant to help people wrestle with their most private habits accidentally left the blinds wide open. An app that claims to help users stop consuming pornography ended up exposing intensely sensitive personal data — the kind of stuff most people wouldn’t even admit to a close friend. Ages. Masturbation frequency. Emotional triggers. How porn makes them feel afterward. And tucked inside that data were a lot of minors, which makes your stomach drop a little when you really sit with it.

One user profile, for instance, listed their age as “14.” Their “frequency” showed porn use “several times a week,” sometimes up to three times a day. Their “triggers” were logged as “boredom” and “Sexual Urges.” The app had even assigned a “dependence score” and listed their “symptoms” as “Feeling unmotivated, lack of ambition to pursue goals, difficulty concentrating, poor memory or ‘brain fog.’” It reads less like analytics and more like a vulnerable diary entry — something that was supposed to stay locked away.

The app isn’t being named because the developer still hasn’t fixed the issue. The problem was uncovered by an independent security researcher who asked to remain anonymous. He first flagged it to the app’s creator back in September. The creator said he’d fix it quickly. That didn’t happen. The flaw comes from a misconfiguration in how the app uses Google Firebase, a popular mobile app development platform. By default, Firebase can make it surprisingly easy for anyone to become an “authenticated” user and access backend storage — the digital attic where all the private boxes tend to live if you’re not careful.

Overall, the researcher said he could access information belonging to more than 600,000 users of the porn-quitting app, with roughly 100,000 identifying as minors. That number lands heavy. It’s not abstract. It’s classrooms. It’s school buses. It’s kids who probably assumed they were talking into a void, not a wide-open window.

The app also invites users to write confessions about their habits. One of them read: “I just can’t do this man I honestly don’t know what to do know more, such a loser, I need serious help.” You can almost hear the frustration in that sentence — the messy spelling, the emotional spill. That’s not data. That’s a human having a rough night.

When reached by phone, the creator of the app said he had spoken with the researcher but claimed the app never exposed any user data due to a misconfigured Google Firebase. He suggested the researcher may have fabricated the data that was reviewed.

“There is no sensitive information exposed, that’s just not true,” the founder said. “These users are not in my database, so, like, I just don’t give this guy attention. I just think it’s a bit of a joke.”

When asked why he previously thanked the researcher for responsibly disclosing the misconfiguration and said he would rush to fix it, he wished me a good day and hung up. One of those conversations that ends abruptly, leaving a strange quiet buzzing in the room.

After the call, an account was created on the app. The researcher was then able to see that new account appear inside the misconfigured Google Firebase environment — confirmation that user information was still exposed and accessible. Sometimes reality has a way of answering arguments faster than any debate ever could.

This type of Google Firebase misconfiguration isn’t new. Security researchers have been talking about it for years, and it continues to surface today. It’s one of those problems that feels boring until it suddenly isn’t — until someone’s real life data is sitting out in the open.

Dan Guido, CEO of cybersecurity research and consulting firm Trail of Bits, said in an email that this Firebase issue is “a well known weakness” and easy to find. He recently noted on X that Trail of Bits was able to build a tool using Claude to scan for this vulnerability in just 30 minutes.

“If anyone is best positioned to implement guardrails at scale, it is Google/Firebase themselves. They can detect ‘open rules’ in a user’s account and warn loudly, block production configs, or require explicit acknowledgement,” he said. “Amazon has done this successfully for S3.” S3 is a cloud storage product from AWS that previously struggled with similar data exposure issues due to misconfigurations.

The researcher who uncovered the app’s vulnerability added that this insecure setup is often the default in Google Firebase. He also pointed a finger at Apple, arguing that apps should be reviewed for backend security issues before being allowed into the App Store.

“Apple will literally decline an app from the App Store if a button is two pixels too wide against their design guidelines, but they don’t, and they don’t check anything to do with the back end database security you can find online,” he said. It’s one of those comments that lands with an uncomfortable kind of truth — polished surfaces, shaky foundations.

Apple and Google did not respond to requests for comment.

And that’s the part that lingers. People trusted this app with their most awkward truths, their late-night regrets, their quiet attempts at self-control. Some of them were kids. They weren’t posting for an audience. They were whispering into what they thought was a locked room. Turns out the door was never really closed.

NoFap Founder Sues Aylo, UCLA, Scientists & Academic Publisher

A lawsuit filed in Pennsylvania alleges that NoFap founder Alexander Rhodes was targeted in a years-long civil conspiracy involving Aylo (Pornhub’s parent company), UCLA, scientists Nicole Prause and David Ley, and academic publisher Taylor & Francis. Rhodes claims the defendants coordinated to silence and discredit him and NoFap by portraying the group and some of its members as aligned with extremist or pseudoscientific beliefs, and by promoting research asserting that pornography is not addictive and that NoFap is not an effective treatment. The suit casts Aylo as the central player in this alleged scheme, pointing to its legal efforts against state laws regulating porn and its ties to Ley as an expert witness, although the filing acknowledges no evidence that Aylo paid Prause or otherwise directly funded the researchers’ work.

The complaint seeks apologies, retractions, and gag orders and names dozens of journalists and other commentators whose largely factual reporting about NoFap is labeled defamatory. It frames the case not as a cultural debate but as a sweeping claim of disinformation, exploitation, and racketeering aimed at critics of the porn industry, while also accusing Taylor & Francis of trademark dilution and UCLA of aiding the alleged plot through employment of Prause. Observers note the contradiction between these claims and established academic and professional positions—such as the APA’s stance that pornography addiction is not a recognized diagnosis—raising questions about the lawsuit’s breadth and its implications for journalism and scientific inquiry.

Collective Shout Targets Honey Birdette in Latest Campaign

LOS ANGELES—Collective Shout, an Australian anti-pornography group, announced Thursday that it successfully pressured Honey Birdette, the Playboy-owned lingerie retailer, to withdraw certain advertising from a shopping mall near Perth.

The group described the outcome as a “flash win” in its campaign against what it called “porn-themed” marketing.

Collective Shout, co-founded by self-described “pro-life feminist” Melinda Tankard Reist, positions itself as a prominent anti-pornography organization in Australia and has often compared its efforts to similar conservative-led advocacy groups in the United States.

Honey Birdette has been in Collective Shout’s crosshairs for years. In August 2025, the group objected to the retailer’s advertising of lingerie products featuring BDSM-inspired accessories such as chains, collars, and leashes. The complaint was filed with Australia’s advertising industry regulatory body, Ad Standards, which later closed the matter after Honey Birdette addressed the concerns. Similar cases have been raised by Collective Shout against the brand multiple times in the past.

“Playboy-owned sex shop Honey Birdette has been forced to remove two porn-style shop window ads following our reports to Ad Standards,” the blog post declared. “The ads promoting a range called ‘Sumi – Leopard’ featured objectifying portrayals of naked women.”

The complaint targeted ads promoting Honey Birdette’s Sumi collection, which the company describes as “inspired by sheer bodysuits and bodystockings.” The line includes lingerie sets, catsuits, headpieces, and other items in black and leopard print designs.

Collective Shout said the ads objectified women and were inappropriate for children visiting the Perth shopping mall. The group emphasized that the ads were displayed in close proximity to a children’s stage show, describing the venue as a “family shopping center.”

While the group highlighted this proximity in its complaint, it did not provide exact measurements of the distance between the advertisements and the stage show. Still, Ad Standards acted quickly after receiving the reports.

“Less than 24 hours after lodging our reports, Ad Standards replied with a notice advising that Honey Birdette had confirmed the ads had been ‘modified or removed and the original advertisement will not be used again on this medium,’” Collective Shout wrote in its post.

Following the removal, the group is now urging its supporters to continue the campaign by filing additional complaints with Ad Standards and petitioning executives of the shopping center’s parent company to suspend Honey Birdette’s marketing campaigns across all of their properties in Australia.

Honey Birdette, founded in 2006 in Australia, was acquired in 2021 by the NASDAQ-listed PLBY Group, parent company of Playboy and other brands, as part of a strategy to expand its global retail footprint and e-commerce operations. The lingerie chain operates stores across Australia as well as in the United States and other international markets.

Federal Judge Narrows Trafficking Case Against Aylo and Visa

LOS ANGELES — A federal judge has dismissed several trafficking-related claims filed against Aylo, the parent company of Pornhub, and credit card processor Visa, according to court orders issued Monday.

The case was brought by Serena Fleites, whose story was highlighted in Nicholas Kristof’s widely discussed New York Times opinion column “The Children of Pornhub.” In the piece, Kristof portrayed Fleites as emblematic of claims that the platform enabled illegal content, including child sexual abuse material. Fleites later disclosed that she had been victimized as a teenager and filed suit against Aylo and Visa.

The lawsuit is being heard by U.S. District Judge Wesley L. Hsu of the Central District of California. Fleites is represented by attorneys Michael Bowe and Lauren Tabaksblat of Brithem LLP, along with David Stein of Olson Stein LLP. Bowe, who previously defended former U.S. President Donald Trump and appeared in Netflix’s Money Shot: The Pornhub Story, co-founded Brithem LLP earlier this year as a boutique firm specializing in what it calls “impact litigation.”

Judge Hsu ruled that many of Fleites’ claims against Visa could not proceed. Her attorneys had sought to hold Visa liable for processing payments connected to Aylo’s platforms, then operating under the name MindGeek. However, Hsu dismissed most of these claims, finding insufficient evidence of active participation in trafficking-related conduct.

“Civil conspiracy with Aylo cannot be triggered solely by knowledge and inertia; it requires affirmative alignment with the venture’s unlawful purpose,” Hsu wrote. He added that there were “no allegations of internal Visa communications, decision-making, or admissions reflecting an understanding of MindGeek’s unlawful objectives,” noting instead that Visa appeared to have simply “continued a pre-existing business relationship in the face of controversy.”

While most claims against Visa were dismissed without prejudice, Hsu allowed parts of Fleites’ case against Aylo to continue. These include allegations tied to the Communications Decency Act and claims related to Aylo’s alleged role in the receipt, distribution, or transportation of exploitative material.

“While the court agrees that plaintiff’s pleadings as to MindGeek’s involvement in the videos as specific to her leave more to be desired,” Hsu wrote, “the court finds that these allegations paired with the general allegations found in the rest of the complaint … are sufficient at this stage of the litigation when all reasonable inferences are drawn in favor of the plaintiff.”

Hsu also dismissed claims that Aylo violated the Trafficking Victims Protection Reauthorization Act (TVPRA) through direct liability, but he allowed Fleites’ beneficiary liability claim to move forward. That provision of the law allows plaintiffs to pursue damages against entities that knowingly benefited from participation in a trafficking venture.

In addition, Hsu dismissed allegations of conspiracy between Visa and Aylo to violate the TVPRA.

A spokesperson for Aylo declined to comment beyond a short statement: “Out of respect for the integrity of court proceedings, our policy is not to comment on ongoing litigation. We look forward to the facts being fully and fairly aired in that forum.”

Colombian Court Rules in Favor of Esperanza Gómez in Instagram Suspension Case

BOGOTÁ, Colombia — Colombia’s Constitutional Court has ruled in favor of adult performer Esperanza Gómez in her dispute with Meta over repeated suspensions of her Instagram account.

The court determined that Meta failed to apply its standards equally, noting that Gómez’s profile had not been treated the same as others with similar content.

“If social media platforms use offline activities as criteria for content moderation, they must clearly state these criteria in their community standards,” the ruling stated. “Due process must also be allowed to reasonably challenge the social media platform’s decision.”

Gómez first filed her case in 2022, arguing that Instagram’s repeated deactivations cost her millions of followers and harmed her “right to work.”

In the decision, authored by Judge Natalia Ángel Cabo, the court ordered Meta to take three corrective measures: establish a visible electronic channel for judicial notifications in Colombia, ensure moderation policies are available in Spanish on a unified website, and revise Instagram’s terms of use and privacy policy so users have clear avenues to contest moderation actions.

Following the ruling, Gómez celebrated the outcome on X. “I continued without listening to the people who told me that I would never win a lawsuit against a giant, and today we are triumphing,” she wrote. “We must know how to defend our rights when they are violated.”

Conservative Group Challenges Supreme Court Over Age Verification

The American Enterprise Institute (AEI), a conservative think tank, has raised concerns about the U.S. Supreme Court’s recent decision in Free Speech Coalition et al. v. Paxton. In a briefing published on Tuesday, Clay Calvert, a nonresident senior fellow at AEI for technology policy studies, laid out the basis for the criticism.

Calvert argued that the Court’s conservative majority created a carve-out in First Amendment protections for controversial forms of expression, such as adult content.

“To grease the skids for a decision that burdens First Amendment rights, it helps to denigrate the group that’s fighting for free speech subtly,” Calvert wrote in his AEI blog post.

Calvert is professor of law emeritus at the University of Florida’s Levin College of Law and Brechner Eminent Scholar Emeritus at the College of Journalism and Communications, with expertise in First Amendment case law and communications policy.

He noted that the Free Speech Coalition (FSC)—which describes itself as “the trade association of the adult entertainment industry based in the United States”—was characterized differently in the Court’s opinion. While FSC’s website does not use the socially stigmatized term “pornography,” Justice Clarence Thomas, writing for the majority, referred to it as “a trade association for the pornography industry.”

“Semantics matter because under U.S. law, there are three distinct categories of sexual speech: obscenity, child pornography, and variable obscenity,” Calvert explained. “Notably, pornography is not a legal term; it’s just a disparagingly loaded word. Thomas unloaded it against the FSC, making it just that much easier for adults to stomach a decision burdening their own First Amendment rights.”

The Anti-Porn Crusade Comes for Online Games

Reason opines about how anti-porn groups are coming after games by pressuring payment processors.

FSC: Identity Theft Targeting Adult Performers

The Free Speech Coalition is warning that someone is targeting adult performers for identity theft.

NSFW Games Returning to Itch.io’s Catalog

Itch.io is returning adult games to their platform.

Itch.io Removes NSFW Games After Targeting by Anti-Porn Group

Gaming platform Itch.io has removed all NSFW games after being targeted by an anti-porn group.
