Porn advertisers target California secretary of state’s website
- The California secretary of state’s website appears to have been compromised with advertisements for pornography and cash apps.
- It is part of a nationwide pattern; a researcher has tracked at least 38 government agencies across 18 states targeted by similar attacks in recent weeks.
- The researcher warns bad actors could exploit the vulnerabilities to access citizen information or impersonate government agencies in fraudulent communications, raising urgent questions about government cybersecurity.
The state of California’s official business registration website appears to have been compromised by pornography and cash app peddlers.
Google users searching for information related to the California secretary of state were directed to PDFs with links and titles that include “My friends hot mom” and “Japanese Sex Video Porn Videos sexy.”
Those links, which appear connected to the state government website, were interspersed with a legitimate web address for the business services provided by the secretary of state.
The links, once opened, direct users to porn sites.
A representative for the secretary of state’s office said Friday that the agency removed several documents. A bad actor uploaded non-business documents to the secretary of state’s online business filing system, which were then publicly accessible via external links, a spokesperson said.
“It does not allow exposure of any other [Secretary of State] documents or data,” according to the spokesperson. “Due to the nature of an ongoing investigation, we cannot publicly disclose further details.”
“Traceability of the bad actor is not available at this time. Our primary focus is to mitigate the file upload issue.”
The secretary of state handles business registration filings and oversees elections.
Multiple government sites across the country reported similar attacks in the last several weeks.
The website for the state’s Mojave Desert Air Quality Management District was targeted last month, KBAK-TV reported. A representative for the air quality district told the television station the issue was related to their web-hosting partner, Granicus.
Another news outlet reported that the website for the Kansas attorney general’s office was targeted with links promoting AI-generated nude photos. The issue involved a third-party platform, KWCH-TV reported.
Granicus told the news station that it is “aware of reports regarding illicit content being uploaded through government websites. Among the government agencies mentioned in these reports, a small subset are Granicus customers.”
“In the few incidents affecting Granicus customers, an individual (or individuals) attached illicit content to a public form they submitted through a government web portal intended for communicating resident feedback or service requests,” Granicus told The Times. “The attachment was then indexed by Google, causing it to appear in search results. While the above feature was intended by governments to provide transparency and good customer service, it has been abused in these instances.”
The company also said that there has been “no breach of Granicus systems or products, nor exposure of any data.”
Brian Penny, a freelance journalist and AI researcher in Tucson, alerted The Times to the secretary of state links. He said he first discovered an AI sex ad linked to the Nevada Department of Transportation last month.
Since then, he has tracked 38 government agencies in 18 states and three countries that have been targeted by porn, video game, cryptocurrency and other advertisers.
He said he is reporting the links to many of the government entities.
One concern, he said, would be if a government employee clicks on a malicious link and bad actors are then able to find out personal information about citizens or to email from a government account and send citizens traffic bills, for instance.
“This is a huge thing,” Penny said. “All of our city and county governments need to be focused on cybersecurity right now. If the government’s not safe, how safe are you?”