A security researcher has discovered an unsecured online database that contains tens of millions of records from users of a number of different dating apps.
The discovery was made by researcher Jeremiah Fowler of SecurityDiscovery.com, who said that on 25 May he “discovered a non password protected Elastic database that was clearly associated with dating apps based on the names of the folders.”
The IP address of the database is located on a US server, and according to Fowler, a majority of the users appear to be Americans based on their user IP and geolocations. However, there are strong indications that the database is linked to China.
The database contains account names, location, IP addresses, age and geolocation information, and Fowler said it “only took a few seconds to validate” people’s real identities.
“Like most people your online persona or user name is usually well crafted over time and serves as a unique cyber fingerprint,” wrote Fowler. “Just like a good password many people use it again and again across multiple platforms and services.”
“This makes it extremely easy for someone to find and identify you with very little information,” he wrote. “Nearly each unique username I checked appeared on multiple dating sites, forums, and other public places. The IP and geolocation stored in the database confirmed the location the user put in their other profiles using the same username or login ID.”
Fowler said that Security Discovery always tries to follow a responsible disclosure process, but in this case the only contact information that could be found was fake.
He did send two notifications to email accounts that were connected to the domain registration and one of the websites. A Whois domain registration search for ownership of the database revealed a Metro train station in China.
An associated phone number just gave a message that the phone was powered off.
“I am not saying or implying that these applications or the developers behind them have any nefarious intent or functions, but any developer that goes to such lengths to hide their identity or contact details raises my suspicions,” said Fowler. “Call me old fashioned, but I remain skeptical of apps that are registered from a metro station in China or anywhere else.”
Data came from a number of dating apps, including Cougardating (a dating app for meeting cougars and spirited young men, according to the site); Christiansfinder (an app for Christian singles to find an ideal match online); Mingler (an interracial dating app); Fwbs (friends with benefits); and “TS” I can.
A security expert pointed out that misconfigured or leaky databases seem to be a common security theme of late.
“Leaky databases are getting a lot of attention lately,” noted Nabil Hannan, managing principal at Synopsys. “This buzz around databases that have been misconfigured and/or that are publicly available on the internet with sensitive data highlights the need for proper security configuration. Note that this need exists for all software and its various components.”
“In this particular case, there’s a lot of personal and private information that users trust dating sites with,” said Hannan. “Although the data that was leaked did not include anything sensitive, per se, it does have usernames (from which a person’s full name can often be inferred) along with age and location information.”
“This information may be enough to allow attackers to cause some level of damage depending on the type of information publicly available about the people whose data have been leaked,” he warned.
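The misconfiguration at the centre of this story, an Elasticsearch node reachable from the internet with no authentication, is something an operator can catch from the node's own settings before it ever goes live. The audit script below is an added example and is not code from this article, from Security Discovery or from Synopsys; it uses the real Elasticsearch settings `network.host`, `http.port`, `xpack.security.enabled` and `xpack.security.http.ssl.enabled`, assumes the file is in Elasticsearch's usual flat one-key-per-line style, and the three sample configurations in it are constructed for illustration rather than taken from the incident.

```python
"""Audit a flat elasticsearch.yml for the "reachable from the network, no auth" pattern.

Assumption: the file uses Elasticsearch's usual flat style, one dotted key per line
(for example `network.host: 0.0.0.0`), so a small line parser is enough and no YAML
library is needed.
"""

# Values of network.host that keep the HTTP API on the loopback interface only.
LOOPBACK_BINDS = {"_local_", "127.0.0.1", "::1", "localhost"}


def parse_flat_yaml(text: str) -> dict:
    """Parse `key: value` lines into a dict, ignoring blank lines and # comments."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and surrounding space
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")          # split at the first colon only ("::" is a value)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def is_truthy(value) -> bool:
    """Elasticsearch accepts several spellings of a boolean; normalise them."""
    return str(value).strip().lower() in {"true", "yes", "on", "1"}


def audit(settings: dict) -> list:
    """Return (severity, message) findings; an empty list means nothing was flagged."""
    findings = []
    host = settings.get("network.host", "_local_")   # Elasticsearch default: loopback only
    port = settings.get("http.port", "9200")         # Elasticsearch default HTTP port
    if host in LOOPBACK_BINDS:
        return findings                               # not reachable off-box, nothing to flag

    security = settings.get("xpack.security.enabled")
    if security is None:
        findings.append(("MEDIUM",
            f"network.host={host} is non-loopback and xpack.security.enabled is unset; "
            "on the basic licence before Elasticsearch 8 the default was disabled, so "
            "confirm the running version"))
    elif not is_truthy(security):
        findings.append(("HIGH",
            f"network.host={host} with xpack.security.enabled=false: anyone who can reach "
            f"port {port} can read and modify every index without credentials"))
    elif not is_truthy(settings.get("xpack.security.http.ssl.enabled", "false")):
        findings.append(("LOW",
            "authentication is on but xpack.security.http.ssl.enabled is not, so "
            "credentials cross the network in clear text"))
    return findings


def audit_text(text: str) -> list:
    """Convenience wrapper: parse then audit."""
    return audit(parse_flat_yaml(text))


# Constructed sample configurations (illustrative, not from the incident).
OPEN_CONFIG = """
cluster.name: dating-prod        # constructed name
network.host: 0.0.0.0            # listen on every interface
http.port: 9200
xpack.security.enabled: false    # no authentication at all
"""

HARDENED_CONFIG = """
cluster.name: dating-prod
network.host: 0.0.0.0
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

LOCAL_CONFIG = """
network.host: _local_            # loopback only; not reachable from the network
"""

if __name__ == "__main__":
    for name, cfg in (("open", OPEN_CONFIG), ("hardened", HARDENED_CONFIG), ("local", LOCAL_CONFIG)):
        print(f"{name:9s} -> {audit_text(cfg) or 'no findings'}")
```

The rule is deliberately conservative: any `network.host` other than loopback is treated as reachable, because whether a given address is actually exposed depends on firewalls and cloud security groups that the file cannot tell you about. Pair this with an external check of the listening port from outside the host, since a correct file does not help if a different configuration is what is really running.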
In 2016 Adult FriendFinder, a leading dating and sex website, confirmed it was investigating reports that it has been hacked…again.
The adult website admitted in 2015 that its systems had been breached by hackers, who leaked detailed personal information on millions of users.