Security researchers from cybersecurity firm WizCase discovered misconfigured databases leaking millions of records belonging to five dating service providers in the U.S. and East Asia. WizCase stated that the leaky databases were hosted on Elasticsearch, MongoDB, and AWS bucket servers that were left accessible online without password protection.
A 17MB database of the U.S.-based dating service CatholicSingles.com exposed 50,000 user records, including names, contact details, email addresses, billing addresses, age, gender, occupation, and education details. Another U.S.-based dating site, Yestiki, exposed 43,000 records (352MB) that contained users’ names, contact details, addresses, GPS location data, user ratings, and activity logs.
The South Korean dating app SPYKX.com leaked over 37,000 users’ records (600MB) via an unprotected Elasticsearch server. The exposed data included emails, phone numbers, cleartext passwords, dates of birth, gender, education, and location data. The Japan-based dating apps Charincharin.net and kyuun-kyuun.com, owned by the same company, exposed 102 million user profiles, including users’ mobile device details, email addresses, and search preferences.
One more U.S.-based dating app, Blurry, leaked around 77,000 users’ private messages (3667MB), including social media and contact details.
In addition, WizCase’s security team discovered six more unsecured servers that contain information from different dating apps and sites. However, the researchers stated that the owners of the servers are yet to be found. “This information could have been collected through a process known as web scraping, but this could only explain some of the data, as parts of it do not appear to be from internet-facing web pages,” the researchers said.
Security Incidents from Dating Apps
Dating apps have been a prime target of hackers. Research by Kaspersky Lab revealed that dating apps transmit unencrypted user data over the insecure HTTP protocol, risking exposure of user data. According to the researchers, the vulnerability arose because the applications used third-party, ready-to-go advertising Software Development Kits (SDKs) that are popular among advertising networks. Attackers also used dating apps to infiltrate smartphones used by military personnel. Earlier, hackers honey-trapped U.K. Royal Air Force (RAF) personnel by hijacking an RAF airwoman’s Tinder profile. They also reached out to another RAF serviceman to get details of the F-35 stealth fighter from him.