[BreachExchange] 5 dating apps caught leaking millions of user-sensitive data
Destry Winant
destry at riskbasedsecurity.com
Wed Jul 8 10:39:16 EDT 2020
https://www.hackread.com/5-dating-apps-leak-millions-of-user-data/
All 5 apps were exposing user data due to database misconfiguration.
The IT researchers at WizCase recently discovered data leaks and
privacy breaches on 5 different dating apps in the US and East Asia.
These breaches showcased compromised user data and sensitive
information such as names, billing addresses, phone numbers, profiles,
and even private/direct messages.
Further information proved that the profiles leaked were in millions
and that Elasticsearch servers, MongoDB databases, and AWS buckets
were these databases were hosted got exposed to public access with no
password protection or security authentication.
Applications and sites involved in the data breach
1- CatholicSingles
According to WizCase’s blog post, in the US, CatholicSingles leaked
sensitive user information including their names, email addresses,
phone numbers, age, occupation, education, and billing address. Data
ensuing users’ physical characteristics like hair, eye color, and
internet activity have also been breached.
What is more alarming is that users’ payment methods were easily
accessible as well, putting them at risk. This dating site was
exclusively made for singles looking to find faith-based partners.
2- YESTIKI
Another dating application based in the United States, YESTIKI.com,
appears as TIKI interactive on the app store leaked 4300 user records
which culminate to 352MB via MongoDB server. The data breach included
users’ real names, phone numbers, GPS location, activity logs, and
much more.
3- Blurry
A South Korean app called Blurry exposed 70,000 records via the
Elasticsearch server. The app was installed by more than 50,000 users
and was available on the iTunes app store.
However, the breach ensued private messages exchanged using the
platform. Some of the messages contained confidential information such
as Instagram handles and phone numbers.
4- Congdaq/Kongdaq
Another South Korean application called Congdaq/Kongdaq created by
SPYKX.com exposed 123,000 (600MB) user records via the Elasticsearch
server. The data leak ensued users’ private yet sensitive information
including cleartext passwords, gender, date of birth, and GPS
location.
5- Charin and Kyuun
Additionally, two dating applications in Japan called Charin and
Kyuun, although it is suspected that they belong to the same company,
exposed 102,000,000 (57GB) customer records. Both applications have
similar designs and the breach ensues the same unprotected
Elasticsearch server.
The data exposed, includes users’ email addresses, cleartext
passwords, IDs, mobile device information, and their personal
preferences.
Further investigations pursued by WizCase revealed six additional
unsecured servers that exposed dating app users’ information. However,
they were unable to locate the origin. The company believes that the
data exposed and leaks could have been through a process called ‘web
scrapping.’
Web Scrapping is a process in which the information provided by users
is collected and stored. But this isn’t limited to websites the same
analogy applies to technologies and protocols as well.
Should you be worried?
Data breach be it minor, can easily turn into an unwanted menace. User
information exposed such as their preferences, location, and passwords
can become easy targets for perpetrators. Leaked data in the wrong
hands can posit huge risks such as identity theft, catfishing and
harassment by scammers and in worst cases lead to blackmail, stalking,
and email phishing.
How to keep your data secure?
The best way to secure your data is to be vigilant and mindful about
your data when you sign up on any website including dating
applications. Also, do not use the same password for every account or
social media handles.
Make sure to select passwords that are difficult or complex enough to
decipher. Besides this, the information you give out via these
applications should be minimum. Be wary of giving your home address,
phone numbers, or even your pictures.
More information about the BreachExchange
mailing list