[BreachExchange] Rela, Chinese Lesbian Dating App, Exposed Personal Data of 5.3 Million User Profiles

Destry Winant destry at riskbasedsecurity.com
Mon Apr 1 09:10:11 EDT 2019


https://www.technadu.com/rela-chinese-dating-app-exposed-data-5-million-users/63131/

- Rela has left a server unprotected since last summer, exposing 5.3
million user profiles of their platform.
- Homosexuality in China is legal but still seen with great
conservatism, so the risk for the exposed individuals is high.
- The identities of the users remain protected, but there’s enough
information to identify them, including highly private data.

A personal information leak is always a bad incident for those
affected, but when the leaked data exposes you to danger and social
discrimination, the problem doubles. Rela, a popular Chinese dating
app for homosexual women, should have made a much more responsible
effort to secure its users' profile information, as it has exposed
5.3 million of them. The discovery was made by security researcher
Victor Gevers, who found one of the company's servers accessible
without password protection. According to the researcher, the
database has been exposed since June 2018, but he made the discovery
only last week.

Each of the 5.3 million profiles contained on the server in question
includes the user's nickname, date of birth, ethnicity, sexual
orientation and preferences, height, weight, and general interests.
For many of these profiles, there is also precise geolocation data
(depending on the account settings) and their private "moments", or
status updates. As Gevers told TechCrunch, which was the first to
receive the tip: "The privacy of five-plus million LGBTQ+ people face
a lot of social challenges in China because there are no laws
protecting them from discrimination. This data leak that has been
open for years makes it even more damaging for the people involved
who were exposed."

Homosexuality in China was legalized in 1997 and declassified as a
mental illness in 2001, but LGBT protection laws have not yet been
established in the country. Same-sex couples cannot seek legal
protection against discrimination, cannot marry, and do not have the
right to adopt children. With anti-discrimination provisions missing
from the Chinese Constitution, the people whose profiles were leaked
now face a host of problems, from risking their employment to
bullying, being banned from personal expression platforms, and even
no longer being permitted to donate or receive blood.

Rela was even bashed in May 2017 by the Chinese authorities, and, as
reported by the BBC, conservatism in the country led to its
unofficial shutdown. Following a move to a new cloud provider, the
app returned in May 2018, and the unprotected server has remained
misconfigured since then. Rela responded by stating that the server
is now protected, but provided no further details or explanations.
