[BreachExchange] Happy Valentine's Day: your dating app account was hacked, says Coffee Meets Bagel

Destry Winant destry at riskbasedsecurity.com
Fri Feb 15 01:43:47 EST 2019


https://techcrunch.com/2019/02/14/happy-valentines-day-your-dating-app-account-was-hacked-says-coffee-meets-bagel/

Good news for love-seekers this Valentine’s Day. In a bit of odd
timing, users of the dating app Coffee Meets Bagel woke up this
morning to find an email in their inboxes warning that their account
information had been stolen by a third party who gained unauthorized
access to the company’s systems.

The email keeps most details about the situation vague, saying only
that some data from users’ accounts “may” have been acquired by a
third party who gained access to a partial list of user details. It
doesn’t say how that breach occurred, or how many users were affected.

This breach was discovered as part of a larger data dump of some 617
million account details, which recently went up for sale on the dark
web. According to the seller, the stolen account databases came from a
number of sites, including Dubsmash, MyFitnessPal, MyHeritage,
Whitepages, Animoto, HauteLook, 500px, and several others.

The Coffee Meets Bagel breach reportedly included 673MB of data taken
in late 2017 and mid-2018. Earlier reports indicated that it could
include a name, email, age, registration data and gender.

According to the Coffee Meets Bagel email sent out to users overnight,
however, the affected information only included names and emails prior
to May 2018.

The company also reminded users that it never stores any financial
information or passwords, which means the impact of this particular
breach is relatively minor. Names paired with email addresses are
still enough for targeted phishing, though, which is why the notice's
warning about unsolicited messages matters. (In fact the most
newsworthy thing about it could be why the company chose to disclose
the breach today of all days!)

Coffee Meets Bagel says it’s now taking several steps to better
protect its community going forward, including the hiring of forensic
security experts to audit its systems and infrastructure, and its
vendor and external systems. In addition, the company notes it’s still
monitoring for suspicious activity and engaged with law enforcement
about the incident. And it’s working to enhance its systems to better
detect and prevent unauthorized access in the future.

Users were reminded to be extra cautious about any unsolicited
communications that ask for personal data or direct them to a web page
where personal data is collected. But user passwords were not being
proactively reset, according to this notice.

Coffee Meets Bagel isn’t the only dating app under attack as of late.
This week, TechCrunch’s Zack Whittaker reported that many users were
complaining their OKCupid accounts had been hacked, as well.

However, OKCupid denied a security breach had taken place. That means
those account takeovers could be the result of hackers using login
information they discovered by way of some other breach – that is,
users had re-used the same email/password combination when signing up
for OKCupid as had been leaked through another attack on another site.
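The pattern described above, one source trying a leaked email/password list against many different accounts, leaves a distinctive footprint in authentication logs: a single source address cycling through many distinct accounts in a short window with a high failure ratio, while the few successes are the reused passwords. The following detector is an added example, not code from TechCrunch, OKCupid or Coffee Meets Bagel; the log format, field names and the sample events are constructed here for illustration, and the thresholds are assumptions to tune per site. It also contrasts two benign shapes that a naive "many failures from one IP" rule would misfire on: one user repeatedly mistyping their own password, and an office NAT address where many different people log in successfully.

```python
"""Credential-stuffing detection over login events (added example; constructed data)."""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoginEvent:
    ts: datetime
    src_ip: str
    email: str
    success: bool


# Assumed log format (constructed for this example): "<ISO8601Z> <src_ip> <email> <OK|FAIL>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")

# Constructed sample log: one stuffing run (203.0.113.7), one user who keeps
# mistyping their own password (198.51.100.20), and an office NAT (192.0.2.33).
SAMPLE_LOG = """\
2019-02-12T03:00:01Z 203.0.113.7 alice@example.com FAIL
2019-02-12T03:00:02Z 203.0.113.7 bob@example.com FAIL
2019-02-12T03:00:03Z 203.0.113.7 carol@example.com OK
2019-02-12T03:00:04Z 203.0.113.7 dave@example.com FAIL
2019-02-12T03:00:05Z 203.0.113.7 erin@example.com FAIL
2019-02-12T03:00:06Z 203.0.113.7 frank@example.com FAIL
2019-02-12T03:00:07Z 203.0.113.7 grace@example.com FAIL
2019-02-12T03:00:08Z 203.0.113.7 heidi@example.com FAIL
2019-02-12T03:10:00Z 198.51.100.20 alice@example.com FAIL
2019-02-12T03:10:05Z 198.51.100.20 alice@example.com FAIL
2019-02-12T03:10:09Z 198.51.100.20 alice@example.com FAIL
2019-02-12T03:10:30Z 198.51.100.20 alice@example.com OK
2019-02-12T08:59:00Z 192.0.2.33 ivan@example.com OK
2019-02-12T08:59:10Z 192.0.2.33 judy@example.com OK
2019-02-12T08:59:20Z 192.0.2.33 mallory@example.com OK
2019-02-12T08:59:30Z 192.0.2.33 niaj@example.com OK
2019-02-12T08:59:40Z 192.0.2.33 olivia@example.com OK
2019-02-12T08:59:50Z 192.0.2.33 peggy@example.com FAIL
"""


def parse_line(line: str) -> LoginEvent:
    """Parse one log line into a LoginEvent; reject anything that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, ip, email, result = m.groups()
    return LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, email.lower(), result == "OK")


def parse_log(text: str) -> list[LoginEvent]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_accounts=5, min_fail_ratio=0.8):
    """Return {src_ip: (distinct_accounts, attempts, failures)} for every source IP
    that, within any sliding `window`, tried at least `min_accounts` distinct
    accounts with a failure ratio of at least `min_fail_ratio`.
    Thresholds are assumptions for the example; tune them to the site's traffic."""
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.src_ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        win = deque()
        for e in evs:
            win.append(e)
            while e.ts - win[0].ts > window:      # drop events older than the window
                win.popleft()
            accounts = {w.email for w in win}
            failures = sum(1 for w in win if not w.success)
            if len(accounts) >= min_accounts and failures / len(win) >= min_fail_ratio:
                prev = flagged.get(ip)
                if prev is None or len(accounts) > prev[0]:   # keep the widest hit
                    flagged[ip] = (len(accounts), len(win), failures)
    return flagged


def compromised_accounts(events, flagged) -> list[str]:
    """Accounts that a flagged source logged into successfully: the reused
    passwords that worked, and therefore the ones to force-reset first."""
    return sorted({e.email for e in events if e.src_ip in flagged and e.success})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = detect_credential_stuffing(evs)
    print("flagged sources:", hits)
    print("accounts to reset:", compromised_accounts(evs, hits))
```

The per-source sliding window is what separates stuffing from a brute-force attack on one account or a busy NAT: the first has many accounts and mostly failures, the second has one account, and the third has many accounts but mostly successes. The successful logins from a flagged source are the accounts whose passwords were reused from some other breach, which is the list a site would want to reset even when, as here, its own password database was never taken.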

We’ve asked Coffee Meets Bagel if it would disclose how many accounts
were impacted and other details. We’re told that approximately 6
million users were impacted.

A spokesperson also offered the following comment:

“With online dating, people need to feel safe. If they don’t feel
safe, they won’t share themselves authentically or make meaningful
connections. We take that responsibility seriously, so we informed our
community as soon as possible—regardless of what calendar date it fell
on—about what happened and what we are doing about it.”

Coffee Meets Bagel is one of the smaller dating apps with nearly 7
million installs as of December, according to data from Sensor Tower.
But its popularity is still growing. The company had grossed over $25
million by the end of last year, with users spending $900,000 in the
app in November 2018, up 30 percent over the year prior.

The startup has raised just under $20 million and has more recently
been trying to position itself as an “anti-Tinder” by focusing on
richer profiles that emphasize the text, not just the photos, and
changes to how conversations work.

The full email from Coffee Meets Bagel is below:

Hello,

We recently discovered that some data from your Coffee Meets Bagel
account may have been acquired by an unauthorized party. We would like
to make sure you have the facts about what happened, what information
was involved, and the steps we are taking to help protect you.

What happened?
On February 11, 2019, we learned that an unauthorized party gained
access to a partial list of user details. Once we became aware, we
quickly took steps to determine the nature and scope of the problem.

What information was involved?
The affected information only includes your name and email address
prior to May 2018. As a reminder, we never store any financial
information or passwords.

What are we doing?
We have taken steps to protect our community, including the following:

• We have engaged forensic security experts to conduct a review of our
systems and infrastructure.
• Vendor and external systems are being audited and reviewed to ensure
there are no compliance issues or third party breaches.
• We continue to monitor for suspicious activity and we are
coordinating with law enforcement authorities regarding this incident.
• We continue to make enhancements to our systems to detect and
prevent unauthorized access to user information.

What you can do
As always, we recommend you take extra caution against any unsolicited
communications that ask you for personal data or refer you to a web
page asking for personal data. We also recommend avoiding clicking on
links or downloading attachments from suspicious emails.

The security of your information is important to us, and we apologize
for any inconvenience this may have caused you. As always, if you have
any questions or need any additional information, please do not
hesitate to contact us at contact at coffeemeetsbagel.com

