[BreachExchange] Dating app suffers data leak exposing its entire userbase

Destry Winant destry at riskbasedsecurity.com
Fri Sep 27 10:00:06 EDT 2019


Online dating app Heyyo left a server exposed on the Internet without
a password. This leaky server, an Elasticsearch instance, exposed the
personal details belonging to nearly 72,000 users. Eve Maler of
ForgeRock weighs in.
Online dating app Heyyo's server was not password protected, and an
issue with the server led to the app's entire userbase being exposed
online. The data exposed included the following, according to ZDNet:
Names, Phone numbers, Email addresses, Dates of birth, Gender, Height,
Profile pictures and other images, Facebook IDs for users who linked
their profiles, Instagram IDs for users who linked their profiles,
Longitude and latitude, Who liked a user's profile, Liked profiles,
Disliked profiles, Superliked profiles, Blocked profiles, Dating
preferences, Registration and last active date, and Smartphone.
The unsecured server was discovered by security researchers at
WizCase. The greatest concern is that the exposed information included
user location (longitude and latitude), which bad actors could use to
stalk affected users.
Commenting on the data breach to Digital Journal, Eve Maler, vice
president of innovation & emerging technology, ForgeRock, says that
the type of server is noteworthy: "Heyyo joins Glynk as another dating
app to suffer from a significant data leak due to an exposed
Elasticsearch database."
She also notes the significance of the information: "The leaked user
data is more than enough information for hackers to launch
spear-phishing or extortion campaigns—where bad actors leverage users’
dating life and habits as blackmail—similar to the Ashley Madison
extortion scheme. This instance shows how in addition to cyber
threats, there are real-world, physical dangers that can result from
security issues."
In terms of lessons for businesses, Maler says security is key: "Many
Elasticsearch database breaches and leaks stem from organizations
leaving their servers unprotected with no password. However, with
cybercriminals constantly crafting and innovating sophisticated
attacks, an organization’s security efforts should not stop there."
In terms of enhanced security, she recommends: "Online dating services
and all other organizations need to take the extra step to safeguard
their databases by investing in comprehensive identity and access
management tools. By deploying a modern identity and access management
(IAM) solution that provides intelligent, contextual and continuous
security and has the capability of demanding further identity
validation after detecting abnormal behavior, like multifactor
authentication (MFA), companies can ensure the safety of their data
and maintain the trust of their users.”

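The failure described above is an Elasticsearch instance that answers read requests with no credentials at all. The check below is an added example, not code from the original post, from WizCase, or from Heyyo: it issues the same two unauthenticated GETs a researcher (or an attacker) would make, the root document and `/_cat/indices`, and classifies the host as open, authentication-required, or not Elasticsearch. It uses only the Python standard library. The fetcher is injectable so the example runs offline against constructed responses; the cluster name, index names and document counts in those responses are made up for illustration and are not taken from the incident.

```python
"""Probe an Elasticsearch endpoint for unauthenticated read access.

Added example; not part of the original post. Only probe hosts you are
authorized to test. Sample responses below are constructed, not captured
from any real server.
"""
import json
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# A fetcher takes an HTTP path and returns (status_code, response_body).
Fetcher = Callable[[str], Tuple[int, str]]

# The two read-only requests the check relies on. Both exist in every
# Elasticsearch release: "/" returns cluster metadata, "_cat/indices"
# lists indices; "h=" selects the columns, "format=json" makes it parseable.
ROOT_PATH = "/"
INDICES_PATH = "/_cat/indices?format=json&h=index,docs.count"


def http_fetch(base_url: str, timeout: float = 5.0) -> Fetcher:
    """Real fetcher: plain GET with no Authorization header or cookie."""
    def fetch(path: str) -> Tuple[int, str]:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Accept": "application/json"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:  # 401/403 arrive here
            return err.code, err.read().decode("utf-8", "replace")
    return fetch


def assess_exposure(fetch: Fetcher) -> Dict:
    """Classify the endpoint behind `fetch`.

    status:  'open'              -> cluster metadata and index list readable
                                    without credentials
             'auth_required'     -> 401/403 on either request
             'not_elasticsearch' -> root does not look like an ES node
    indices: [(name, doc_count), ...] for non-system indices when open
    total_docs: sum of those counts (a rough size of what is exposed)
    """
    empty = {"indices": [], "total_docs": 0}
    code, body = fetch(ROOT_PATH)
    if code in (401, 403):
        return {"status": "auth_required", **empty}
    try:
        root = json.loads(body)
    except ValueError:
        return {"status": "not_elasticsearch", **empty}
    if code != 200 or not isinstance(root, dict) \
            or "cluster_name" not in root or "version" not in root:
        return {"status": "not_elasticsearch", **empty}

    code, body = fetch(INDICES_PATH)
    if code in (401, 403):
        return {"status": "auth_required", **empty}
    indices: List[Tuple[str, int]] = []
    for row in json.loads(body):
        name = row.get("index", "")
        if name.startswith("."):       # skip system indices such as .kibana
            continue
        indices.append((name, int(row.get("docs.count") or 0)))
    return {"status": "open", "indices": indices,
            "total_docs": sum(n for _, n in indices)}


# Constructed sample responses for offline use (hypothetical cluster).
OPEN_RESPONSES = {
    ROOT_PATH: (200, json.dumps({"name": "node-1",
                                 "cluster_name": "example-dating-prod",
                                 "version": {"number": "6.8.0"}})),
    INDICES_PATH: (200, json.dumps([
        {"index": "users", "docs.count": "50000"},
        {"index": "likes", "docs.count": "120000"},
        {"index": ".kibana", "docs.count": "3"},
    ])),
}
LOCKED_RESPONSES = {
    ROOT_PATH: (401, json.dumps({"error": "missing authentication credentials",
                                 "status": 401})),
}


def fake_fetch(table: Dict[str, Tuple[int, str]]) -> Fetcher:
    """Fetcher that serves canned responses; unknown paths return 404."""
    return lambda path: table.get(path, (404, "{}"))


if __name__ == "__main__":
    # Usage: python es_check.py http://host:9200   (or no argument for the demo)
    fetch = http_fetch(sys.argv[1]) if len(sys.argv) > 1 else fake_fetch(OPEN_RESPONSES)
    print(json.dumps(assess_exposure(fetch), indent=2))
```

On a correctly configured cluster the first request already returns 401 and the check stops there; an "open" result with a non-empty index list is exactly the condition that let the researchers, and anyone else scanning port 9200, read the user data described above. The same two requests make a cheap recurring control: run it from outside your network against every Elasticsearch host you own and alert on anything other than auth_required.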