[BreachExchange] Popular Marketing Tool exposes data of users of dating sites

Destry Winant destry at riskbasedsecurity.com
Tue Sep 15 10:24:26 EDT 2020 

https://securityaffairs.co/wordpress/108239/data-breach/dating-site-data-leak.html

Personal details of hundreds of users of dating sites were exposed
online earlier this month.

An Elasticsearch server containing personal details of hundreds of
thousands of dating site users were exposed online without
authentication.

The unsecured database was discovered by security researchers from
vpnMentor at the end of August.

“vpnMentor’s research team recently received a report from an
anonymous ethical hacker about a massive data leak exposing users of
over 70 adult dating and e-commerce websites from around the world.”
reads the post published by vpnMentor.

“The various websites were all using the same marketing software built
by email marketing company Mailfire — who was responsible for the
leak.”

The experts discovered that the database was containing copies of push
notifications that tens of online sites were sending to their users
via Mailfire’s push notification service.

The archive contains 882.1 GB of log files that were being updated in
real-time while the notifications were sent out to the users of more
than 70 dating sites. The database also contained data from some
e-commerce websites, the leak affected individuals from over 100
countries.

At the beginning of the investigation, the server’s database was
containing over 370 million records for 66 million individual
notifications sent in just 96 hours.

Data exposed in the notifications includes:

- Full names
- Age and date of birth
- Gender
- Email addresses
- Locations of senders
- IP addresses
- Profile pictures uploaded by users
- Profile bio descriptions

The leak also exposed messages between users of the impacted dating
sites that could include embarrassing relationships or sexual
interests.

Some of the notifications included in the archive contained links to
the user’s profile that also contained authentication keys. An
attacker could use these URLs to access a user’s profile on the dating
site without the knowledge of the password.

Leaked data could expose users to several malicious activities,
including scams, identity theft, blackmail and extortion, and of
course attack takeover.

Below the timeline of the discovery:

Data leak discovered: 31st August 2020
Vendors contacted: 3rd September 2020
Response received from Mailfire: 3rd September 2020
Server secured: 3rd September 2020
Client companies informed: 4th September 2020

More information about the BreachExchange mailing list