A misconfigured AWS S3 bucket was recently found containing up to 845 GB worth of information obtained from at least eight popular dating apps that were designed by the same developer and had hundreds of thousands of users worldwide.
The misconfigured AWS bucket was discovered by researchers Noam Rotem and Ran Locar at vpnMentor who noted that data stored in it was highly personal and sensitive as the data included users’ sexual preferences, their intimate pictures, screenshots of private chats, and audio recordings.
All the dating apps whose records were stored in the AWS bucket were built for people with alternative lifestyles and particular tastes and were named 3somes, CougarD, Gay Daddy Bear, Xpal, BBW Dating, Casualx, SugarD, GHunt, and Herpes Dating.
According to vpnMentor, because all these apps shared similar branding, web design, and logos across multiple app websites and listed “Cheng Du New Tech Zone” as the developer on the Google app store, the firm could confirm that the apps shared a common developer.
The misconfigured AWS bucket was discovered on 24th May and public access to it was closed by developers after vpnMentor reached out to them to report the exposure. While it is not clear how long the account was left open to public access, vpnMentor found that it contained photos with faces visible, users’ names, personal details, and financial data.
“For ethical reasons, we never view or download every file stored on a breached database or AWS bucket. As a result, it’s difficult to calculate how many people were exposed in this data breach, but we estimate it was at least 100,000s – if not millions,” the firm said.
It added that while data from dating and hookup apps are always sensitive and private, the users of the apps exposed in this data breach would be particularly vulnerable to various forms of attack, bullying, and extortion.
“While the connections being made by people on ‘sugar daddy,’ group sex, hook up, and fetish dating apps are completely legal and consensual, criminal or malicious hackers could exploit them against users to devastating effect. Using the images from various apps, hackers could create effective fake profiles for catfishing schemes, to defraud and abuse unwary users,” it added.
Going by a recent test carried out by researchers at Comparitech, it is highly likely that the exposed bucket was accessed by malicious hackers before it was discovered by researchers at vpnMentor.
Comparitech researchers set up a honeypot Elasticsearch database, put fake user data inside it, and left it publicly exposed to see who would connect to it and how they would try to steal, scrape, or destroy the data.
Between 11th May and 22nd May, the researchers observed as many as 175 cyber attacks targeting the unsecured database, with the first attack taking place a mere eight hours after the database was left exposed. On 16th May, the day the database was indexed by the Shodan IoT search engine, the database suffered as many as twenty-two attacks, two of them taking place within a minute after the database was indexed.
“It’s worth noting that over three dozen attacks occurred before the database was even indexed by search engines, demonstrating how many attackers rely on their own proactive scanning tools rather than waiting on passive IoT search engines like Shodan to crawl vulnerable databases,” wrote Paul Bischoff, privacy advocate at Comparitech.com.