Research conducted by WizCase has revealed how servers associated with a number of dating sites and apps have been leaking the personal data of millions of users to third parties due to lax security protocols.
In July alone, the security firm found servers for 5 dating sites and apps around the world- namely CatholicSingles[.]com, Spyxx[.]com, Yestiki[.]com, Blurry dating app, as well as Charincharin.net and kyuun-kyuun.com that exposed the personal data of millions of users worldwide.
Personal details of users of dating sites and apps that were exposed included real names, billing addresses, email addresses, phone numbers, private messages, and other details. All of these details exposed users to blackmail attempts, identity theft, phishing scams, and stalking by cyber criminals and fraudsters.
The Amazon bucket associated with CatholicSingles[.]com leaked real names, email addresses, billing addresses, phone numbers, age, gender, occupation, and education details of thousands of U.S. citizens. The bucket exposed a total of 50,000 records that also included personal details like hair and eye colour, payment methods, and activity levels.
WizCase also found an ElasticSearch server associated with Spyxx[.]com that exposed 123,000 records that included email, cleartext passwords, phone numbers, dates of birth, gender, and education. Spyxx[.]com is the creator of Congdaq/Kongdak dating app which is used by South Korean netizens.
Blurry, another Korean dating app developed by hyperitycorp.com, was found leaking 70,000 data records that included private messages sent between users as well as personal information like Instagram handles and phone numbers
During their research, the researchers also stumbled upon a 352MB MongoDB server belonging to Yestiki[.]com that exposed 4,300 records including phone numbers, names, address and GPS location data of date venues, user ratings, activity logs, Foursquare secret key IDs, and more.
They also found a misconfigured ElasticServer that contained 102,000,000 records from two Japanese dating apps- Charin and Kyuun. The server leaked user IDs, mobile device information, email addresses and passwords, both hashed and cleartext.
The WizCase security team also found an additional 6 unsecured servers with information from different dating apps and sites but was not able to identify the owners of the servers. The servers stored information like names, city, gender, birthplace, age, education, income details, marital status, details of car and home and height. All this information was obtained from dating sites and apps like Zhenai, Say Love, Netease, Love Chat, and Companion.
Commenting on the discovery of a number of unsecured servers associated with dating sites and apps, Anurag Kahol, CTO of Bitglass, told TEISS that it does not take much effort for outsiders to find unsecured databases and access sensitive information. In fact, there are now tools designed to detect abusable misconfigurations within IT assets like ElasticSearch databases.
“Because of these tools (and the continued carelessness of companies when it comes to cybersecurity), abusing misconfigurations has grown in popularity as an attack vector across all industries. Such vulnerabilities can pose major threats to data security, data subject wellbeing, regulatory compliance, and brand reputation.
“Even companies with limited IT resources must take full responsibility for securing user data – there is no excuse for negligent security practices such as leaving databases exposed. As such, they must turn to flexible, cost-effective solutions that can prevent data leakage.
“For example, cloud access security brokers (CASBs) that boast features like cloud security posture management (CSPM), data loss prevention (DLP), user and entity behaviour analytics (UEBA), and encryption of data at rest. It is only with these types of capabilities that an enterprise can be certain that its data is truly safe,” he added.