More Than 20 Million Files Have Been Leaked by 9 Different Dating Apps
To prove how dangerous unsecured databases can be, a group of researchers recently filled an Elasticsearch installation with dummy data, deliberately misconfigured it, and waited to see how long it would take for attackers to find it and start scraping the information. The first attack was witnessed within eight hours of the database coming online, and over the next ten days, the honeypot was accessed on average eighteen times per day. These results should be particularly distressing for the users of a few niche dating apps who, as you might have guessed already, had some of their data stored in a poorly secured database.
At least nine dating apps exposed explicit user data in an unsecured S3 bucket
It's the latest in a very long line of discoveries made by VPNMentor's team of researchers led by Noam Rotem and Ran Locar. As a part of their massive web mapping project, they located an unsecured Amazon Web Services S3 bucket on May 24. In total, the database contained 20.4 million files weighing in at 845GB.
One of the interesting things about the database was that the personally identifiable information it exposed was limited. There were quite a lot of media files, however, and we're pretty sure that their owners would have liked them to remain private. There were many sexually explicit photos with faces visible on them, screenshots of chat conversations, voice messages, as well as details of financial transactions.
To protect the exposed users' privacy, the researchers decided not to poke through the data thoroughly, which means that it's impossible to correctly estimate the exact number of affected individuals. Rotem and Locar did say in their report, however, that hundreds of thousands and possibly millions of users are involved.
The data was leaked by multiple dating applications. The researchers' investigation led them to a company called "Cheng Du New Tech Zone," which was listed in the contacts section of multiple hookup applications on Google Play. The similarities in the apps' website design indicated that they were most likely developed by the same group of people. Here's the list:
- Herpes Dating
- BBW Dating
- Gay Daddy Bear
The experts are certain that these nine applications were involved in the breach, but they reckon that users of other apps by the same developer might also be affected.
The consequences of the leak could be horrific
The good news is, the data is no longer online. Two days after discovering the leaky bucket, the researchers used the contact form of one of the affected apps, and to their surprise, they received a reply almost immediately. VPNMentor's team responded to the request for more information by sending the URL of one of the databases. Despite the fact that the developer decided not to communicate further with the researchers, all the data was pulled offline within 24 hours. As of the time of writing, some of the apps appear to have been removed from Google Play as well.
This is all well and good, but needless to say, the developer shouldn't have made the mistake in the first place. As you can see, we're not talking about your typical Tinder competitors. The apps are aimed at people with specific sexual preferences and fetishes that could be stigmatized. Those who use them probably don't want to announce it publicly, and they certainly wouldn't want to expose the pictures and conversations they share with one another. If the data falls into the wrong hands, criminals could leak the images, dox the affected individuals, or extort them. Jobs could be lost, families could be broken, and reputations could be ruined.
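As an added illustration (not from the article or from VPNMentor's report), the Python below checks the three S3 settings that decide whether a bucket like the one described is reachable by anyone: the bucket policy, the bucket ACL, and the Block Public Access flags. The sample policies, bucket name, account ID and role ARN are constructed placeholders.

```python
import json

# Grantee URIs that make an S3 ACL world-readable (real AWS group URIs).
PUBLIC_GRANTEE_URIS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                       "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
# The four S3 Block Public Access flags; all should be enabled on the bucket.
PUBLIC_ACCESS_BLOCK_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
                             "BlockPublicPolicy", "RestrictPublicBuckets")

def principal_is_public(principal):
    """True if a statement's Principal is the wildcard, i.e. anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_json):
    """Sids of unconditioned Allow statements that any principal can use."""
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    return [s.get("Sid", f"statement[{i}]") for i, s in enumerate(statements)
            if s.get("Effect") == "Allow" and principal_is_public(s.get("Principal"))
            and not s.get("Condition")]

def public_acl_grants(grants):
    """Permissions an ACL hands to the AllUsers / AuthenticatedUsers groups."""
    return [g["Permission"] for g in grants
            if g.get("Grantee", {}).get("URI") in PUBLIC_GRANTEE_URIS]

def public_access_block_gaps(config):
    """Block Public Access flags that are missing or disabled."""
    return [flag for flag in PUBLIC_ACCESS_BLOCK_FLAGS if not config.get(flag, False)]

# Constructed sample: the weak shape (world-readable objects, no Block Public Access).
WEAK_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-uploads/*"}]})
WEAK_ACL = [{"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"}]
# Constructed hardened counterpart: one IAM role may read, all four flags enabled.
SAFE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-uploads/*"}]})
SAFE_BLOCK = {flag: True for flag in PUBLIC_ACCESS_BLOCK_FLAGS}
```

In a real account the same three inputs come from the S3 GetBucketPolicy, GetBucketAcl and GetPublicAccessBlock API calls; any non-empty result from these checks is a bucket worth treating as public.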
Maintaining dating apps always carries a higher degree of responsibility. People trust these products with their most intimate secrets sometimes, and we can safely say that in the case of Cheng Du New Tech Zone's dating applications, their trust was misplaced. The only thing they can do now is hope that, despite the findings in the research paper we talked about in the first paragraph, no one other than VPNMentor's experts saw the explicit data.