More Than 20 Million Files Have Been Leaked by 9 Different Dating Apps

Dating Apps Data Leak

To prove how dangerous unsecured databases could be, a group of researchers recently filled an Elasticsearch installation with dummy data, deliberately misconfigured it, and waited to see how long it would take for the hackers to find it and start scraping the information. The first attack was witnessed within eight hours of the database coming online, and over the next ten days, the honeypot was accessed on average eighteen times per day. These results should be particularly distressing for the users of a few niche dating apps who, as you might have guessed already, had some of their data stored in a poorly secured database.

At least nine dating apps exposed explicit user data in an unsecured S3 bucket

It's the latest in a very long line of discoveries made by VPNMentor's team of researchers led by Noam Rotem and Ran Locar. As a part of their massive web mapping project, they located an unsecured Amazon Web Services S3 bucket on May 24. In total, the database contained 20.4 million files weighing in at 845GB.

One of the interesting things about the database was that the personally identifiable information it exposed was limited. There were quite a lot of media files, however, and we're pretty sure that their owners would have liked them to remain private. There were many sexually explicit photos with faces visible on them, screenshots of chat conversations, voice messages, as well as details of financial transactions.

To protect the exposed users' privacy, the researchers decided not to poke through the data thoroughly, which means that it's impossible to correctly estimate the exact number of affected individuals. Rotem and Locar did say in their report, however, that hundreds of thousands and possibly millions of users are involved.

The data was leaked by multiple dating applications. The researchers' investigation led them to a company called "Cheng Du New Tech Zone," which was listed in the contacts section of multiple hookup applications on Google Play. The similarities in the apps' website design confirmed that they are most likely developed by the same group of people. Here's the list:

  • GHunt
  • Herpes Dating
  • SugarD
  • Casualx
  • BBW Dating
  • Xpal
  • Gay Daddy Bear
  • Cougary
  • 3somes

The experts are certain that these nine applications were involved in the breach, but they reckon that users of other apps by the same developer might also be affected.

The consequences of the leak could be horrific

The good news is, the data is no longer online. Two days after discovering the leaky bucket, the researchers used the contact form of one of the affected apps, and to their surprise, they received a reply almost immediately. VPNMentor's team responded to the request for more information by sending the URL of one of the databases. Despite the fact that the developer decided not to communicate further with the researchers, all the data was pulled offline within 24 hours. As of the time of writing, some of the apps appear to have been removed from Google Play as well.

This is all well and good, but needless to say, the developer shouldn't have made the mistake in the first place. As you can see, we're not talking about your typical Tinder competitors. The apps are aimed at people with specific sexual preferences and fetishes that could be stigmatized. Those who use them probably don't want to announce it publicly, and they certainly wouldn't want to expose the pictures and conversations they share with one another. If the data falls into the wrong hands, criminals could leak the images, dox the affected individuals, or extort them. Jobs could be lost, families could be broken, and reputations could be ruined.

Maintaining dating apps always carries a higher degree of responsibility. People trust these products with their most intimate secrets sometimes, and we can safely say that in the case of Cheng Du New Tech Zone's dating applications, their trust was misplaced. The only thing they can do now is hope that, despite the findings in the research paper we talked about in the first paragraph, no one other than VPNMentor's experts saw the explicit data.

By Duran
June 16, 2020
News
English
June 16, 2020
News

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

News

Researchers Found Fleeceware in 32 iOS Apps Installed by 3.5 Million Users

Information security terminology is an absolute nightmare. As things stand, there are far too many terms floating around, and the definitions are often quite fuzzy. Despite this, the infosec lingo expands further,... Read more

April 10, 2020
News

More Than 42 Million Dating App User Records Exposed by an Unprotected Database

People think that it's the job of vendors and service providers to protect their data from hackers. If we have to be especially pedantic and fastidious about the whole thing, we'd say that the wording isn't completely... Read more

June 3, 2019
News

LiveJournal Leaked 26 Million Records in 2014, and They Are Now Sold on the Dark Web

Even security experts can be wrong sometimes. As some of you may know, for the last few years, they've been arguing that there's no point in changing your password unless you're sure that it has been stolen. The... Read more

May 27, 2020
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.