More Than 42 Million Dating App User Records Exposed by an Unprotected Database
People tend to think that protecting their data from hackers is the job of vendors and service providers. Strictly speaking, that wording isn't quite accurate.
"Protecting" the data would mean eliminating every possible way of breaching it, which, as anyone interested in cybersecurity knows, is simply not possible. Realistically, what the people responsible for our data can do is make the attackers' job as difficult as possible. Some organizations are relatively good at this.
Recently, for example, cybercriminals broke through the security of the news aggregator Flipboard and made off with an as-yet-unknown number of login credentials. Because most of the passwords were securely hashed, the crooks cannot read them directly; cracking properly hashed passwords offline is possible, but slow and expensive, and just to be on the safe side, Flipboard is asking all its users to reset their passwords the next time they log in. This is how responsible service providers do it.
At the other end of the scale, you have developers who dump people's information on an internet-facing server that is not protected in any way. Over the last few months, researchers have discovered more than a few servers that were exposing users' data to anyone willing to look for it, and on May 25th, SecurityDiscovery.com researcher and journalist Jeremiah Fowler found the latest one.
Five dating apps expose millions of records
Shortly after discovering the offending Elasticsearch installation, Fowler saw several hints suggesting that he was looking at information collected by a dating app. A bit more digging, however, revealed that the data belonged to the users of not one but five different matchmaking services. The names are:
Curiously, the information available about these apps suggests that they are developed and distributed by completely different entities, and yet they store their users' data in the same database.
It's difficult to say whether they were all developed by the same people, but what is beyond doubt is that whoever is responsible for them has shown no interest in securing the leaky database. In fact, they don't seem to want to be contacted at all.
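"Not protected in any way" has a precise meaning for Elasticsearch: the REST API on port 9200 answers anyone who can reach it, so `GET /` returns the cluster banner and `GET /_cat/indices` lists every index and its document count. The script below is an added example (not code from the article or from Fowler's report) that checks a node you are authorised to test for exactly that condition and totals the exposed documents. It uses only the standard library, and the two sample responses embedded in it are constructed, not captured from the database discussed here.

```python
"""Check whether an Elasticsearch node answers without authentication.

Added example, not code from the original article or from Jeremiah Fowler's
report. Assumes the Elasticsearch REST API on its default port 9200. The
sample responses below are constructed so the classification logic can be
exercised offline.
"""
import json
import urllib.error
import urllib.request

# Constructed sample: what an unauthenticated node returns for GET /
SAMPLE_OPEN_ROOT = json.dumps({
    "name": "node-1",
    "cluster_name": "elasticsearch",
    "version": {"number": "6.8.0"},
    "tagline": "You Know, for Search",
})
# Constructed sample: GET /_cat/indices?format=json on the same node.
# The _cat API returns every field as a string, hence "docs.count": "..."
SAMPLE_OPEN_INDICES = json.dumps([
    {"index": "users_app_a", "docs.count": "10200000", "store.size": "2.1gb"},
    {"index": "users_app_b", "docs.count": "32300000", "store.size": "6.7gb"},
])


def classify(status, body):
    """Classify a response to GET / as 'open', 'auth-required' or 'not-elasticsearch'.

    401/403 means some authentication layer (X-Pack, a proxy) is in front of
    the node; a 200 carrying the cluster banner means anyone can query it.
    """
    if status in (401, 403):
        return "auth-required"
    try:
        doc = json.loads(body)
    except ValueError:
        return "not-elasticsearch"
    if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
        return "open"
    return "not-elasticsearch"


def summarize_indices(body):
    """Parse _cat/indices JSON; return (total_docs, [(index, docs), ...])."""
    rows = json.loads(body)
    # docs.count is null for closed indices, so treat missing values as 0
    counts = [(r["index"], int(r.get("docs.count") or 0)) for r in rows]
    return sum(n for _, n in counts), counts


def fetch(url, timeout=5):
    """GET url and return (status, body) without raising on 4xx/5xx."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def probe(base_url):
    """Probe a node you are authorised to test; return (verdict, total_docs)."""
    base = base_url.rstrip("/")
    verdict = classify(*fetch(base + "/"))
    if verdict != "open":
        return verdict, 0
    total, _ = summarize_indices(fetch(base + "/_cat/indices?format=json")[1])
    return verdict, total


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:9200"
    print(probe(target))
```

On the server side the fix is not to expose port 9200 in the first place: bind `network.host` to a private interface, put a firewall or authenticating reverse proxy in front of the node, and turn on the built-in authentication (`xpack.security.enabled: true`), which Elastic made free in the 6.8 and 7.1 releases.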
The Chinese connection
The database is hosted on a US-based server, and most of the people whose information is inside it are American. Yet, when Fowler looked at the Whois records for the apps' websites, he discovered that they might be coming from China. Unfortunately, this didn't bring him any closer to getting in touch with the developers and helping them secure people's data.
Some of the domains were privacy-protected, which means that there was no publicly available contact information for the owner. For others, the registration data was fake: one of the apps had an address linked to its domain that turned out to be a subway station in the Chinese city of Lanzhou. After realizing that he was unlikely to reach anyone who could take the exposed database offline, Fowler decided to publish the information and warn the apps' users, who probably don't suspect a thing. They do need to be alarmed.
It's time to start appreciating how important your username is
The database exposes a total of 42.5 million user records, and Jeremiah Fowler noted that none of them contains "PII". "PII" stands for personally identifiable information, and over the years experts have argued about exactly what the term covers. It's not difficult to see why.
The Elasticsearch database Fowler found, for example, holds no real names, passwords, street addresses, or other obviously revealing information. Each record contains only an IP address, an age, a location, and a username. According to his report, there weren't even any email addresses in there, which might prompt some people to breathe a sigh of relief. Note, though, that an IP address on its own is treated as personal data under the GDPR, and an IP address combined with a geolocation and an age already narrows a person down considerably.
As Fowler noted, however, things aren't that simple. Many people use nicknames to hide their real identity, but nicknames, like passwords, get reused, sometimes on websites that hold quite a lot of personal information. Using Google and some of the usernames from the unsecured database, Fowler managed to link records to real-world identities, and because he could cross-check the matches against the geolocation stored with each record, he had little doubt that his short research had yielded genuine results.
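The linking Fowler did by hand with a search engine is easy to mechanize, which is the point: a leak that "contains no PII" is still de-anonymizable if the handles are reused. The script below is an added example (not Fowler's code and not from the article) that joins leaked records of the shape described above to a set of public profiles on a normalized username, then uses the leaked geolocation to grade each match. Both datasets are constructed; the site names and handles are placeholders.

```python
"""Link pseudonymous leak records to public profiles via username reuse.

Added example, not part of the original article or Fowler's report.
LEAK mirrors the record shape the article describes (IP, age, location,
username; no name, no email). PUBLIC stands in for what a search engine
would surface for those handles. Both lists are constructed.
"""
import math
import re

LEAK = [
    {"username": "SkyWalker_88", "ip": "203.0.113.7", "age": 31, "lat": 40.71, "lon": -74.01},
    {"username": "quietcoder", "ip": "198.51.100.2", "age": 27, "lat": 34.05, "lon": -118.24},
    {"username": "john", "ip": "192.0.2.9", "age": 45, "lat": 41.88, "lon": -87.63},
]

PUBLIC = [
    {"handle": "skywalker88", "site": "example-forum", "name": "J. Doe", "lat": 40.73, "lon": -73.99},
    {"handle": "quietcoder", "site": "example-code-host", "name": "A. Nguyen", "lat": 51.51, "lon": -0.13},
    {"handle": "john", "site": "example-blog", "name": "John X", "lat": 41.88, "lon": -87.63},
]


def normalize(handle):
    """Fold case and drop separators so SkyWalker_88 and skywalker88 collide."""
    return re.sub(r"[^a-z0-9]", "", handle.lower())


def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres (haversine formula)."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp = p2 - p1
    dl = math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def link(leak, public, max_km=50.0, min_len=6):
    """Return one match per (leak record, public profile) sharing a handle.

    confidence is 'weak' for short, common handles (many people share them),
    'strong' when the public profile sits within max_km of the leaked
    location, and 'conflicting' when the locations disagree.
    """
    index = {}
    for p in public:
        index.setdefault(normalize(p["handle"]), []).append(p)
    matches = []
    for rec in leak:
        key = normalize(rec["username"])
        for p in index.get(key, []):
            dist = km_between(rec["lat"], rec["lon"], p["lat"], p["lon"])
            if len(key) < min_len:
                confidence = "weak"
            elif dist <= max_km:
                confidence = "strong"
            else:
                confidence = "conflicting"
            matches.append({
                "username": rec["username"],
                "site": p["site"],
                "name": p["name"],
                "km": round(dist, 1),
                "confidence": confidence,
            })
    return matches


if __name__ == "__main__":
    for m in link(LEAK, PUBLIC):
        print(f'{m["username"]:14} {m["site"]:18} {m["km"]:8.1f} km  {m["confidence"]}')
```

Run defensively, the same code answers the question the article ends on: feed it the handles you use on services you would rather keep private and see which of them already point at a public profile with your name on it.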
At least two lessons can be learned from this single data exposure. The first is that, if you're thinking of installing an application few people have heard of, you should take the time to do some research beforehand, and if the developer isn't sharing much information about who they are or how they handle data, think twice about whether you really need it. The second is that, especially on a service you don't want other people to know you use, you must make sure that your username, like your password, won't come back to haunt you: pick one you use nowhere else.