Dating Apps Fail to Protect Their Clients Again: 6 Apps Leak Millions of Records

Six Dating Apps Leak Millions of Records

One of the things we love about the internet the most is the fact that we can find so much information on it. Curiously, one of the things we hate about the internet the most is also the fact that we can find so much information on it. Security researchers from WizCase, for example, recently discovered that anyone who knew where to look could find the personal details of users of six dating apps exposed in databases that weren't protected with a password and were accessible from anywhere in the world.

Five poorly secured databases leak millions of records full of personal information

The experts discovered three ElasticSearch installations, an Amazon S3 bucket, and a MongoDB database exposed to the internet and accessible without any form of authentication. Two of the vendors are US-based, two are located in South Korea, and one operates in Japan, and they all run dating websites and applications. Here are the names of the services and the data they leaked:

  • CatholicSingles.com – The S3 bucket weighed in at just 17MB and held a somewhat modest 50 thousand records. Most of the profiles appear to be banned, but the last recorded activity is recent, which goes to show that the leaked data is most likely valid. It includes things like names, email addresses, phone numbers, age, gender, occupation, billing addresses, payment methods, etc.

  • SPYKX.com – SPYKX.com is a South Korean vendor that develops and runs several different services. One of them is a dating application called Condaq/Kongdak, and for some reason, the developer has decided that it would be a good idea to put some of the app's user data on an unprotected ElasticSearch server. About 123 thousand records exposed 600MB worth of personal details, including email addresses, plaintext passwords, dates of birth, and even GPS data.

  • Tiki – Tiki is, allegedly, "a new kind of dating app," and according to its website, the user has control over the type of personal information potential dates get to see. This claim is especially ironic given the fact that Tiki's developer put some of the said information in a MongoDB database that was accessible with a simple browser. A little over 4 thousand records were exposed, and they included anything from user ratings and activity logs to names, phone numbers, date venues, etc.

  • Blurry – Blurry is a South Korean dating application that lets users blur the screen during video calls. It's supposedly aimed at users who are too shy to interact or are not very confident about their appearance, and you can only imagine how these people will feel when they learn that some of their private conversations were exposed by a poorly configured ElasticSearch server. The 70 thousand records didn't contain any personal details, but the leaked messages were full of WhatsApp numbers, Instagram handles, and other information that could expose the victim to all sorts of attacks.

  • Charin and Kyuun – Yet another misconfigured ElasticSearch database belongs to the developers of Charin and Kyuun – two Japanese apps that seem to be run by the same company. It was by far the biggest leak, with 57GB of exposed data and a little over 100 million records open to the public. Worryingly, in addition to user IDs, mobile device information, and search preferences, the database contained email addresses and passwords in plain text.

It was already a pretty substantial leak, but WizCase's investigation didn't stop there.

The experts couldn't identify the owners of a further six unprotected databases

The researchers discovered six more unsecured databases full of data. Once again, the users of dating services were affected, but this time, it appeared that the developers weren't responsible for the leak.

The experts did manage to link the data to several apps – Zhenai, Say Love, Netease, Love Chat, and Companion. They said, however, that the databases didn't contain any personally identifiable information and were most likely the result of web scraping. They also noted that cybercriminals can use the information in them to identify other publicly available profiles and potentially get access to more sensitive data.

What do users need to look out for?

It's never fun to see dating apps leaking user data. Although the services we're talking about today aren't as niche as the ones we discussed a few weeks ago, the affected individuals might not necessarily be keen on the whole world knowing that they are using them.

Unfortunately, since so many apps are involved, we have no way of knowing how many people are affected by the leaks. What we do know, however, is that if you've used any of the services mentioned in this article, you need to be quite a lot more careful than you usually are. The data in some of the databases can provide cybercriminals with everything they need to impersonate you and steal your online identity. What's more, they can use it to find more information about you and mount additional attacks.

Blackmailing attempts based on the fact that you're using a dating app are not out of the question in some cases, and the exposed plaintext passwords will almost certainly be used in credential stuffing attacks.
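The plaintext passwords mentioned in the Charin/Kyuun and SPYKX findings above, and the credential stuffing risk they create, are easiest to understand next to the storage pattern that would have blunted that part of the leak: a salted, slow password hash, so that a copied database yields nothing an attacker can replay against other sites. The following is an added example written for this article; it is not code from WizCase or from any of the apps named here. The record, email addresses, passwords and function names are all constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample of what an unauthenticated index exposes when the
# application stores the password as typed: the credential is reusable as-is.
PLAINTEXT_RECORD: Dict[str, str] = {"email": "user@example.com", "password": "hunter2"}

# PBKDF2-HMAC-SHA256 with a high iteration count (OWASP's 2023 guidance is
# 600,000 for SHA-256); any of argon2id, scrypt or bcrypt would do equally well.
ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>.

    A fresh random salt per user means two users with the same password get
    different stored values, so a leaked table cannot be cracked in bulk with
    one precomputed lookup.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, dklen=DKLEN)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations), dklen=DKLEN
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def store_user(email: str, password: str) -> Dict[str, str]:
    """Build the record the application should persist: no plaintext field at all."""
    return {"email": email, "password_hash": hash_password(password)}


def harden_record(record: Dict[str, str]) -> Dict[str, str]:
    """Convert a plaintext record of the kind the leak exposed into a hashed one.

    This is the one-off migration step; after it, the plaintext column is gone
    and a copy of the database no longer contains replayable credentials.
    """
    return store_user(record["email"], record["password"])


if __name__ == "__main__":
    hardened = harden_record(PLAINTEXT_RECORD)
    print("stored record:", hardened)
    print("login with correct password:", verify_password("hunter2", hardened["password_hash"]))
    print("login with wrong password:", verify_password("password", hardened["password_hash"]))
```

Note what the hardened record lacks: there is no value an attacker can paste into another site's login form, and each guess against a copied hash costs 600,000 HMAC rounds rather than one string comparison, which is what turns "leaked database" into "leaked but not immediately reusable". Hashing does nothing, of course, for the email addresses, GPS data and messages that were also exposed; those are only protected by putting authentication in front of the database in the first place.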

July 7, 2020