All 5 apps were exposing user data due to database misconfiguration.
Security researchers at WizCase recently discovered data leaks on five dating apps operating in the US and East Asia.
The exposed data included users' names, billing addresses, phone numbers, profile details, and even private (direct) messages.
In total, millions of records were exposed. The Elasticsearch servers, MongoDB databases, and AWS S3 buckets that hosted the data were reachable from the public internet with no password or any other form of authentication.
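The failure pattern described above is the usual one: a data store bound to a public interface with authentication switched off. As an added illustration that is not part of WizCase's report (the page does not say how the exposed servers were actually configured, and the IP addresses below are invented placeholders), these fragments show the weak setting beside the corrected one for MongoDB (`mongod.conf`) and Elasticsearch (`elasticsearch.yml`):

```yaml
# --- MongoDB: mongod.conf (WEAK) ---
# Listens on every interface and never asks for credentials, so anyone
# who can reach port 27017 can dump every collection.
net:
  bindIp: 0.0.0.0
  port: 27017
security:
  authorization: disabled
---
# --- MongoDB: mongod.conf (HARDENED) ---
# Bind only to loopback and the private application network, and
# require a user/role for every client connection.
net:
  bindIp: 127.0.0.1,10.0.0.5   # 10.0.0.5 is a placeholder private address
  port: 27017
security:
  authorization: enabled
---
# --- Elasticsearch: elasticsearch.yml (WEAK) ---
# Reachable from anywhere with security features off, so
# GET /_cat/indices or GET /<index>/_search answer without a password.
network.host: 0.0.0.0
xpack.security.enabled: false
---
# --- Elasticsearch: elasticsearch.yml (HARDENED) ---
# Private address only, security on, TLS on the HTTP API.
# (Since Elasticsearch 8.0 security is on by default; on 7.x it had
# to be enabled explicitly.)
network.host: 10.0.0.6            # placeholder private address
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
```

After applying either change, check from a host outside the network that anonymous access now fails: `curl -s -o /dev/null -w '%{http_code}' http://HOST:9200/_cat/indices` should return 401 rather than 200, and `mongosh --host HOST --eval 'db.adminCommand({listDatabases:1})'` should be refused. For the S3 side of the same problem, the bucket-level Block Public Access settings are the equivalent control.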
Applications and sites involved in the data breach
According to WizCase's blog post, in the US, CatholicSingles leaked sensitive user information including names, email addresses, phone numbers, age, occupation, education, and billing address. Data describing users' physical characteristics, such as hair and eye color, along with their internet activity, was also exposed.
More alarmingly, users' payment methods were accessible as well, putting them at direct financial risk. The site caters exclusively to singles looking for faith-based partners.
Another US-based dating application, YESTIKI.com (listed as TIKI interactive on the app store), leaked 4,300 user records, about 352 MB, from a MongoDB server. The exposed data included users' real names, phone numbers, GPS locations, activity logs, and more.
A South Korean app called Blurry exposed 70,000 records through an Elasticsearch server. The app had more than 50,000 installs and was available on the iTunes app store.
The exposed records included private messages exchanged on the platform, some of which contained personal details such as Instagram handles and phone numbers.
Another South Korean application, Congdaq/Kongdaq, created by SPYKX.com, exposed 123,000 user records (600 MB) through an Elasticsearch server. The leak included sensitive personal information such as cleartext passwords, gender, date of birth, and GPS location.
Charin and Kyuun
Finally, two Japanese dating applications, Charin and Kyuun, exposed 102,000,000 customer records (57 GB) from the same unprotected Elasticsearch server. Both apps have similar designs, and WizCase suspects they belong to the same company.
The exposed data includes users' email addresses, cleartext passwords, IDs, mobile device information, and personal preferences.
Further investigation by WizCase revealed six additional unsecured servers holding dating app users' information. The researchers were unable to determine who owned them, and believe the data may have been gathered through web scraping rather than leaked directly by the apps.
Web scraping is the automated collection of data that users have published or that a service returns, harvested in bulk and stored elsewhere. The technique is not limited to websites: any service or protocol that returns data can be scraped in the same way.
Should you be worried?
Even a minor data breach can have serious consequences. Exposed preferences, locations, and passwords give attackers ready material: leaked data in the wrong hands enables identity theft, catfishing and harassment by scammers, and in the worst cases blackmail, stalking, and targeted phishing. Cleartext passwords are especially dangerous, because anyone who reused them on another service has exposed that account too.
How to keep your data secure?
The best way to protect your data is to be deliberate about what you hand over when you sign up for any website, dating applications included. Never reuse the same password across accounts or social media handles.
Choose passwords that are long and hard to guess, and give these applications only the minimum information they require. Be wary of providing your home address, phone number, or even your pictures.