The breach took place due to a misconfigured AWS bucket.
VpnMentor’s security research team, headed by Noam Rotem and Ran Locar, has discovered an unprotected database online containing sensitive data of members of at least 9 dating and hookup apps.
The exposed data comprises sexually explicit images, private conversations, audio recordings, and other types of sensitive data.
Dating apps affected by this leak include:
Gay Daddy Bear
Researchers identified that unprotected AWS (Amazon Web Services) buckets are responsible for this massive data breach, in which more than 20 million files (845 GB worth of data) containing sensitive information of hundreds of thousands of dating app users were compromised.
All the files were stored in a single, shared AWS bucket. The database was discovered on May 24 and was secured by May 27.
The team also identified that all the apps shared the same origin, and many of them listed Cheng Du New Tech Zone as the app developer on Google Play.
Although researchers claim that personally identifiable information wasn’t part of the leaked data, cyber criminals can identify a user from the photos and other information. Moreover, some of the leaked images are screenshots of financial transactions that can be used to launch a variety of fraud schemes.
There is no evidence that the data was accessed by a third party, but it is enough to commit extortion or fraud or launch viral attacks against the users.
“Photos with visible faces, users’ names, personal and financial data … could all be used to unmask an individual.”
“Using the images from various apps, hackers could create effective fake profiles for catfishing schemes, to defraud and abuse unwary users,” researchers noted in their blog post.
The exposed data belonged to niche dating apps developed for people with unusual dating preferences and fetishes such as queer dating or group sex. One of the apps was built mainly for people suffering from herpes and other types of STIs.
The team claims that this wasn’t a data hack per se but a “careless way of storing sensitive information online.”
This, however, is not the first time a misconfigured AWS bucket has exposed such a trove of sensitive data online. A couple of weeks ago, popular Spanish e-learning platform 8Belts had its AWS database containing personal data on more than 100,000 users leaked online.
In another incident, Bharat Interface for Money (BHIM), India’s emerging new e-payments platform, had exposed sensitive financial data of around 7 million Indians on an AWS S3 bucket.
Last month, Brazil’s cosmetics giant Natura leaked 192 million records with payment data of its customers. The database was also hosted on an exposed AWS bucket.
The list of mishaps involving AWS goes on…