A series of database misconfigurations publicly exposed the personal information and private messages of more than 100 million dating website and mobile app account holders.
Independent VPN review site WizCase has reported finding six separate dating sites or apps that each potentially compromised thousands of users due to improper data storage. According to WizCase researchers, the vast majority of the affected accounts belong to Japanese dating sites Charincharin.net and kyuun-kyuun.com, which share the same database.
Collectively, the two websites exposed data related to 102 million accounts, including email addresses, mobile device information and search preferences, WizCase said in a blog post. "Every server was easily accessible via the internet and not password protected," the report stated.
WizCase identified the other offending dating service providers as the U.S.- based CatholicSingles.com, TIKI (YESTIKI) from TIKI Interactive, and Blurry from Hyperity Corp, as well as SPYKX.com, operator of the South Korea Congdaq/Kongdak app. Depending on the dating service, exposed data includes names, home and email addresses, phone numbers, GPS data and activity logs. WizCase said it alerted all of the companies of the problem.
Dating services that fail to follow basic cyber hygiene practices can prove especially harmful to users due to the sensitive nature of the information they must sometimes share when creating out a profile or account.
“Despite hosting users’ more sensitive information, including private messages and partner preferences, dating apps continue to make headlines due to security issues," said Matt Rose, director of application security at Checkmarx. "As a general best practice, app users should stay with the most well-known and reputable apps and sites -- whether for dating or any other use case-- as they will often have a stronger track record of being stable and a more secure software backing."
"Companies that store their data in cloud environments need to have misconfigurations be the focus of the security conversation," said Casey Kraus, president of cloud security management provider Senserva, said: There is always a shared responsibility of security between the cloud provider and the company. Failure to ensure that your environment is secure will continue to put your company and your client's information as risk. It is said that 99 percent of data breaches in cloud environments happen due to customer misconfiguration, mismanagement, or mistakes.”
Colin Bastable, CEO of security awareness training company Lucy Security, speculated that ElasticSearch variety “are probably the primary sources of data leaks, because of misconfigurations when set up. For example, the front end UI is often secured with authentication, but admins forget that the default port 9200 is also visible and accessible online, meaning that unprotected ElasticSearch databases can leak data via the backdoor. Having built the database, the developers probably forgot all about patching it, focusing on the front end’s ease-of-use to drive user engagement and subscriber growth. Or perhaps the original architect is no longer employed. Regardless – they dropped the ball."
WizCase also reported finding six more unsecured servers containing dating service information, but the researchers have been unable to identify the rightful owners of these databases. "This information could’ve been collected through a process known as web scraping, but this could only explain some of the data, as parts of it do not appear to be from internet-facing web pages," the report states.
