An unsecured Elastic database seemingly owned by an entity in China has exposed 42.5 million records of dating app users, most of them American.
“The strange thing about this discovery was that there were multiple dating applications all storing data inside this database,” security researcher Jeremiah Fowler, who discovered the database, wrote in a blog post. “Upon further investigation I was able to identify dating apps available online with the same names as those in the database.”
Fowler said he was struck by the oddity “that despite all of them using the same database, they claim to be developed by separate companies or individuals that do not seem to match up with each other.”
One of the sites’ Whois registration “uses what appears to be a fake address and phone number. Several of the other sites are registered private and the only way to contact them is through the app (once it is installed on your device),” he said.
Fowler was able to quickly and easily find many of the users’ real identities. “The dating applications logged and stored the user’s IP address, age, location, and user names,” he wrote. “Like most people your online persona or user name is usually well crafted over time and serves as a unique cyber fingerprint.”
Users often use their usernames on multiple platforms and sites, making it easy to track down and identify them. “Nearly each unique username I checked appeared on multiple dating sites, forums, and other public places,” Fowler said. “The IP and geolocation stored in the database confirmed the location the user put in their other profiles using the same username or login ID.”
The security researcher had no evidence that the apps or their developers had “any nefarious intent or functions, but any developer that goes to such lengths to hide their identity or contact details raises my suspicions,” he wrote. “Call me old fashioned, but I remain skeptical of apps that are registered from a metro station in China or anywhere else.”
Noting the “buzz” around leaky databases, Nabil Hannan, managing principal, financial services, at Synopsis, called for heightened security configurations.
“In this particular case, there’s a lot of personal and private information that users trust dating sites with,” said Hannan. “Although the data that was leaked did not include anything sensitive, per se, it does have usernames (from which a person’s full name can often be inferred) along with age and location information” and “may be enough to allow attackers to cause some level of damage depending on the type of information publicly available about the people whose data have been leaked.”