Coffee Meets Bagel daters credentials among 617M records for sale on Dream Market cyber-souk

Those looking for love on Coffee Meets Bagel before May 2018 may have gotten more exposure than they were bargaining for – the online dating site confirmed on Valentine’s Day that it had been breached and that daters’ personal information may have been “acquired by an unauthorized party.”

“Receiving an email from a dating app informing you that your personal details have been hacked – it’s not the quite the Valentine’s Day surprise that anyone was hoping for,” said Jo O'Reilly, data privacy expert at “One thing digital daters shouldn’t have to worry about is the security of their data. This time Coffee Meets Bagel is adamant that it is only names and email addresses that have been stolen, but it could have been much worse.”

Coffee Meets Bagel’s email to customers “indicates that user email addresses and full names, which are generally not considered to be particularly sensitive information, were breached,” but while breaches of full names aren’t usually harmful, “users can be sensitive about their presence on dating apps,” said Jessica Ortega, website security analyst at SiteLock.

The data, which Coffee Meets Bagel said is part of a larger credential sell-off affecting 617 million accounts, is reportedly for sale on the dark web’s Dream Market cyber-souk. “It’s currently offline so we’ve been unable to confirm,” said Lastline Director of Threat Intelligence Andy Norton. “Essentially, these cybercriminals are trying to sell a list. Lists of personal information are one end of a malicious funnel, and the data is often bought by spammers and operators of credential stuffing tools.”

Most of the credentials came from data breaches occurring during 2018. The companies affected those breaches, such as Dubsmash, “may face fines up to four percent of annual global turnover or €20 million under GDPR for compromising the information of EU citizens, said Jonathan Bensen, interim CISO, Balbix. “What is concerning is that several breached sites failed to disclose these attacks, demonstrating that the companies either were unaware or decided to not reveal the incidents.”

Leaked credentials carry security implications beyond just the consumers to whom the information belongs. They “leave people vulnerable to account hijacking across all services where they recycle their usernames and passwords,” said Anurag Kahol, CTO and founder of Bitglass. “Unfortunately, this includes the corporate accounts they use for work purposes, meaning that their employers are also put at risk by their careless password habits.”

Noting that the responsibility for securing consumer information “belongs to the companies entrusted with it, DivvyCloud CTO ChrisDeRamus said, “organizations must balance their use of modern technologies (i.e. public cloud, containers, hybrid infrastructure, etc.) that are essential for maintaining a competitive market stance with the need for proper security controls.”

"Account records are not going away on the dark web. If anything, more credentials will be compromised and listed to be bought and sold by spammers to use in credential stuffing attacks. “While there are 16 companies involved in this breach of 620 million records specifically, every company not directly involved needs to be aware of the risks because people are consistently reusing passwords and usernames across multiple sites,” Arkose Labs CEO Kevin Gosschalk, who stressed that account records will continue to proliferate, be compromised and sold on the dark web.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.