A dating site leaked over a million accounts because of shoddy security
Personal data from more than 1.5 million users of a dating site network that encourages its members to "have a fling" and "have an affair" has been found online.
The database, run by C&Z Tech Limited, a New Zealand-based dating company that runs a number of websites and mobile apps, like HaveAFling.mobi, HaveAnAffair.mobi, and HookUpDating.mobi, was found exposed on the open internet and without a password.
That data includes usernames and email addresses, passwords (stored in plain text), gender, dates of birth, profile photos, the country of residence. And other personal information like body type, height and weight (if a user chooses to enter it), desires, interests, race, turn-ons, the type of person a user is seeking to interact with, and whether the user smokes and drinks.
Many of the records also included short bios.
"I don't get out much," said one record. "In a relationship but need someone extra," said another. A third wastes no time: "Just looking to f**k." Many of the records we saw include WhatsApp or Snapchat usernames -- at least two we found had published phone numbers.
The company was quick to secure the data after it was alerted to the leak by the MacKeeper Security Research Center, but how it reacted was nothing short of dishonest and contemptible.
"While we acknowledge the data breach, but only a small number of users were affected," said Anton, an employee at the dating site, who did not provide his last name in his email.
"The data leak was from one of our test databases, the majority of data were dummy data and were randomly generated, and the vulnerability was immediately remediated," he added.
He said that passwords have been reset for the "small number" affected, and said they will be notified.
However, based on our analysis of the sample database that ZDNet obtained to verify its authenticity, we have no reason to believe that this is test or dummy data. A painstaking account-by-account analysis of a random selection of more than 300 records suggested that this was live user data.
We began reaching out to users. Many did not respond but a few did -- whose names we won't publish. And they were not happy.
In total, five people confirmed that the data we provided them was associated with their accounts, but not all could recall exactly when they signed up for the service. (One said that they signed up through an iPhone app back in May.)
"I remember signing up for something like that thinking it was similar to Tinder, but quickly realized it's not really the same. I thought I deactivated my account. It's very alarming to me that they stored that stuff in an unsecured database without a password," said one user.
The user emailed later to say that he was able to log in to his deactivated account.
He said it was "a bit disturbing" that the company held onto his data -- and that "you or anyone else were able to get my info if my account was already deactivated."
Three others confirmed their emails and passwords, but said nothing more.
Another simply forwarded a "security notice" from the company, which requires users to change their passwords, but did not say for what reason.
"We are upgrading our system for security reasons, therefore you are required to change your password asap," said the email. The email said that users should log in to the site first and change their passwords, unlike issuing a mandatory site-wide password reset like other sites and services will do if their service is breached (and even in cases where other sites are hit). If the database was compromised by a malicious actor, it would require no effort on their part to take over their account by simply logging in as that user.
When asked about these discrepancies, Anton did not respond to a follow-up email.
Not everyone on the site was there to look for a fling or an affair, but this incident hardly inspires confidence in the online dating scene -- particularly given the damaging Ashley Madison affair (no pun intended) -- which embarrassed thousands and broke up families. Even if the data was left online for a few hours, a leak is a leak. If security researchers can find it, there's no telling who else can.
It should go without saying: change your passwords. And, don't use low-grade dating sites that don't care about your privacy.