The personal details of 3,688,060 users registered on the MobiFriends dating app have been posted online earlier this year and are now available for download.
The data was obtained in a security breach that took place in January 2019, according to a hacker who initially put the data up for sale on a hacking forum.
In the meantime, the MobiFriends data leaked last month in the public domain. The data is currently being broadly shared on numerous online forums, in some cases, as a free download.
While the data does not contain any private messages, images, or sexual-related content, the data does include other types of sensitive details, such as email addresses, mobile numbers, dates of birth, gender information, usernames, and app/website activity.
Furthermore, passwords are included, as well. Making matters worse, the passwords have been secured with MD5, a vary weak hashing function that can be easily cracked to obtain the password's initial cleartext version.
In a phone interview yesterday, Risk Based Security (RBS), the US cyber-security company that first spotted the data online last month, told ZDNet that they verified the validity of the data against the official MobiFriends website.
"Moreover, the data leak contains professional email addresses related to well-known entities including: American International Group (AIG), Experian, Walmart, Virgin Media, and a number of other F1000 companies," RBS said.
These users are now vulnerable to spear-phishing attacks or extortion attempts.
Furthermore, the username, email, and password combos obtained from this breach can also be used for brute-force attacks to target accounts on other websites where MobiFriends users might have reused credentials.
Details about how the MobiFriends hack and how the app's user data was obtained are currently unknown. It is unclear if the data was obtained after the hacker exploited a vulnerability in a server or API, or if MobiFriends left a database exposed online without a password.
MobiFriends, a Barcelona-based dating company founded in 2005, has remained silent on the incident and has not returned requests for comment from both ZDNet and RBS.
MobiFriends users are advised to change passwords on every account where they use the same login details as the MobiFriends app.