Database Contains Millions Of Dating App Records

A security researcher has discovered an unsecured online database that contains tens of millions of records from users of a number of different dating apps.

The discovery was made by researcher Jeremiah Fowler of SecurityDiscovery.com, who said that on 25 May he “discovered a non password protected Elastic database that was clearly associated with dating apps based on the names of the folders.”

The IP address of the database is located on a US server and, according to Fowler, a majority of the users appear to be Americans based on their user IP and geolocations. However, there are strong indications that the database is linked to China.

Dating data

The database contains account names, location, IP addresses, age and geolocation information, and Fowler said it “only took a few seconds to validate” people’s real identities.

“Like most people your online persona or user name is usually well crafted over time and serves as a unique cyber fingerprint,” wrote Fowler. “Just like a good password many people use it again and again across multiple platforms and services.”

“This makes it extremely easy for someone to find and identify you with very little information,” he wrote. “Nearly each unique username I checked appeared on multiple dating sites, forums, and other public places. The IP and geolocation stored in the database confirmed the location the user put in their other profiles using the same username or login ID.”

Fowler said that Security Discovery always tries to follow a responsible disclosure process, but in this case the only contact information that could be found was fake.

He did send two notifications to email accounts that were connected to the domain registration and one of the websites. A Whois domain registration search for ownership of the database revealed a Metro train station in China.

An associated phone number just gave a message that the phone was powered off.

“I am not saying or implying that these applications or the developers behind them have any nefarious intent or functions, but any developer that goes to such lengths to hide their identity or contact details raises my suspicions,” said Fowler. “Call me old fashioned, but I remain skeptical of apps that are registered from a metro station in China or anywhere else.”

Data came from dating apps including Cougardating (a dating app for meeting cougars and spirited young men, according to the site); Christiansfinder (an app for Christian singles to find an ideal match online); Mingler (interracial dating app); Fwbs (Friends with benefits); and “TS” I can.

Leaky databases

A security expert pointed out that misconfigured or leaky databases seem to be a common security theme of late.

“Leaky databases are getting a lot of attention lately,” noted Nabil Hannan, managing principal at Synopsys. “This buzz around databases that have been misconfigured and/or that are publicly available on the internet with sensitive data highlights the need for proper security configuration. Note that this need exists for all software and its various components.”

“In this particular case, there’s a lot of personal and private information that users trust dating sites with,” said Hannan. “Although the data that was leaked did not include anything sensitive, per se, it does have usernames (from which a person’s full name can often be inferred) along with age and location information.”

“This information may be enough to allow attackers to cause some level of damage depending on the type of information publicly available about the people whose data have been leaked,” he warned.

In 2016 Adult FriendFinder, a leading dating and sex website, confirmed it was investigating reports that it had been hacked… again.

The adult website admitted in 2015 that its systems had been breached by hackers, who leaked detailed personal information on millions of users.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
