Blackmail Fears as Data Leak Exposes Dating App Users
Another unprotected Elasticsearch database has been found online, leaking the personal data of tens of thousands of dating app users.
Researcher Avishai Efrat of VPN comparison firm WizCase was able to access a database of around 77,000 users of Heyyo, a Turkey-based online dating service.
The 600MB of data contains a trove of sensitive personal information, including name, email address, country, date of birth, dating history, phone number, occupation, and even a link to social media profiles, all of which could be used in follow-on phishing or identity fraud attacks.
Given the sensitive nature of the dating app, the exposed details also include information which could be used to blackmail individuals, such as sexual orientation and preferences. If hackers found users of the app who are already married or in long-term relationships, that could also provide an opportunity to extort money from them.
Most of the affected users are from Turkey, where there’s a less forgiving climate for the LGBT community than in many western countries.
There were also a significant number of Heyyo users from the US and Brazil exposed in the leak, according to WizCase.
“Heyyo used an Elasticsearch engine, which is installed on a Digital Ocean cloud hosted server. The Elasticsearch default setting requires no authentication or password to gain entry,” explained the firm’s web security expert, Chase Williams.
“Servers should never be exposed like this to the open world. Password authentication, IP whitelisting, and additional monitoring would have greatly reduced the chances of such a data breach. Unfortunately, companies using default or misconfigured security settings for their databases is an all too common scenario these days.”
Automated cloud security tools can be used to detect, alert on and remediate misconfigurations like the one affecting Heyyo, according to DivvyCloud CTO, Chris DeRamus.
“Database misconfigurations have proven time and time again to be the Achilles’ heel of many organizations that have suffered data breaches this year, yet there are very simple and highly effective solutions available to prevent this,” he argued.