Unprotected dating database exposes data of 2.3 million users

Researchers at VPNmentor have discovered an unprotected database exposing over 2.3 million records, the majority of which belong to users of the 419 Dating - Chat & Flirt app.

According to investigator Jeremiah Fowler, the non-password-protected database contained over 600 compressed server logs of user records including names, account numbers, email addresses, passwords and other sensitive information.

An analysis of a single server log contained:

• Email addresses including 236,681 Gmail addresses, 15,703 Yahoo Mail accounts, 3,872 iCloud addresses and others
• 959,571 media images including profile pictures and even sexually explicit images
• Over 500 profiles containing the word “escort” with associated phone numbers, email addresses and social media accounts
• Exposed Software Development Kit (SDK) files including packages or collections of software tools, libraries, documentation, and developer resources
• User profiles exposed names, email, geolocation and even health information (the existence of an STD)
• Other sensitive information including user IDs and passwords in plain text

The researcher said he noticed several accounts suggesting they belonged to users under 18, a clear violation of the platform’s terms and service that could lead to legal ramifications should the claims be verified.

What are the potential risks for users?

Leaky dating applications are a goldmine for cybercriminals and other digital miscreants and, given the sensitive nature of the exposed database, users may face significant privacy and security risks, including blackmail, phishing and other social engineering attacks, identity theft and fraud.

“Dating apps often require users to provide sensitive information, such as sexual preferences or health conditions,” Fowler explained. “This type of information could be used to discriminate against individuals or be used for blackmail purposes.”

The breach “could potentially put users at risk of targeted phishing attempts and scam attacks,” he said. “When combined with detailed user data, cybercriminals can launch highly targeted fraudulent messages or phishing emails that may put the app users at risk of financial losses or identity theft.”

Fowler said he also sent a disclosure notice to the app developer that quickly secured the database.

“The app used to be available on the Google Play Store but was removed shortly after my notification,” the report reads. “However, the app is still available on many other websites.”

Worried that unreported data leaks or breaches can impact your identity and digital security?

Take a look at Bitdefender Digital Identity Protection to instantly find out if your data has been leaked in a breach, what type of information was compromised, what risks you face, and whether your information is for sale on the Dark Web.