Unsecured database leaked PII of 72,000 users of dating app Heyyo
Security researchers recently discovered an unprotected ElasticSearch cloud database owned by dating app Heyyo that exposed detailed personal information of all of the app’s 72,000 users to anyone with an Internet connection.
Not too long ago, GCHQ’s National Cyber Security Centre (NCSC) warned users of online services that they should limit the amount of personal information they share with online dating apps as such apps feature several vulnerabilities that may expose personally identifiable information of millions of users.
These vulnerabilities include poor security and lack of encryption during data transmission, lack of security in token-based authorisation processes, and vulnerabilities in several apps’ message history, particularly for Android users running outdated software.
By exploiting such vulnerabilities, attackers could strip away a user's anonymity by obtaining their personally identifiable information from such apps, and then blackmail them into paying to keep that data off the Internet, NCSC warned.
NCSC’s warnings rang true in August when security researchers at Pen Test Partners discovered that a popular dating app named 3Fun that allows “local kinky, open-minded people” to meet and interact, was leaking personal data and real-time locations of as many as 1.5 million users to third parties.
The researchers found that the app leaked near real-time location of users, dates of birth, sexual preferences, private pictures, privacy settings, and chat history of users to third parties. Anyone with an Internet connection could query the app’s API to obtain location data of a user.
Heyyo stored contact details, sexual preferences & social media links of users in an unprotected database
Recently, ZDNet reported that Heyyo, an online dating app, has also been exposing detailed personal information of all its 72,000 users by storing such details in an unprotected ElasticSearch database that can be discovered using search engines.
The unsecured database was discovered by security researchers at WizCase, who alerted ZDNet to its existence. After failing to obtain any response from the Istanbul-based software company behind the app, ZDNet approached Turkey's Computer Emergency Response Team (CERT), and the database was finally taken down.
According to researchers at WizCase, the ElasticSearch database contained names, email addresses, country, GPS locations, gender, dates of birth, dating history, profile pictures, phone numbers, occupations, sexual preferences, and links to social media pages of almost 72,000 users.
The database contained over 600MB of data which mainly belonged to users located in Turkey, Brazil, the United States, Africa, Germany, Portugal, and Spain, with a majority of such users being based in Turkey. It was installed on a Digital Ocean cloud-hosted server and its default setting required no authentication or password to gain entry.
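The failure described above, a cloud-hosted Elasticsearch node reachable from the Internet with no authentication, comes down to a handful of settings in elasticsearch.yml. The fragment below is an added illustration, not Heyyo's configuration: the first document shows the exposed pattern as it typically looks on a 7.x node with a basic licence (where security is off by default), the second the same node hardened. The private address and keystore path are assumed placeholders.

```yaml
# Exposed pattern (assumed reconstruction, NOT Heyyo's actual file).
# Bound to every interface; xpack.security.enabled left unset, which on
# Elasticsearch 7.x with a basic licence means authentication is off.
network.host: 0.0.0.0
discovery.type: single-node

---
# Hardened: same node, reachable only on the private interface the
# application host uses, with authentication and TLS required on the
# HTTP API and on node-to-node transport.
network.host: 10.0.0.5                 # assumed private address
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.http.ssl.keystore.path: certs/http.p12   # assumed path
xpack.security.transport.ssl.enabled: true
```

After enabling security, set the built-in user passwords with `bin/elasticsearch-setup-passwords interactive` and confirm that an unauthenticated request to port 9200 now returns HTTP 401 rather than cluster and index listings; an external firewall rule limiting 9200 to the application hosts is a second, independent control.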
Chase Williams, web security expert at WizCase, said that personal records stored in the unprotected database could be used by cyber criminals to commit identity theft, to use a stolen user profile to trick someone into revealing private information, to blackmail people, to target LGBT users in countries where homosexuality is a crime, and to phish users into revealing further details about themselves.
“Another unsecure Elasticsearch engine, another dating app data breach. Servers should never be left without authentication or a password. This is just basic cybersecurity hygiene but unfortunately for companies using default or misconfigured security settings, data breaches are becoming a regular occurrence and this is just the latest example,” says Robert Ramsden Board, VP EMEA at Securonix.
“The data leaked exposes users to a host of security threats, which could leave them vulnerable to scammers. Threats range from identity theft, catfishing, blackmail, sexual harassment to phishing. Users should be cautious about the information they share on dating apps and stay alert to any suspicious activity or interactions,” he adds.