Popular Marketing Tool exposes data of users of dating sites

Personal details of hundreds of users of dating sites were exposed online earlier this month.

An Elasticsearch server containing personal details of hundreds of thousands of dating site users were exposed online without authentication.

The unsecured database was discovered by security researchers from vpnMentor at the end of August.

“vpnMentor’s research team recently received a report from an anonymous ethical hacker about a massive data leak exposing users of over 70 adult dating and e-commerce websites from around the world.” reads the post published by vpnMentor.

“The various websites were all using the same marketing software built by email marketing company Mailfire — who was responsible for the leak.”

The experts discovered that the database was containing copies of push notifications that tens of online sites were sending to their users via Mailfire’s push notification service.

The archive contains 882.1 GB of log files that were being updated in real-time while the notifications were sent out to the users of more than 70 dating sites. The database also contained data from some e-commerce websites, the leak affected individuals from over 100 countries.

At the beginning of the investigation, the server’s database was containing over 370 million records for 66 million individual notifications sent in just 96 hours.

Data exposed in the notifications includes:

• Full names
• Age and date of birth
• Gender
• Email addresses
• Locations of senders
• IP addresses
• Profile pictures uploaded by users
• Profile bio descriptions

The leak also exposed messages between users of the impacted dating sites that could include embarrassing relationships or sexual interests.

Some of the notifications included in the archive contained links to the user’s profile that also contained authentication keys. An attacker could use these URLs to access a user’s profile on the dating site without the knowledge of the password.

Leaked data could expose users to several malicious activities, including scams, identity theft, blackmail and extortion, and of course attack takeover.

Below the timeline of the discovery:

• Data leak discovered: 31st August 2020
• Vendors contacted: 3rd September 2020
• Response received from Mailfire: 3rd September 2020
• Server secured: 3rd September 2020
• Client companies informed: 4th September 2020

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, dating sites)

[adrotate banner=”5″]

[adrotate banner=”13″]