Popular Marketing Tool exposes data of users of dating sites

Personal details of hundreds of users of dating sites were exposed online earlier this month.

An Elasticsearch server containing personal details of hundreds of thousands of dating site users were exposed online without authentication.

The unsecured database was discovered by security researchers from vpnMentor at the end of August.

“vpnMentor’s research team recently received a report from an anonymous ethical hacker about a massive data leak exposing users of over 70 adult dating and e-commerce websites from around the world.” reads the post published by vpnMentor.

“The various websites were all using the same marketing software built by email marketing company Mailfire — who was responsible for the leak.”

The experts discovered that the database was containing copies of push notifications that tens of online sites were sending to their users via Mailfire’s push notification service.

The archive contains 882.1 GB of log files that were being updated in real-time while the notifications were sent out to the users of more than 70 dating sites. The database also contained data from some e-commerce websites, the leak affected individuals from over 100 countries.

At the beginning of the investigation, the server’s database was containing over 370 million records for 66 million individual notifications sent in just 96 hours.

Data exposed in the notifications includes:

Full names
Age and date of birth
Gender
Email addresses
Locations of senders
IP addresses
Profile pictures uploaded by users
Profile bio descriptions

The leak also exposed messages between users of the impacted dating sites that could include embarrassing relationships or sexual interests.

Some of the notifications included in the archive contained links to the user’s profile that also contained authentication keys. An attacker could use these URLs to access a user’s profile on the dating site without the knowledge of the password.

Leaked data could expose users to several malicious activities, including scams, identity theft, blackmail and extortion, and of course attack takeover.

Below the timeline of the discovery:

Data leak discovered: 31st August 2020
Vendors contacted: 3rd September 2020
Response received from Mailfire: 3rd September 2020
Server secured: 3rd September 2020
Client companies informed: 4th September 2020

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, dating sites)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.