An Elasticsearch server containing personal details of hundreds of thousands of dating site users were exposed online without authentication.
The unsecured database was discovered by security researchers from vpnMentor at the end of August.
“vpnMentor’s research team recently received a report from an anonymous ethical hacker about a massive data leak exposing users of over 70 adult dating and e-commerce websites from around the world.” reads the post published by vpnMentor.
“The various websites were all using the same marketing software built by email marketing company Mailfire — who was responsible for the leak.”
The experts discovered that the database was containing copies of push notifications that tens of online sites were sending to their users via Mailfire’s push notification service.
The archive contains 882.1 GB of log files that were being updated in real-time while the notifications were sent out to the users of more than 70 dating sites. The database also contained data from some e-commerce websites, the leak affected individuals from over 100 countries.
At the beginning of the investigation, the server’s database was containing over 370 million records for 66 million individual notifications sent in just 96 hours.
Data exposed in the notifications includes:
The leak also exposed messages between users of the impacted dating sites that could include embarrassing relationships or sexual interests.
Some of the notifications included in the archive contained links to the user’s profile that also contained authentication keys. An attacker could use these URLs to access a user’s profile on the dating site without the knowledge of the password.
Leaked data could expose users to several malicious activities, including scams, identity theft, blackmail and extortion, and of course attack takeover.
Below the timeline of the discovery:
(SecurityAffairs – hacking, dating sites)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.