Coffee Meets Bagel dating app confirms data breach

Pierluigi Paganini February 15, 2019

The week closes with news of another embarrassing data breach: Coffee Meets Bagel confirmed a hack on Valentine’s Day.

The dating app Coffee Meets Bagel confirmed that hackers breached its systems on Valentine’s Day and may have obtained access to users’ account data.

The company notified account holders of the incident. The intrusion was discovered after an archive containing user data was offered for sale on the dark web for roughly $20,000 worth of Bitcoin.

Earlier this week, The Register exclusively revealed that some 617 million online account details stolen from 16 hacked websites are available for sale on the dark web. Coffee Meets Bagel learned of the incident on Feb. 11, 2019.

The advertisement for the sale of the huge trove of data was published on the popular Dream Market black marketplace; the data is available for less than $20,000 worth of Bitcoin.

Data was collected from data breaches of popular websites including:

  • Dubsmash (162 million);
  • MyFitnessPal (151 million);
  • MyHeritage (92 million);
  • ShareThis (41 million);
  • HauteLook (28 million);
  • Animoto (25 million);
  • EyeEm (22 million);
  • 8fit (20 million);
  • Whitepages (18 million);
  • Fotolog (16 million);
  • 500px (15 million);
  • Armor Games (11 million);
  • BookMate (8 million);
  • CoffeeMeetsBagel (6 million);
  • Artsy (1 million);
  • DataCamp (700,000).

While some of the above websites are known to have been hacked (e.g. MyHeritage, MyFitnessPal), for others, including Coffee Meets Bagel, it is the first time that the security community was informed of their breaches.

Journalists at The Register have analyzed account records and confirmed they appear to be legit. Spokespersons for MyHeritage and 500px confirmed the authenticity of the data.

The Register report alleges that data belonging to 6.17 million Coffee Meets Bagel accounts (673 MB of data) were offered for sale. Data appears to be related to late 2017 and mid-2018.

“As always, we recommend you take extra caution against any unsolicited communications that ask you for your personal data or refer you to a web page asking for personal data,” reads the email sent by the company to the users. “We also recommend avoiding clicking on links or downloading attachments from suspicious emails.”

Stolen records include name, email address, age, registration date, and gender, but the data breach notification issued by Coffee Meets Bagel only reports that names and email addresses prior to May 2018 were exposed.

According to the company, no financial data were exposed because the company doesn’t store it.

Coffee Meets Bagel hired a forensic firm to investigate the incident and assess its systems; at this time it is not clear how hackers breached the company. It also started an audit of vendor and external systems.


Pierluigi Paganini

(SecurityAffairs – Coffee Meets Bagel , hacking)
