Skip to main content

Dating sites around the world leak hundreds of thousands of user records

(Image credit: Shutterstock)

Dating site users around the world have been warned to check their security settings after a major database breach put hundreds of thousands of accounts at risk.

The breach was caused by an Elasticsearch server that was found to have been leaking user details online without a password, meaning criminals could have gained access to a database of users who signed up for online dating and e-commerce sites.

The database, which contained details from over 70 websites, was taken offline after almost a week, meaning hundreds of thousands of users could possibly have been affected.

Data breach

The leak was reported by researchers at vpnMentor who were alerted to the breach following an anonymous tip from an unnamed ethical hacker. 

This hacker had discovered a flaw in software built by email marketing company Mailfire that was being used by all the affected sites, opening up millions of records including full names, age and date of birth, email address and IP addresses.

The database was estimated at 882.1GB in size, and contained over 320 million records originating from all over the globe pertaining to the specific sites, including email content, private messages and authentication tokens and links.

"Upon further investigation, it turned out that some of the sites exposed in the data leak were scams, set up to trick men looking for dates with women in various parts of the world," vpnMentor noted.

The data leak originated from an unsecured Elasticsearch server owned by Mailfire. This server was connected to a notification tool used by the company’s clients to send out marketing assets to website users, including notifying them of private chat messages.

vpnMentor contacted Mailfire following the leak, with the company acting immediately to secure the server, and accept full responsibility for the breach.

This isn't the first time that dating sites have been accused of leaking user data online - back in March, OKCupid was found to be leaking user information online without its knowledge, after researchers found it was possible to retrieve the last location ID of any OKCupid user, allowing anyone to possibly determine where a user was logging in to the site, potentially giving away their home or work address.

And in June, nearly 2.5 million records of niche dating websites were exposed, including explicit images, audio recordings, chat screenshots and transaction information.

  • Keep your online browsing secure with our list of the best VPN services on the market

Via ZDNet