A group of niche dating websites has compromised the data of hundreds of thousands of users, according to security researchers.
Nearly 2.5 million records were exposed in all, including explicit images, audio recordings, chat screenshots and transaction information.
The data reportedly relates to users of nine dating sites, each of which caters to specific sexual proclivities: Cougary, Gay Daddy Bear, Xpal, BBW Dating, Casualx, SugarD, 3somes, Herpes Dating and GHunt.
The layout of each website is said to be similar, and a portion of those with accompanying Android apps list Cheng Du New Tech Zone as developer.
Dating website breach
The incident was discovered by researchers Noam Rotem and Ran Locar of vpnMentor, who say the data was exposed in a misconfigured Amazon S3 bucket - a type of cloud storage resource used by businesses to store large amounts of information.
While the exposed data did not include extensive personally identifiable information (PII) - such as names, phone numbers, addresses and login credentials - images could still be used by a committed hacker to establish a user’s identity, opening the door to blackmail-based scams.
“We were amazed by the size and how sensitive the data was. The risk of doxing that exists with this kind of thing is very real - extortion, psychological abuse,” said Locar.
“As a user of one of these apps, you don’t expect that others outside the app would be able to see and download the data.”
One of the affected apps, Herpes Dating, caters to sufferers of sexually transmitted infections, meaning the breach could, by extension, have compromised information about users’ health too.
While the developer has now rectified the error, it is impossible to say whether unauthorized parties accessed the treasure trove of sensitive data during the period in which it remained exposed.
Another of the affected services, Casualx, told TechRadar Pro it disputes the vpnMentor report and denies its users’ data has been exposed.
“We use Softlayer to store our users’ data and information. Softlayer is a product of IBM company. Casualx doesn’t share a common developer with other apps as vpnmentor.com mentioned. We don’t have the features as vpnmentor.com states: ‘voice messages and audio recordings’ (sic),” said the firm.
TechRadar Pro also requested comment from Cougary, Gay Daddy Bear, Herpes Dating and 3somes, none of which responded immediately.