MacKeeper Security Research Center Discovers Dating Site Database for “Cheaters” With 1.5 Million User Accounts
On Sept 28th, MacKeeper Security Research Center experts identified another unprotected MongoDB instance that was leaking data.
The database appeared to belong to C&Z Tech Limited, a New Zealand-registered company that operates the websites haveafling.mobi, haveafling.co.nz, haveanaffair.co.nz, haveanaffair.mobi, hookupdating.mobi and the mobile application "Hook Up Dating". As the names clearly indicate, they are all dating sites that target men and women "who are either attached/married seeking something fun on the side, or single seeking something casual".
The case of a “cheating” website brings back memories of the strange case of Ashley Madison. According to Forbes, “Worldwide, the site has had 31 million total users over its lifetime, 6.8 million of whom logged in over the previous 90 days as of late November”. Unlike the Ashley Madison data, which was actually hacked, this database was left open, unsecured and accessible to anyone. The fallout from the Ashley Madison hack destroyed marriages and families, and was even suspected in several suicides. Given the real danger of this kind of data being leaked, there is an added need for data protection and security.
The exposed database contained data on more than 1.5 million users, including usernames and passwords in plain text, among other fields (height, weight, DOB, gender, gay body type, race, IP, country, etc.). It was left unattended for almost a day before it was secured.
Shortly after we sent a notification to the company's support, we received the following message from "Edward" of the HAF team:
“Thanks for letting us know, the MongoDB database was only live for a few hours as we were testing migrating data from SQL to MongoDB, so most of them were just dummy data with randomly generated emails and passwords, and not our live database, we shut down the database about an hour ago, and there's no data breach, only you guys had detected it.
Once again thanks for letting us know and we will make sure to secure it before making it live again.”
This type of answer is rather usual: a claim that this was a testing environment, despite so many files and accounts. We highly doubt this was “testing” data, based on the type of files exposed and the massive number of accounts. Yes, our security research team still has a copy of the data for verification purposes.
The database is now secured, but it raises a different question: how long should sensitive data be exposed and unsecured before it is called a data leak?
In line with what some US courts have said, a breach occurs the very moment that data is put in a publicly accessible place. So if it was available to the public for even one second, then it's a breach.
Leaked data is leaked data, and it puts users at risk. If our security research team was able to discover and obtain this information, anyone else could have as well. If a “bad actor” or criminal were to get this information, they could try to blackmail individual users with threats to expose their infidelity, or attempt other forms of extortion.
Attention - Portions of this article may be used for publication if properly referenced and credit is given to MacKeeper Security Research Center.
Do you have security tips or suggestions? Contact: firstname.lastname@example.org