Online dating app Heyyo has made the same mistake that thousands of companies have made before it — namely, it left a server exposed on the internet without a password.
This leaky server, an Elasticsearch instance, exposed the personal details, images, location data, phone numbers, and dating preferences for nearly 72,000 users, believed to be the app’s entire userbase.
The leaky server was brought to ZDNet’s attention last week by security researchers from WizCase, who asked us to help investigate this security incident. After we verified the data’s authenticity by contacting some of the users whose phone numbers were included in the database, we reached out to Heyyo to notify the company of the leak.
The Istanbul-based software company behind the app failed to respond to our inquiry for nearly a week, and the leaky server was only taken down today, after ZDNet reached out yesterday to Turkey’s Computer Emergency Response Team (CERT).
During the time it took us to secure the server, Heyyo’s backend leaked some of the most sensitive types of information online. The breadth of the leaked information is staggering, to say the least. Except for private messages, all other Heyyo user data was available on the company’s Elasticsearch server. This included the likes of:
- Phone numbers
- Email addresses
- Dates of birth
- Profile pictures and other images
- Facebook IDs for users who linked their profiles
- Instagram IDs for users who linked their profiles
- Longitude and latitude
- Who liked a user’s profile
- Liked profiles
- Disliked profiles
- Superliked profiles
- Blocked profiles
- Dating preferences
- Registration and last active date
- Smartphone details

Source: https://www.zdnet.com/article/heyyo-dating-app-leaked-users-personal-data-photos-location-data-more/