Security researchers have discovered five dating apps in the US and East Asia which are leaking millions of customer records thanks to misconfigured cloud databases.
A team from WizCase led by Avishai Efrat explained that the Elasticsearch servers, MongoDB databases and AWS buckets they found were left publicly accessible with no password.
In the US, an Amazon bucket traced to CatholicSingles was found to be leaking a 17MB database of 50,000 records including names, email addresses, billing addresses, phone numbers, age, gender, occupation and education.
Another dating site hosted in the US, Yestiki, leaked around 4300 records (352MB) including phone numbers, names, addresses and GPS location data of date venues, as well as user ratings, activity logs and Foursquare secret key IDs.
Next up is SPYKX.com, the South Korean company behind the Congdaq/Kongdak dating app. It was found leaking 123,000 records (600MB) via an unprotected Elasticsearch server, including emails, cleartext passwords, phone numbers, dates of birth, gender, education and GPSdata.
Also in South Korea, dating app Blurry exposed 70,000 user records (3667MB) via an Elasticsearch server, including private messages sent between users – some of which contained sensitive information like social media handles and phone numbers.
Finally, Japanese dating apps Charin and Kyuun, which appear to be owned by the same company, leaked over 100 million records via the same unsecured Elasticsearch database sitting on an AWS EC2 server.
Compromised user information included email addresses and passwords, both hashed and cleartext, user IDs, mobile device information and dating preferences such as distance and age, according to WizCase.
The researchers also found an additional six exposed servers packed with dating app user information but couldn’t identify the owner, although it claimed they may be the product of a web scraping operation. Data from users of Zhenai, Say Love, Netease, Love Chat and Companion were found.
It’s unclear whether any of the companies WizCase contacted has addressed the configuration errors, but the firm warned users of potential follow-on identity fraud, phishing, blackmail and privacy risks.
Back in September last year, the same research team was able to access a database of around 77,000 users of Heyyo, a Turkey-based online dating service.