An online database left exposed online without a password has leaked the personal details of hundreds of thousands of users who signed up for online dating sites.
The leaky database, an Elasticsearch server, was discovered at the end of August by security researchers from vpnMentor.
The database was taken offline on September 3 after vpnMentor tracked down its owner in Mailfire, a company that provides online marketing tools.
vpnMentor researchers said the database stored copies of push notifications that various online sites were sending to their users via Mailfire’s push notification service.
Push notifications are real-time messages that companies can send to smartphone or browser users who agreed to receive such messages.
The leaky database stored more than 882 GB of log files pertaining to push notifications sent via Mailfire’s service, with the logs being updated in real-time, as new notifications were being sent out.
In total, vpnMentor said the log files contained details for 66 million individual notifications sent over the previous 96 hours, with personal details for hundreds of thousands of users.
vpnMentor, who analyzed the leaked data while searching for the database owner, said it found notifications belonging to more than 70 websites.
Some of the sites where e-commerce stores and classified ads networks from Africa; however, the vast majority of notifications originated from domains linked to dating sites.
These dating sites promised men the opportunity to find a young female partner in various areas of the globe, such as Eastern Europe or Eastern Asia.
Most of these sites used visually-looking designs, and while using different domains, appeared to be part of a larger network.
Without any doubt, the notifications sent by this network of dating sites was just spam, trying to lure users to return to the site, claiming that a new user had sent them a message.
But while spamming users with push notifications is not actually an issue, especially if the users agreed to receive these messages, the problem was that personal data was also involved.
According to copies of the exposed logs seen by ZDNet, the leaky Elasticsearch server didn’t only contain copies of the notifications but they also included a “debug” area where personal information for the user receiving the notification was also included.
Some of the data we found in these debug fields included names, age, gender information, email addresses, general geographical locations, and IP addresses.
Furthermore, the notifications also contained links back to the user’s profile, in case the user clicked or tapped on the notification. These links also contained authentication keys, meaning anyone with this URL would have been able to access a user’s profile on the dating site without needing a password.
Anyone who would have found this database over the course of the past few weeks would have been able to learn the identities of users who signed up on these dating sites and access their profiles to read private messages or see past connections.
As vpnMentor researchers have pointed out, this leaky server was a disaster waiting to happen. If this data leaks online, the users of these sites would most likely face extortion attempts, similar to how Ashley Madison users faced blackmail attempts for years. These extortion attempts had a severe toll on Ashley Madison users, with some taking their own lives after their personal love life was exposed to the public.
Mailfire did not return a request for comment. Some of the dating sites that we found in the leaky server included Kismia, Julia Dates, Emily Dates, Asian Melodies, Ukrainian Charm, Asia Charm, JollyRomance, OneAmour, ValenTime, Rondevo, Victoria Brides, Loveeto, Oisecret, WetHunt, Cum2Date, Jolly.me, and many more.