Unprotected Dating Service Database Leaks Personal Data
Another exposed database on an online server was leaking the personal data of its users. The database in question belonged to a dating website was running on an Elastisearch server and was not password-protected. The discovery that the database was exposed was made in late August 2020 by security researchers with vpnMentor.
After the security researchers contacted the database owners, it was quickly taken down, but that doesn't mean the database did not leak for certain. There were a total of over 880 gigabytes of push notification log files stored in the faulty database. The log files were found to contain the details of 66 million notifications generated over the last four days, along with the personal information of hundreds of thousands of users.
The dating service aggregator operating the database stored notifications coming from over 70 different dating sites. It appeared that a lot of the notifications were spam, with messages offering men to find partners from parts of the world such as Asia or Eastern Europe. The way the system was set up, the new notifications alarmed users that a supposed female had sent a message to lure people back to the service.
Personally Identifiable User Info Exposed
While all of this was done with the users' consent, the issue is that there was a lot of personal information involved. The database was not simply storing the notifications themselves, but also contained a chunk flagged as 'debug' data that contained personal details of the users. The personally identifiable information in the logs included names, emails, gender as well as geolocation and IP address data.
To make matters worse, the strings in the notifications also contained links and authentication keys to user profiles, which could give bad actors unlimited access to profiles, without even needing the user password. Anyone who potentially got hold of the unprotected database could have accessed tons of user information, including profiles and past messages sent across the service.
Personal information leaks, especially connected to dating websites and services, can lead to heaps of trouble for the people involved, including extortion and blackmail attempts.