This time, the data – all 882GB of it, including tons of personal information – was found on an unsecured Elasticsearch Database (yes, it’s another leaky bucket story) by an ethical hacker who passed it to security researchers at vpnMentor.
The database in question didn’t actually belong to a dating app per se, but rather a third-party Cyprus-based marketing company by the name of Mailfire, which around 70 affected apps use for their communication systems – push notifications, for example.
Mailfire was informed of the issue on August 31, and immediately fixed the problem, closing it to public access, as it should have been all along.
Unlike previous recent leaks, the Mailfire database appears to have been in constant use, with new records appearing daily right up until the day of disclosure. The records included full names, dates of birth, locations, IP addresses, contact details and photos. In short, the whole nine yards. In total, 320bn records were in plain sight in the database.
Worse still, private communications between users were also captured, and a lot of the ones we saw were… very NSFW.
The sites involved appear to come from a handful of companies offering a variety of niche dating services. Importantly, the affected users are said not to be concentrated in any particular country, but spread worldwide.
The ‘good’ news, such as it is, appears to be that many of the exposed records were fake anyway – a combination of catfishing, chatbots and fake celebrity profiles. vpnMentor speculates that some of the sites were specifically set up for catfishing and scamming.
As far as we can tell, there’s no evidence that the Mailfire server data has been exploited, and given the rather flaky nature of much of what vpnMentor found, the risk is minimal. It is there, though, so if you’re in any doubt, change your passwords on the dating sites you use.
Unfortunately, there isn’t currently a list of all the sites affected, beyond the fact that they appear to be registered in data havens such as Nevada and the British Virgin Islands. If we’re able to get a list, we’ll add it below.
Mailfire has already stated that it accepts full responsibility for the leak, and that its dating app clients are not to blame. Based on what vpnMentor discovered, though, it sounds like users of these sites may have had a lucky escape.