The profiles and data of hundreds of thousands of users of niche dating and friendship apps were leaked online from an unsecured database.
The database stored over 20 million files totaling 845 GB and included "incredibly sensitive" images, user profile details, and private conversations and voice recordings.
The database was discovered by VPNMentor and included dating apps such as 3somes, CougarD, Gay Daddy Bear, Xpal, BBW Dating, Casualx, SugarD, Herpes Dating, and GHunt.
VPNMentor researchers say: "The apps were designed for people with alternative lifestyles and specific preferences, such as 'cougars,' queer dating, fetishes, and group sex. At least one app was exclusively for people with STIs such as herpes."
They believe the apps had a common developer because they were all stored in the same AWS account, the websites were all similar, and the S3 buckets were named for each app; the apps were also named for people with STIs.
The entire database was properly protected on May 27, the day after VPNMentor informed the 3some app administrators of the problem.
VPNMentor warned users of such sites and apps that the exposed data might make it easier for cybercriminals to attack, bully, and blackmail them with sensitive information.
"While the connections people are making on 'sugar daddies,' group sex, hookups, and fetish dating apps are completely legal and consensual, criminals and malicious hackers could exploit them to have devastating effects on users," the report states.
"By using images from various apps, hackers can create effective fake profiles for catfishing scams to trick and exploit unwary users."
VPNMentor criticized the developers and stated that the leak could have been avoided by taking a few basic security measures. These measures include securing servers, implementing appropriate access rules, and not leaving systems open to the Internet that do not require authentication.
The researchers advise users: "If you are using one of the apps referred to and are concerned about how this breach may affect you, please contact the developer directly to see what steps they are taking to protect your data."
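For bucket owners, the "appropriate access rules" measure VPNMentor describes can be audited mechanically. The following is an added example, not code from VPNMentor or the app developers: it takes a bucket policy, ACL grants and public access block settings in the shapes returned by boto3's `get_bucket_policy`, `get_bucket_acl` and `get_public_access_block`, and reports grants that allow access without owner-issued credentials. The bucket name and sample values are constructed, and the report does not say which of these settings the exposed buckets used.

```python
import json

PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}

def _is_wildcard(principal):
    """True when a policy Principal matches anyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_findings(policy_json, acl_grants, block):
    """Return the reasons a bucket is reachable by principals the owner never named."""
    findings = []
    statements = json.loads(policy_json).get("Statement", []) if policy_json else []
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    # RestrictPublicBuckets limits a public policy to the account and AWS services.
    if not block.get("RestrictPublicBuckets"):
        for st in statements:
            if st.get("Effect") == "Allow" and _is_wildcard(st.get("Principal")):
                kind = "conditional" if st.get("Condition") else "unconditional"
                findings.append(f"policy: {kind} Allow to * for {st.get('Action')}")
    # IgnorePublicAcls makes S3 disregard public ACL grants entirely.
    if not block.get("IgnorePublicAcls"):
        for g in acl_grants:
            uri = g.get("Grantee", {}).get("URI")
            if uri in PUBLIC_GROUPS:
                findings.append(f"acl: {g.get('Permission')} granted to {uri.rsplit('/', 1)[-1]}")
    return findings

# Constructed sample input (hypothetical bucket "example-app-media").
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-app-media/*"}]})
OPEN_ACL = [{"Grantee": {"Type": "Group", "URI":
             "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"}]
NO_BLOCK = {}
FULL_BLOCK = {"BlockPublicAcls": True, "IgnorePublicAcls": True,
              "BlockPublicPolicy": True, "RestrictPublicBuckets": True}

if __name__ == "__main__":
    for label, block in (("no public access block", NO_BLOCK), ("all four settings on", FULL_BLOCK)):
        print(label, "->", public_findings(OPEN_POLICY, OPEN_ACL, block) or "no public exposure found")
```

Statements reported as "conditional" still need a manual look, since a Condition can be broad enough to leave the grant effectively public.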