Data Breach: Millions of Dating App Records, Messages, and Profiles Exposed in Data Leak

WizCase’s security team has recently uncovered breaches in 5 different dating site and app databases. These leaks have compromised data, including sensitive and confidential information like real names, billing addresses, email addresses, phone numbers, private messages, and more. The total number of leaked entries is in the millions. Every server was easily accessible via the internet and not protected.

This information was uncovered as part of investigations to help companies keep their data secure. As such, the companies involved and their hosting providers have been ed so that they could secure their databases and keep data private. Prior to this discovery, WizCase also uncovered another dating app leak which was promptly closed after the appropriate authority was notified.

Breaches Found: July 2020

What Data Got Leaked?

Our team found servers for 5 dating sites and apps around the world.

1. CatholicSingles.com — A dating site for Catholic people in the US

CatholicSingles.com is a dating site for s who are looking to find faith-based partnerships. The site operates exclusively in the US.

The leaked data included very sensitive information, like real names, email addresses, billing addresses, phone numbers, age, gender, occupation, and education. Also found was data detailing hair and eye color, payment methods, and activity levels (like days since last ). Many profiles are banned or canceled, but the most recent discovered was 2019. These s could still be active.

2. SPYKX.com — (Congdaq/Kongdak app) Online dating for s in South Korea

SPYKX.com is the creator of the Congdaq/Kongdak dating app for individuals in South Korea. It appears that the online dating app is just one service the site has created.

Data on the server included data like email, cleartext s, phone numbers, date of birth, gender, and education. GPS data was also discovered which could potentially be linked to individual s via their internal IDs.

3. YESTIKI.com — Dating app hosted in the USA

YESTIKI.com is a dating app for s in the US, which appears on the app store as TIKI Interactive. It enables s to meet potential partners through exploring shared interests and activities.

Leaked data from the MongoDB server included phone numbers, names, address and GPS location data of date venues, ratings, activity logs, Foursquare secret key IDs, and more.

4. Blurry — Dating app from hyperitycorp.com

Blurry is a dating app from Korea with s around the world. It has over 50,000 installs on the iTunes app store, so while it’s quite small still, a considerable amount of sensitive data was breached.

All data recovered from the server involved private messages sent between s on the app. While there are no significant PII’s (Personally Identifying Information), personal information could potentially be correlated with internal IDs. Some messages were discovered containing personal information like Instagram handles and phone numbers.

5. Charin and Kyuun — 2 dating apps for s in Japan

Charin and Kyuun are two different dating apps from what we suspect is the same company. Both websites are very similar in design and are sitting on the same EC2 Amazon server. Leaked data from both apps was found on the same breached server.

The most notable data found on the server includes email addresses and s, both hashed and cleartext. Other data found was IDs, mobile device information, and search preferences such as distance and age.

Unverified Server Leaks: 6 Additional Servers Without Owners Found With Dating App Information

During investigations, the WizCase security team found an additional 6 unsecured servers with information from different dating apps and sites, separate from the breaches above. The owner/s of the servers have not yet been identified, making it difficult to know where the data originated from.

This information could’ve been collected through a process known as web scraping, but this could only explain some of the data, as parts of it do not appear to be from internet-facing web pages.

Which Dating Apps or Sites is the Data From?

Data was found relating to several different dating apps and sites: Zhenai, Say Love, Netease, Love Chat, and Companion. While a lot of the information isn’t exposing personal data, there’s a potential for it to be correlated with other information in the future, making it personally identifiable.

What is “Web Scraping”?

Web scraping is an automatic process that allows information on websites to be collected and stored. Web scraping isn’t just for websites though — it can also be used for other protocols and technologies. For the most part, this is a legal process, although it does have some gray areas and can be illegal if used in the context of other illegal activities.

It appears that a lot of the information discovered on these servers could be the result of web scraping. Much of the data is information that can be viewed online without needing access, or “web-facing data.”

What are the Risks for s?

s of dating apps and sites may assume that their information isn’t easily accessible or made public, when in fact it is. Zhenai, for example, allows a lot of information to be seen without a logging in. Individual s may not want their dating profiles to be public but have no control over how the site protects its information.

Web scraping is also related to a part of the hacking process (gathering information) and getting all the data from a server may pose security risks to s and to the site or app itself.

What are the Consequences of a Data Leak?

Identity Theft

This is a huge risk with databases that hold complete PII (Personally Identifiable Information) records. If a scammer can get a dating app ’s full name, address, and date of birth, it’s easy for them to steal an identity and use it for fraudulent purposes. If an attacker has your , they could try it on other platforms (s often reuse the same across multiple platforms) and gain access to your PII that way. With this information, someone has the ability to create another on a dating app and harass other s under your name.

Phishing, Phone Scams, and Catfishing

Once a scammer has your details, they can use other information discovered in the data leak to convince dating site s to give up more information on the phone or by clicking on a suspicious email link. These scams work because s believe their information is secure and scammers can use the exposed personal information to establish false trust. With your personal details, a scammer could also set up a catfishing using your information and images — potentially harassing family, friends, and other dating app s.

Blackmail

s who want to keep their dating preferences a secret could experience blackmail as a result of data leaks. Scammers are aware that they could reveal private information and damage a ’s reputation, potentially costing them their relationships or financial security. Some individuals may be using dating apps while in a relationship or married — a scammer could use information from leaked conversations to threaten to expose s to their families.

Privacy and Stalking

With GPS data showing locations as well as potential date locations, s are put at risk of stalking and other privacy issues.

Business Espionage

By collecting data on other companies, competing businesses have the potential to use data regarding s, registration levels, and targeting methods to their benefit or to sabotage others in the same field.

What Does This Mean for Data Leak Victims?

Depending on the kind of data leaked from each breach, the victims could be at risk in different ways. Here are examples of one risk per leak, although there can be more.

1. Catholic Singles — Leaked email addresses and phone numbers put s at risk of phishing emails and phone scams.
2. SPYKX — Exposed cleartext s and email addresses could let hackers access personal data kept on the , leading to identity theft and fraud.
3. YESTIKI — GPS data, venue addresses, and match dates and times make s vulnerable to stalkers.
4. Blurry — Exposed messages may contain identifiable private data that could be used to blackmail s.
5. Charin and Kyuun — Leaked data includes search preferences and message content that can be used to blackmail victims who want to keep information private.

How Can You Keep Your Data Secure?

It’s always important to be vigilant about your personal data when you’re g up to dating apps or other sites that ask for sensitive information. If you have an active dating profile on one of the above sites, we recommend that you re-evaluate the personal information you have available there.

We also recommend changing your for any breached site and any other platform you use the same on. It’s best not to reuse s at all, as this can make online s vulnerable in the event of a data breach. In general, try to use complex s that you find easy to (like four random words) or use completely random s and save them in a vault. The best is a you can’t .

Take precautions when messaging via the apps and avoid divulging identifiable data such as your full name, social media profiles, phone numbers, or pictures. Once you’ve sent the information, it has the potential to be used for blackmail or other fraudulent purposes.

Be sure to check other sites and services you use online for suspicious activity, too. If a scammer has your personal information, they could use it to access other online s. Should you find anything unusual, don’t hesitate to report it.

Who is WizCase?

WizCase is at the forefront of cybersecurity. The cybersecurity team is made up of experts and led by Avishai Efrat, dedicated to ensuring that any leaks found are promptly secured. The security team s every company to inform them of data breaches, giving them the opportunity to secure their s’ data.

The team has found popular webcam security.