
Data Privacy Issue Emerges on Popular Military Dating App

 


While exploring the Internet, cybersecurity researcher Jeremiah Fowler discovered that the general public could access an online database belonging to Forces Penpals, a platform that caters to armed forces personnel from the US and UK, and reported the unsecured database to vpnMentor. It exposed over 1.1 million sensitive records, including images of users and proof-of-service documents, raising privacy and security concerns among military members and supporters alike.

The publicly exposed database contained user data that was neither encrypted nor password-protected, making it a potential threat to service members today. According to Fowler's report for vpnMentor, the personal information of nearly 1.2 million U.S. and UK military personnel using Forces Penpals, a social networking site and dating service, was compromised.

The concern goes beyond the data of 1.2 million people being accessible. No date range has been given for how long the database was exposed, nor is it known whether any unauthorized individuals accessed the information. Fowler notified Forces Penpals of the problem, and the company has since restricted public access. The platform, launched in 2002 as a letter-writing service for the British military, has since grown to serve service members from both the U.S. and UK.

The platform, however, holds sensitive information about individual service members, including their personal details and addresses. Fowler found that the exposed data included images of users and copies of proof-of-service documents containing names, addresses, Social Security numbers, and, for individuals from the UK, National Insurance Numbers.

When discovered, the publicly available database had neither password protection nor encryption. It contained 1,187,296 documents in total. Based on a limited sampling, the vast majority appear to be user-uploaded images, while some are potentially sensitive proofs of service. These documents contained full names (first, middle, and last names), postal addresses, Social Security Numbers (US), National Insurance Numbers and Service Numbers (UK), as well as personal details such as addresses and telephone numbers.

The records also held a great deal of other sensitive data, such as ranks, branches of service, dates, locations, and other details that should never have been accessible to the general public. Further investigation established that the records belonged to Forces Penpals, a dating service and social networking community for military service members and their family members. Public access to the database was restricted two days after responsible disclosure.

Consider also the possibility that the United States or the United Kingdom enact a member verification system in the future. Fowler's report notes that most of the documents were images of individuals, but a portion of them were highly sensitive records related to military service. "Technically speaking, there is no way of filtering through and searching text in images to determine the exact number," Fowler added.

Following his discovery, Fowler sent Forces Penpals a responsible disclosure notice, and public access to the database was restricted the same day. Forces Penpals acknowledged the issue and explained that it was caused by a coding error that misrouted documents to an insecure storage directory. The photos being public was not in itself a problem, since they were already public; the documents being public was.

How long the database was exposed, and whether unauthorized parties accessed the information, remains unclear. A forensic audit would be required to determine the extent of the breach and identify any suspicious activity that took place. The incident makes clear that inadequate cybersecurity measures pose a serious risk, especially on platforms that handle sensitive information.

There has been an exponential increase in cyberattacks targeted at military personnel and allied organizations over the past few years, illustrating that the threat landscape is rapidly changing. According to the FBI, in October 2024, a hacking group that was linked to Russian intelligence tried to infiltrate systems including those belonging to Western think tanks, journalists, and former military officials, which illustrated the real-world dangers of data exposure and potential exploits in the future. 

Although there is no evidence that Forces Penpals users were specifically targeted as a result of the exposure, the incident is an important lesson for organizations that handle personal and sensitive data. Fowler stresses the importance of establishing robust measures to keep such information safe and secure.

It is highly recommended to implement enhanced access controls and multi-factor authentication, separate sensitive data by segmenting it, conduct regular security audits and penetration testing, and develop comprehensive incident response plans that will help address breaches as quickly as possible.

The Cybersecurity Crisis: Dating App “Coffee Meets Bagel (CMB)” Hacked again!

 

In an increasingly digital world, the threat of cyber-attacks is more prevalent than ever. This article delves into an alarming case of cybersecurity breach involving a popular dating platform, which led to over 620 million user accounts being compromised in 2019 and another ransomware case in 2023. We will also explore how monitoring the dark web can be instrumental in mitigating such threats. 
 

  • The Unsettling Incident 
  • The Timeline of the Attack 
  • The Aftermath of the Attack 
  • The Perpetrator and the Motive 
  • The Investigation and Response 
  • The Role of Dark Web Monitoring 
  • The Impact of the Attack 
  • The Recovery Process 
  • The Way Forward and the implications of the attack 
  • Closing Remarks 
  • Appendix: What is the CMB App? 
 
The Unsettling Incident 
 
In what is being termed as one of the most significant breaches of cybersecurity, a popular dating application was recently hacked, leading to over 620 million user accounts being compromised. The incident sparked widespread concern, shedding light on the ever-looming threat of cyber-attacks. 
 
The Timeline of the Attack 
 
The attack on the dating app Coffee Meets Bagel (CMB) was not an isolated event but rather a part of a series of cyber-attacks. The hacker reportedly started his malicious activities on August 27, 2023, and continued until the service was fully restored on September 3, 2023. During this period, the dating app was completely offline, rendering users unable to access their accounts. 
 
The Aftermath of the Attack 
 
Following the attack, the dating app made significant efforts to restore its services and secure the environment for its technology team. Despite the tremendous damage, the application was back online, and by all appearances, functioning normally by September 3, 2023. However, the question of user data safety remained a pressing concern. 
 
The Perpetrator and the Motive 
 
While the identity of the hacker remains unknown, the nature of the attack suggests that it was carried out by an outside actor with malicious intent. The perpetrator deleted the company’s data and files, resulting in the app’s week-long outage. The motive behind the attack is yet to be established and is under investigation by law enforcement agencies. 
 
The Investigation and Response 
 
In response to the attack, the dating app launched a thorough investigation to understand the full scope of the incident and enhance its cybersecurity. The company also notified law enforcement agencies about the attack, suggesting a collaborative approach in addressing the incident. 
 
The Role of Dark Web Monitoring 
 
Dark web monitoring can play a crucial role in preventing and mitigating such cyber-attacks. Services like Kaduu Dark Web Monitoring enable companies to take a proactive approach when customer data is compromised. They provide insights into potential threats on the dark web, allowing companies to address vulnerabilities before an attack occurs. 
 
The Impact of the Attack 
 
An app outage due to hacking can have significant implications. It can not only affect the trust between the company and its users but also lead to severe financial losses. Moreover, the compromised data can be used for identity theft or financial fraud, causing further harm to the users. 
 
The Recovery Process 
 
Recovering from a cyber-attack is a complex process that involves in-depth system analysis and data recovery. It requires the concerted efforts of the internal security team, external cybersecurity experts, and law enforcement agencies. The recovery process also includes communication with users about the incident and the steps taken to secure their data. 
 

The Way Forward and the implications of the attack 

 
Following the cyber-attack, the dating app took several measures to restore user trust. They logged out all users as an extra precaution and offered compensations in the form of extended subscriptions and in-app currency. The company also assured its users that potential matches were not missed during the outage. But a breach of this magnitude (600 million accounts) has profound implications for both the company and its users. Here’s a detailed breakdown: 
 
Implications for the Company: 
 
Financial Impact: The company may face financial losses due to the need for immediate cybersecurity enhancements, legal fees, potential fines from regulatory bodies, and the cost of public relations efforts to restore their image. 
 
Reputation Damage: Trust is paramount in the online dating industry, where users share intimate and personal details. A breach can severely damage the reputation of the company, making it hard to attract new users or retain existing ones. 
 
Regulatory Scrutiny: Depending on the jurisdiction, the company might face investigations from data protection agencies, which can result in penalties. For instance, under the GDPR in Europe, companies can face fines up to 4% of their annual global turnover for severe data protection infringements. 
 
Legal Implications: Affected users might file class-action lawsuits against the company for failing to protect their data. 
 
Operational Disruptions: Post-breach, the company might need to temporarily shut down its services to investigate the breach, fix vulnerabilities, and ensure that user data is secure. 
 
Implications for the Users: 
 
Identity Theft and Fraud: Stolen data can be used for identity theft. Cybercriminals can use personal details to open fraudulent accounts, make purchases, or even commit crimes in the user’s name. 
 
Blackmail and Extortion: Given that it’s a dating app, the information can be sensitive. Hackers can threaten to expose users’ personal or intimate details unless they pay a ransom. 
 
Phishing Attacks: With the knowledge of users being part of Coffee Meets Bagel, attackers can craft convincing phishing emails to trick users into providing more personal information or downloading malicious software. 
 
Emotional Distress: Knowing that one’s personal and intimate details are in the hands of unknown entities can cause significant stress and anxiety. 
 
Password Reuse: If users have used the same password on CMB as on other sites, those accounts are also at risk. Hackers often try stolen passwords on multiple platforms. 
 

Closing Remarks 

 
The hacking incident involving the dating app is a stark reminder of the cybersecurity threats that digital platforms face today. It underscores the need for robust security measures and continuous dark web monitoring to prevent such attacks. As we move forward in the digital age, combating cyber threats must remain a top priority for all online platforms. 
 

Appendix: What is the CMB App? 

 
Coffee Meets Bagel is a dating app that aims to deliver a more curated dating experience compared to other popular apps. Here’s a brief overview: 
 
Curated Matches: Instead of giving users an endless array of potential matches, Coffee Meets Bagel sends a limited number of curated matches to users daily. This is based on the app’s algorithm which considers various factors including user preferences and mutual friends. 
 
Ladies’ Choice: One of the unique features of CMB is the “Ladies’ Choice” model. Men receive up to 21 “bagels” or potential matches each day at noon, and they can either “like” or “pass” on each one. Women, on the other hand, are then shown men who have liked them, and they decide whom to connect with. This model is designed to give women more control over their dating experience. 
 
Beans and In-App Purchases: While CMB is free to use, it also has a virtual currency called “beans”. Users can earn or purchase beans to unlock additional features, such as discovering more matches or finding out which users have liked them. 
 
Connection Time Limit: Once two users mutually “like” each other and a match is made, a chat room opens up. However, there is a time limit (typically 7 days) for the conversation to begin and continue, after which the chat room expires. This is designed to encourage users to take action and not let matches stagnate. 
 
Feedback After Date: The app also has a feature where users can provide feedback after going on a date with a match. This helps the app improve its matching algorithm. 
 
CMB is one among many dating apps available, but its emphasis on quality over quantity and giving women more control over the matching process sets it apart from some of its competitors.


The article was originally published on 'Kaduu': Link to the original article

Korean Dating App Leaks Private Images and Information of 1 Million Users

 

Korea is a country where data breaches have risen significantly in number, becoming the new normal, and data protection has therefore become a subject of concern. Massive data leakage incidents have caused residents great trouble, as their resident registration numbers are easily accessible on the internet. For instance, a person shopping on various online platforms provides the required information, which is not kept safe: small business owners pay little attention to protecting their databases, while large businesses at times lack an efficient data control system.

Such breaches mostly leak private user information, such as explicit content or images that should never be in the public domain. The data exposed through misconfigured and unsecured services includes personally identifiable information and other sensitive data like private messages or images.

Recently, another such incident took place in Korea, where a dating app leaked highly sensitive NSFW pictures and information of nearly 1 million users. The app, a free dating app named "Sweet Chat", belongs to Sweet Talk.

The incident is a case of déjà vu, as a nearly identical one was reported in November last year. That earlier database contained 130,000 files in total, including images, videos, and audio that were extremely explicit and private. This year's database held only NSFW images, of which about half were explicit; the number of images and messages leaked this time was 1 million.

Modern technology offers a wide range of ways to harm a user caught up in such a case. User IDs can easily be connected to the leaked images by reverse image search, which is very handy for cybercriminals who then blackmail the users. In Korea, offenders can receive prison terms of up to 40 years for such blackmail.

Cases like these are very sensitive, as they breach the user's wall of privacy. It is the responsibility of the owners and app developers to make sure that all such private information and the confidential database remain safe and private. The consequences for victims are greatly amplified, since now anybody could access their personal information.

Users need to use dating apps with proper care and change their passwords regularly. They are also advised to keep an eye on the personal information stored in the app and to be cautious about the permissions an app requests in order to work on the device. Cases of such sensitivity must be reported to the relevant authorities as soon as possible.

Dating App Accused of Leaking Users’ Private Information from Their Profiles


A security researcher discovered that the dating app Plenty of Fish was leaking data that users had explicitly set as "private" on their profiles. The leaked information was not immediately visible to app users, and it was scrambled to make it hard to read.

However, using freely available tools designed to analyze network traffic, the researcher found that the data could be uncovered as the profiles appeared on his phone.

According to The App Analyst, a mobile expert who writes about his examinations of popular applications on his eponymous blog, POF was in every case quietly returning users' first names and postal ZIP codes, which was the first indication that something was seriously amiss with the application.

In one case, the App Analyst even found enough data to identify where a specific user lived.
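The leak pattern described above, as an added example that is neither Plenty of Fish's code nor The App Analyst's tooling: a serializer that returns the stored record as-is (the private fields travel to the client even when the UI never shows them), beside a version that builds the response from an allow-list of what the viewer may see, and a small audit that lists private or server-only fields found in a response, which is essentially the check a researcher inspecting the app's traffic performs. Field names, visibility settings and sample values are all constructed for this example.

```python
"""Serializing a dating profile without leaking fields the owner marked private.

Added example, not code from Plenty of Fish or The App Analyst. All names
and sample values are constructed.
"""
from typing import Dict, List

# Fields the server must never emit to anyone, not even the profile owner.
SERVER_ONLY = {"email", "password_hash"}

# Constructed sample record as it would sit in the profile store.
PROFILE = {
    "user_id": 1042,
    "display_name": "skyline_runner",
    "first_name": "Dana",               # owner set this to private
    "zip_code": "10027",                # owner set this to private
    "age": 31,
    "about": "Coffee and trail runs.",
    "email": "dana@example.invalid",
    "password_hash": "$argon2id$...(constructed)",
}

# Per-field visibility chosen by the owner (constructed). Fields missing
# from this map are treated as private by the hardened serializer.
VISIBILITY = {
    "user_id": "public",
    "display_name": "public",
    "first_name": "private",
    "zip_code": "private",
    "age": "public",
    "about": "public",
}


def serialize_leaky(profile: Dict) -> Dict:
    """Leaky version: returns the stored record and relies on the client UI
    to hide private fields. The data still crosses the wire, where anyone
    running a traffic-inspection tool can read it."""
    return dict(profile)


def serialize_for_viewer(profile: Dict, visibility: Dict[str, str],
                         viewer_is_owner: bool) -> Dict:
    """Hardened version: start from an empty dict and copy only what this
    viewer may see. Unknown fields default to private; SERVER_ONLY fields
    are never copied, whoever is asking."""
    out = {}
    for name, value in profile.items():
        if name in SERVER_ONLY:
            continue
        level = visibility.get(name, "private")
        if level == "public" or viewer_is_owner:
            out[name] = value
    return out


def leaked_private_fields(response: Dict, visibility: Dict[str, str]) -> List[str]:
    """Audit a response sent to someone other than the owner, the way a
    researcher watching the traffic would: list every field present that is
    server-only or that the owner marked private."""
    return sorted(name for name in response
                  if name in SERVER_ONLY or visibility.get(name, "private") == "private")


if __name__ == "__main__":
    other_user_view = serialize_for_viewer(PROFILE, VISIBILITY, viewer_is_owner=False)
    print("leaky response leaks:", leaked_private_fields(serialize_leaky(PROFILE), VISIBILITY))
    print("hardened response leaks:", leaked_private_fields(other_user_view, VISIBILITY))
    print("hardened response:", other_user_view)
```

The design point is the direction of the filter: the leaky serializer starts from everything and hopes the client hides the rest, while the hardened one starts from nothing and adds only what the viewer is entitled to, so a newly added column is private until someone decides otherwise.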

Law enforcement has recently issued warnings on multiple occasions about the dangers some people face on dating applications such as Plenty of Fish, which has more than 150 million registered users according to its parent company IAC. Reports suggest that sexual assaults involving these dating applications have risen dramatically in the previous five years.

Furthermore, LGBTQ+ users of these applications also face safety risks from both individuals and governments, prompting applications like Tinder to proactively warn their LGBTQ+ users when they visit countries and states with restrictive and harsh laws against same-sex partners.

Earlier this year, the App Analyst found various third-party tools that allowed application developers to record the device's screen while users interacted with their applications, resulting in a crackdown by Apple.

Although spokespersons for Plenty of Fish declined to comment on the matter immediately, a fix for the data leakage bug is said to have been released recently.

FBI issues warning against dating sites




An intelligence and security service of the United States has issued a warning for its people to be wary of "confidence/romance scams," after the Bureau saw a 70% annual rise in fraud cases.

The Federal Bureau of Investigation found an exponential increase in cases where dating sites are used to trick people into money scams; victims were sometimes asked to send money or buy expensive gifts for people they met online.

In 2018 alone more than 18,000 complaints were registered and the total monetary loss was more than $362 million.

The FBI's warning states that these actors "often use online dating sites to pose as U.S. citizens located in a foreign country, U.S. military members deployed overseas, or U.S. business owners seeking assistance with lucrative investments."

Crimes like these target people of all age groups, but elderly women—especially those widowed—are especially vulnerable.

The U.S. Department of Defense also issued a warning about "online predators on dating sites claiming to be deployed, active-duty soldiers."

According to the U.S. military, there are now "hundreds of claims each month from people who said they've been scammed on legitimate dating apps and social media sites—scammers have asked for money for fake service-related needs such as transportation, communications fees, processing, and medical fees—even marriage."

Gay dating app Jack’d fined $240k for exposing private photos





A gay dating app Jack'd will have to pay $240,000 to its users after they exposed private intimate photos on the internet for at least a year.

The parent company, Online Buddies, fixed the problem a year after it was informed of it by cyber-security researcher Oliver Hough.

The researcher informed the company about the flaw in February 2018, but the firm paid heed to the problem only in February 2019.


The popular dating app had uploaded the private photos to an Amazon Web Services storage bucket, which could be easily accessed by anyone. 
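The storage failure in this post and the Forces Penpals exposure above (documents misrouted to an insecure storage directory) are the same mistake: an object that should be private is written to a location readable by anyone. The following added example, which is not code from Jack'd, Online Buddies or Forces Penpals, models it with an in-memory stand-in for a bucket or directory tree: a router that picks the destination from the file extension (so a proof-of-service scan saved as a JPEG lands beside public profile photos), the corrected router that keys on the upload's declared purpose and fails closed, and an audit that lists what sits in the public location but should not. All names, purposes and uploads are constructed.

```python
"""Routing uploads to public or private storage by declared purpose, with an audit.

Added example, not code from Jack'd, Online Buddies or Forces Penpals. The
Storage class stands in for a directory tree or an object-storage bucket;
the sample uploads are constructed.
"""
import os
from dataclasses import dataclass
from typing import Callable, Dict, List

# Purposes whose objects may live in the public-read location.
PUBLIC_PURPOSES = {"profile_photo"}
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png"}


@dataclass
class Upload:
    filename: str
    content: bytes
    purpose: str  # declared by the upload endpoint: "profile_photo", "proof_of_service", "private_photo", ...


def route_buggy(upload: Upload) -> str:
    """Buggy router: anything that looks like an image is treated as a public
    profile photo, regardless of what the upload actually is. A scanned
    service document or a private photo saved as JPEG goes public."""
    ext = os.path.splitext(upload.filename)[1].lower()
    return "public" if ext in IMAGE_EXTENSIONS else "private"


def route_fixed(upload: Upload) -> str:
    """Fixed router: the declared purpose decides, and anything that is not
    explicitly allowed to be public stays private (fail closed)."""
    return "public" if upload.purpose in PUBLIC_PURPOSES else "private"


class Storage:
    """Stand-in for a bucket or directory tree; keys look like 'public/name'."""

    def __init__(self) -> None:
        self.objects: Dict[str, Upload] = {}

    def put(self, upload: Upload, router: Callable[[Upload], str]) -> str:
        key = f"{router(upload)}/{upload.filename}"
        self.objects[key] = upload
        return key

    def audit_public(self) -> List[str]:
        """List every object in the public location whose purpose does not
        belong there: the check a periodic storage review should run."""
        return sorted(key for key, up in self.objects.items()
                      if key.startswith("public/") and up.purpose not in PUBLIC_PURPOSES)


# Constructed sample uploads (content bytes are placeholders).
SAMPLE_UPLOADS = [
    Upload("selfie.jpg", b"\xff\xd8...", "profile_photo"),
    Upload("service_record_scan.jpg", b"\xff\xd8...", "proof_of_service"),
    Upload("private_01.png", b"\x89PNG...", "private_photo"),
    Upload("id_card.pdf", b"%PDF-...", "proof_of_service"),
]


def run_demo(router: Callable[[Upload], str]) -> Storage:
    """Store every sample upload with the given router and return the storage."""
    storage = Storage()
    for up in SAMPLE_UPLOADS:
        storage.put(up, router)
    return storage


if __name__ == "__main__":
    print("misplaced with buggy router:", run_demo(route_buggy).audit_public())
    print("misplaced with fixed router:", run_demo(route_fixed).audit_public())
```

The audit is as important as the fix: the Jack'd photos sat in a readable bucket for at least a year, and Forces Penpals does not know how long its documents were exposed, which is exactly the gap a scheduled review of the public location closes.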


New York Attorney General Letitia James said the app breached the trust as well as invaded into users' privacy.

Ms. James said: "The app put users' sensitive information and private photos at risk of exposure and the company didn't do anything about it for a full year just so that they could continue to make a profit."


The firm has promised to implement a "comprehensive security program" so that incidents like this are avoided and its users' privacy is protected.