A security researcher has discovered an unsecured Elastic database associated with dating apps, leaving easily identifiable data exposed. Jeremiah Fowler, who has been working in the security software industry for over 10 years, found the database, which held information about US dating app customers, including their sexual preferences, lifestyle choices, and whether they were unfaithful to their partners. Fowler wrote on Security Discovery, "it is easy for anyone to identify a large number of users with relative accuracy based on their 'User ID.'"
According to Fowler, the IP address for the database was located on a US server, and the majority of users appeared to be Americans. Although the data was hosted by "multiple dating applications," he found on further investigation that they were developed by separate companies or individuals.
He was able to identify the users' real identities online, as the dating applications logged and stored users' IP addresses, ages, locations, and user names. "Like most people, your online persona or user name is usually well crafted over time and serves as a unique cyber fingerprint," wrote Fowler.
He attempted to contact the email addresses associated with the applications and to identify an address and phone number from the Whois domain registration. "The address that was listed there was Line 1, Lanzhou and when trying to validate the address I discovered that Line 1 is a Metro station and is a subway line in Lanzhou," he explained on his blog. "The phone number is basically all 9’s and when I called there was a message that the phone was powered off.
"I am not saying or implying that these applications or the developers behind them have any nefarious intent or functions, but any developer that goes to such lengths to hide their identity or contact details raises my suspicions. Call me old fashioned, but I remain skeptical of apps that are registered from a metro station in China or anywhere else."
Terry Ray, senior vice president and Imperva Fellow, told Infosecurity that he agrees with Fowler's sentiments: "There are several strange things about this leaky database, especially the fact that the applications appear to target English speakers yet have, at least in one app, a business location in China, as well as having all owner or admin contact falsified or unavailable. It makes you wonder who is storing this data from these particular dating apps and what the underlying purpose is.
"Furthermore, why are multiple dating apps storing their data in the same place, yet little or no connection between the apps, their product names or their business contacts?"
At the time of writing his blog, Fowler disclosed that the database was still "publicly accessible" and that, despite the large number of users, it contained no personally identifiable information. He had not received responses to his emails. "What concerns me most is that the virtually anonymous app developers could have full access to users’ phones, data, and other potentially sensitive information," he wrote. "It is up to users to educate themselves about sharing their data and understand who they are giving that data to. This is another wake-up call for anyone who shares their private information in exchange for some kind of service."
According to Verizon, 22% of data breaches in 2017 involved the use of stolen credentials, with 36% of compromised data being personal information such as name, birthday and gender.
"Although the article notes that this database wasn’t storing personally identifiable information, the writer was, in fact, able to ‘identify’ some of the ‘persons’ with the credentials found, this highlights the importance that if you are storing user data, you are responsible for ensuring that data is protected," Ray told Infosecurity. "Further, if you’re an app user and want to remain anonymous, make sure you use different usernames and passwords as much as possible."