Global users of 70+ dating and e-commerce sites have had their personal data exposed after a popular marketing software provider misconfigured an online database.
Discovered by an ethical hacker and reported to vpnMentor, the issue is an Elasticsearch database exposed to the internet without authentication or encryption, managed by Cyprus-headquartered Mailfire.
“The data was being stored on an Elasticsearch database, which is ordinarily not designed for URL use,” the researchers explained. “However, we were able to access it via browser and manipulate the URL search criteria into exposing schemata from a single index at any time.”
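What the researchers describe is the ordinary Elasticsearch REST API answering anyone who can reach the port: the root endpoint returns the cluster name and version, and `_cat/indices` lists every index and its document count, all before a single `_search` is issued. The following audit script is an added example for this article, not vpnMentor's or Mailfire's tooling; it assumes a hypothetical host and port passed on the command line and reports whether the cluster answers unauthenticated, which is exactly the condition that put the Mailfire data in reach of a browser.

```python
"""Check whether an Elasticsearch HTTP endpoint answers without authentication.

Added example for this article (not vpnMentor's or Mailfire's code).
The target URL is a hypothetical command-line argument; nothing here is
specific to the Mailfire cluster.
"""
import json
import sys
import urllib.error
import urllib.request

# Verdicts returned by classify_response().
OPEN = "OPEN: unauthenticated read access"
AUTH_REQUIRED = "auth required"
FORBIDDEN = "forbidden"
NOT_ES = "not elasticsearch"


def classify_response(status, body):
    """Classify the reply to GET <base>/ (the Elasticsearch root endpoint).

    An unsecured cluster answers 200 with a JSON document carrying
    "cluster_name" and "version": anyone who can reach the port can then
    read every index. A cluster with security enabled answers 401 or 403.
    """
    if status == 401:
        return AUTH_REQUIRED
    if status == 403:
        return FORBIDDEN
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return NOT_ES
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            return OPEN
    return NOT_ES


def exposed_indices(cat_indices_json):
    """Parse a _cat/indices?format=json reply into (index, document count) pairs.

    This is the listing the researchers could pull through a browser; it
    shows what is readable before any query is run. System indices (names
    starting with '.') are skipped; a closed index reports no doc count, so
    treat a missing value as 0.
    """
    rows = json.loads(cat_indices_json)
    return [
        (row["index"], int(row.get("docs.count") or 0))
        for row in rows
        if not row["index"].startswith(".")
    ]


def fetch(url, timeout=5):
    """GET url and return (status, body); 4xx/5xx still yield their status."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")


def audit(base_url):
    """Probe the root endpoint; if it is open, enumerate readable indices."""
    base = base_url.rstrip("/")
    status, body = fetch(base + "/")
    verdict = classify_response(status, body)
    print(f"{base}: {verdict}")
    if verdict == OPEN:
        status, body = fetch(base + "/_cat/indices?format=json")
        if status == 200:
            for name, count in exposed_indices(body):
                print(f"  index {name}: {count} documents readable")
    return verdict


if __name__ == "__main__":
    # Hypothetical target; a cluster on a private interface is the default.
    audit(sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:9200")
```

Run it against a cluster you are authorised to test; an `OPEN` verdict means the fix is to bind `network.host` to a private interface and enable authentication and TLS on the HTTP layer rather than to rely on the obscurity of port 9200. The same open condition is what the "Meow" campaign mentioned later in this article scans for before wiping indices.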
The database itself sat behind a notification tool used by Mailfire clients to market to their users and notify them about private chat messages.
Most of the 70+ sites affected were dating sites from around the world, including South America and Asia.
When first discovered, the database was storing over 882GB of data from the previous four days. This contained over 370 million records for 66 million individual notifications sent during that time. These were mainly sent to alert users of new messages from potential dating matches, said vpnMentor.
As such, personally identifiable information (PII) including full names, ages and dates of birth, gender, email addresses, locations, IP addresses and profile pics were exposed, as well as potentially embarrassing conversations between dating site users.
“It’s also possible older data had been stored before this time,” said vpnMentor. “However, it appears that the exposed server was the victim of a recent and ongoing ‘Meow’ cyber-attack campaign that has been targeting unsecured Elasticsearch servers and wiping their data.”
The leak could have exposed hundreds of thousands of users from over 100 countries to the risk of fraud, identity theft and phishing/malware, account takeover, and potentially even blackmail.
Interestingly, many of the sites affected by the leak appeared to be scams themselves, flooded with chatbots and fake profiles to encourage sign-ups.
“We found throughout several websites that disingenuous accounts were a huge issue. Many profile photos used were registered on scam databases or reused across accounts. Some were simply photos of celebrities found online,” explained vpnMentor.
“Many of the sites had complicated, difficult to understand payment structures and some refused to offer refunds. Some required a credit card as ‘proof of age,’ yet the fine print declared the card would be charged $29.90 monthly.”
When notified, Mailfire took full responsibility for the incident and immediately remediated the leak.