IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Niche dating apps expose almost 1TB of user data

Sensitive material, including images and voice recordings, has been exposed due to a misconfigured AWS S3 bucket

More than 20 million files owned by several dating apps were recently exposed, leaking sensitive information ranging from explicit media to the entire infrastructures of the apps.

Approximately 845GB of user and app data was leaked through a single misconfigured AWS account hosting data from a wide selection of niche dating apps, including Cougary, Xpal and CasualX, among others. 

The “incredibly sensitive” files included media such as images and audio recordings, as well as private message exchanges, and evidence of financial transactions. The breach also exposed the various apps’ entire AWS infrastructure through unsecured admin credentials and passwords.

This leak affected at least 100,000 users, although it could potentially affect millions, according to researchers with vpnMentor, who stumbled on the database as part of a huge web-mapping project.

The S3 buckets contained limited personally identifiable information (PII), although many of the files directly or indirectly exposed individuals as they included photos with visible faces, user names and financial data.

“Our team was able to access this bucket because it was completely unsecured and unencrypted,” vpnMentor said in a post.

“As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. We reached out to the developers, not only to let them know about the vulnerability but also to suggest ways in which they could make their system secure.”

The research team added it’s important to note that publicly accessible S3 buckets are not a flaw of AWS, and usually arise as a result of an error by the owner of the bucket.

In cases such as that of these dating apps, the easiest remedy would be to make the bucket private and add authentication protocols, follow AWS access and authentication best practices, and add further layers of protection to S3 buckets to restrict who can access it from every point of entry.

The research team reached out to the owner of one of the apps, 3somes, on 24 May to present its findings. The developer responded asking for additional details, after which point vpnMentor offered the URL of the misconfigured bucket and mentioned the other buckets owned by apparent sister companies were open too.

Although there was no further communication, on 27 May the S3 buckets belonging to every other app were re-secured, confirming vpnMentor’s assumption that all the services shared a common developer.

“Using the images from various apps, hackers could create effective fake profiles for catfishing schemes, to defraud and abuse unwary users,” the vpnMentor post continued.

“Given the nature of many of these apps – in some cases involving financial transactions, fetishes, and STIs – having your presence on the app made public could create immense stress in your personal life.”

The research team has previously discovered a string of leaked databases in the past few months and years. For example, vpnMentor found that millions of text messages leaked through an exposed TrueDialog server in December 2019. 

More recently, a huge leak exposed a wealth of personal and financial data held by British consultancy firms in January, as well as thousands of professionals, ranging from expenses forms to personal names and addresses.

Featured Resources

Accelerating healthcare transformation through patient-centred medtech solutions

Seize the digital transformation opportunities to streamline patient care and optimise patient outcomes

Free Download

Big payoffs from big bets in AI-powered automation

Automation disruptors realise 1.5 x higher revenue growth

Free Download

Hyperscaler cloud service providers top ten

Why it's important for companies to consider hyperscaler cloud service providers, and why they matter

Free Download

Strategic app modernisation drives digital transformation

Address business needs both now and in the future

Free Download

Most Popular

Empowering employees to truly work anywhere
Sponsored

Empowering employees to truly work anywhere

22 Nov 2022
Unpatched Exchange servers could be behind Rackspace's ransomware attack
zero-day exploit

Unpatched Exchange servers could be behind Rackspace's ransomware attack

7 Dec 2022
What we can learn from the supercomputer revolution
Sponsored

What we can learn from the supercomputer revolution

1 Dec 2022