Photos and conversation screenshots of about 100,000 people leaked from fetish dating apps and similar services



Dating services handle their users' personal information, so that data must be protected securely. Even so, in 2015 a large amount of personal information leaked from an adultery-focused social network was published on the net. Now researchers have discovered that photos and conversations exchanged on multiple dating services for people with specific tastes are publicly accessible on the Internet.

Report: Niche Dating Apps Expose 100,000s of Users in Massive Data Breach
https://www.vpnmentor.com/blog/report-dating-apps-leak/

Noam Rotem and Ran Locar, members of a team of researchers at the VPN information site vpnMentor, discovered that the information of more than 100,000 users was leaked from dating sites aimed at people with specific preferences, such as "cougars" (women aged 40 and over who prefer younger men), queer people, fetishes, group sex, and people with herpes.

The investigation found that the applications were made by the same developer and that the photos uploaded by users were stored in the same Amazon Web Services (AWS) account. This not only puts user information at risk, but also exposes the structure of multiple apps on AWS.

This AWS account stored data related to the following services.

・3somes
・CougarD
・DADDY BEAR
・Xpal
・BBW Dating
・Casualx
・SugarD
・HerpesDating
・GHunt

The designs of the websites are very similar, which suggests that they were designed by the same person. Below is BBW Dating, a dating service for plus-sized people...



Herpes Dating, a dating service for people with herpes and sexually transmitted diseases, looks like this.



The application operator is located in China and the United States. The leaked data totals 845 GB in 20,439,462 files, and more than 100,000 users, mainly in the United States, had their data leaked.

The data includes pictures, private chat screenshots, money transfer information, voice recordings, and limited personally identifiable information. The data was not protected and was stored in an unencrypted Amazon S3 bucket.

Examples of the leaked photos follow. They are pixelated here for privacy, but the actual photos were not processed.

A message saying 'Daddy, thank you for your payment'...



A picture of the user's face.



Chat message with contact information.



Self-portrait photo of the upper body.



A message saying 'I'm busy drinking water in the toilet'.



Screenshot showing the transfer.



The researchers noticed the data leak on May 24, 2020. After conducting a detailed investigation, they contacted the dating service '3somes' on the 26th and told it that 3somes' information was leaking from the S3 bucket and that the data of the sister company appeared to be in the same situation. 3somes replied on the 27th and took measures the same day.

If information from a dating app is leaked, its users can be targeted by malicious hackers and subjected to various forms of attack. For example, hackers can use leaked images to create convincing fake profiles for phishing scams. In addition, although the personally identifiable information leaked this time was limited, it could still be used to threaten a user with 'disclosing to acquaintances that you are a user of the application'.

In response to this data leak, the researchers urged the application developers to 'protect the server', 'implement appropriate access rules', and 'not expose systems that do not require authentication on the Internet'. They also encourage users to 'contact the developer if they are worried about the measures being taken to protect their data.'

in Note, Posted by darkhorse_log