Mobifriends is a social platform, available via Google Play, that allows its users to interact and share ideas and interests with new acquaintances via video and text chat. Critically, the stolen data includes users’:
Email addresses
Usernames
MD5 hashed passwords
Phone numbers
Dates of birth
Gender information
Website activity logs.
According to Threat Post these details were put up for sale on an underground forum.
Additionally, a number of exposed emails belong to users from companies like Virgin Media, Experian, Walmart, American International Group (AIG), and other Fortune 1000 companies. MobiFriends has not commented on the security incident nor provided details about how the breach transpired.
Looking into the issue for Digital Journal, Bitglass CTO Anurag Kahol explains why the data loss happened and why these types of apps are so appealing to hackers: “Dating apps and sites store massive troves of personally identifiable information (PII) on users, including email addresses, birth dates, genders, and more.”
This not only makes attacking these types of apps attractive, it also means there are many ways in: “Any security complication could result in a devastating breach or leak that would leave victims vulnerable to highly tailored phishing attacks and identity theft for years to come.”
With the specific incident, Kahol says: “In this MobiFriends incident, users’ passwords were also exposed–this is particularly concerning as people commonly reuse passwords across multiple platforms. In fact, a staggering 65 percent of people use the same password for multiple or all of their accounts.”
In terms of what users of the dating app should do in response to the news, Kahol advises: “As just one step in trying to control the damage, impacted users should change their passwords on all of the accounts where they used these now exposed credentials. In general, consumers must make it a habit to diversify their login credentials across different accounts if they are to mitigate the chances of their accounts being hijacked.”
How the attack took place remains unknown. What is known is that the passwords were stored as MD5 hashes. MD5 is a fast, general-purpose hash that the industry has long regarded as unsuitable for password storage: its collision resistance is broken, and, more importantly here, it is cheap to compute at billions of guesses per second on commodity GPUs. If the hashes were also unsalted (the reports do not say), identical passwords produce identical hashes, so the common passwords in the dump can be recovered with a single wordlist or lookup-table attack. In practice a leaked column of MD5 password hashes should be treated as if the passwords themselves were exposed. However, Kahol explains there are general protective measures that businesses operating such apps should have in place: “Organizations must have complete visibility and control over their data to identify and remediate any vulnerabilities that could be exploited.”
Kahol advises further: “Additionally, real-time protections are now more critical than ever due to privacy regulations such as GDPR and CCPA. To prevent similar incidents and safeguard customer data, organizations must leverage multi-faceted solutions that enforce real-time access control, detect misconfigurations, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent data leakage. They must also verify their users with tools like multi-factor authentication to validate their identities before granting them access to their systems.”
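To make the MD5 point concrete, the following Python example (added here; it is not code from the article, from MobiFriends, or from Bitglass) shows how a dump of unsalted MD5 password hashes is recovered with a small dictionary attack, and what a salted, deliberately slow password hash from the standard library looks like instead. The three "leaked" records and the wordlist are constructed for the example; the hash values are simply MD5 of well-known weak passwords, not data from the breach.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample of what a leaked "MD5 hashed passwords" column looks like.
# These are NOT real breach records; each value is md5() of a common password.
LEAKED_MD5: Dict[str, str] = {
    "alice@example.com": "5f4dcc3b5aa765d61d8327deb882cf99",  # md5("password")
    "bob@example.com":   "e10adc3949ba59abbe56e057f20f883e",  # md5("123456")
    "carol@example.com": "25d55ad283aa400af464c76d713c07ad",  # md5("12345678")
}

# A tiny constructed wordlist standing in for the multi-gigabyte lists attackers use.
WORDLIST: List[str] = ["letmein", "password", "123456", "qwerty", "12345678", "iloveyou"]


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def crack_unsalted_md5(leaked: Dict[str, str], wordlist: List[str]) -> Dict[str, str]:
    """Dictionary attack against unsalted hashes.

    Each candidate password is hashed exactly once; the resulting table is then
    looked up for every user at once. Without a salt, identical passwords hash
    identically, so the same table (or a precomputed rainbow table) works across
    all accounts and across breaches. Returns {user: recovered_password}.
    """
    table = {md5_hex(word): word for word in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


# Hardened form: per-user random salt plus a slow key-derivation function.
# PBKDF2-HMAC-SHA256 is used because it ships in the standard library; the
# iteration count follows OWASP's 2023 guidance for that algorithm.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing string: algo$iterations$salt_hex$dk_hex."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Six MD5 computations recover all three accounts.
    print("recovered:", crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    # Same password, two users: salted storage yields different records, so an
    # attacker must repeat the (slow) work per user instead of sharing a table.
    a, b = hash_password("password"), hash_password("password")
    print("salted records differ:", a != b)
    print("verify ok:", verify_password("password", a))
```

The asymmetry is the whole point: the attack loop costs one fast MD5 per wordlist entry regardless of how many users were leaked, whereas with a per-user salt and a slow KDF the attacker pays the full iteration cost for every candidate against every account.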