Online dating app Heyyo’s server was not password protected and and issue with the server led to the app’s entire userbase being exposed online. The data exposed included the following, according to ZDNet:
Names, Phone numbers, Email addresses, Dates of birth, Gender, Height, Profile pictures and other images, Facebook IDs for users who linked their profiles, Instagram IDs for users who linked their profiles, Longitude and latitude, Who liked a user’s profile, Liked profiles, Disliked profiles, Superliked profiles, Blocked profiles, Dating preferences, Registration and last active date, and Smartphone details.
The unsecured server was discovered by security researchers at WizCase. What is of greatest concern is that the exposed information included user location, meaning that bad actors could leverage this info to stalk impacted users.
Commenting on the data breach to Digital Journal, Eve Maler, vice president of innovation & emerging technology, ForgeRock, says that the type of serve is noteworthy: “Heyyo joins Glynk as another dating app to suffer from a significant data leak due to an exposed Elasticsearch database.”
She also notes the significance of the information: “The leaked user data is more than enough information for hackers to launch spear-phishing or extortion campaigns—where bad actors leverage users’ dating life and habits as blackmail—similar to the Ashley Madison extortion scheme. This instance shows how in addition to cyber threats, there are real-world, physical dangers that can result from security issues.”
In terms of lessons for businesses, Maler says security is key: “Many Elasticsearch database breaches and leaks stem from organizations leaving their servers unprotected with no password. However, with cybercriminals constantly crafting and innovating sophisticated attacks, an organization’s security efforts should not stop there.”
In terms of enhanced security, she recommends: “Online dating services and all other organizations need to take the extra step to safeguard their databases by investing in comprehensive identity and access management tools. By deploying a modern identity and access management (IAM) solution that provides intelligent, contextual and continuous security and has the capability of demanding further identity validation after detecting abnormal behavior, like multifactor authentication (MFA), companies can ensure the safety of their data and maintain the trust of their users.”