Leaking server exposes users to dating network
A database left exposed online without a password has leaked the personal details of hundreds of thousands of users who had registered with online dating sites.
The leaked database, an Elasticsearch server, was discovered in late August by security researchers at vpnMentor.
The database was taken offline on September 3, after vpnMentor identified its owner as Mailfire, a company that provides online marketing tools.
vpnMentor researchers said the database stored copies of push notifications that various online sites send to their users through Mailfire's push notification service.
Push notifications are real-time messages that businesses can send to smartphone or browser users who have opted in to receiving such messages.
The leaked database stored over 882 GB of log files relating to push notifications sent through the Mailfire service, with the logs updated in real time as new notifications were sent.
In total, vpnMentor said the log files contained details of 66 million individual notifications sent in the previous 96 hours, with personal details for hundreds of thousands of users.
vpnMentor, which analyzed the data leaked during the search for the owner of the database, said it found notifications belonging to more than 70 websites.
Some of the sites were e-commerce stores and African classifieds networks; however, the vast majority of notifications came from domains related to dating sites.
These dating sites promised men the opportunity to find a young female partner in various parts of the world, such as Eastern Europe or East Asia.
Most of these sites used similar visual designs and, while operating under different domains, seemed to be part of a larger network.
Without a doubt, the notifications sent by this network of dating sites were just spam, trying to get users to come back to the site, claiming that a new user had sent them a message.
But while spamming users with push notifications isn’t much of a problem, especially if users agreed to receive those messages, the problem was that personal data was involved as well.
From copies of the exposed logs seen by ZDNet, the leaking Elasticsearch server not only contained copies of the notifications, but also included a "debugging" section where the personal information of the user receiving the notification was recorded as well.
Some of the data we found in these debug fields included names, age, gender information, email addresses, general geographic locations, and IP addresses.
In addition, the notifications also contained links to the user's profile, to be opened when the user clicked or tapped on the notification. These links embedded authentication keys, meaning anyone with that URL could have accessed a user's profile on the dating site without needing a password.
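The two failures described above, personal data written into a debug section of the notification log and bearer credentials embedded in the notification link, are both things a logging pipeline can catch before a record is stored. The following is an added example written for this article, not code from ZDNet, vpnMentor or Mailfire: it audits a single notification log record, flags personal data in the debug block and credential parameters in the URL, and returns a redacted copy that is safe to retain. The record layout, the field names and the token parameter names are assumptions modelled on the article's description, not Mailfire's real schema, and the sample record is constructed.

```python
"""Added example (not from the article or from Mailfire/vpnMentor): audit a
push-notification log record for personal data in debug fields and for
credential-bearing links, then produce a redacted copy fit for retention.
Field names, token parameter names and the sample record are assumptions."""
from __future__ import annotations

import copy
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Debug-field keys holding the categories of personal data the article lists
# (names, age, gender, email, location, IP). Constructed list, not a real schema.
PII_KEYS = {"name", "first_name", "last_name", "age", "gender", "email",
            "location", "city", "country", "ip", "ip_address"}

# Query-string parameters treated as bearer credentials in notification links.
# Assumed names; the article only says the links carried "authentication keys".
TOKEN_PARAMS = {"token", "auth", "auth_key", "key", "session"}

# Catch PII that hides under an unexpected key by matching its shape.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scrub_url(url: str) -> tuple[str, list[str]]:
    """Strip credential parameters from a link; return (clean_url, removed_params)."""
    parts = urlsplit(url)
    kept, removed = [], []
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        if k.lower() in TOKEN_PARAMS:
            removed.append(k)
        else:
            kept.append((k, v))
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path,
                        urlencode(kept), parts.fragment))
    return clean, removed


def audit_record(record: dict) -> dict:
    """Return {'findings': [...], 'redacted': <copy of record safe to keep in logs>}."""
    findings: list[str] = []
    out = copy.deepcopy(record)  # never mutate the caller's record

    # 1. Debug block: redact known PII keys and any value shaped like an email or IP.
    debug = out.get("debug", {})
    for key in list(debug):
        value = str(debug[key])
        if key.lower() in PII_KEYS or EMAIL_RE.search(value) or IPV4_RE.search(value):
            findings.append(f"debug.{key}: personal data present")
            debug[key] = "[REDACTED]"

    # 2. Link: remove bearer credentials so a leaked log cannot grant profile access.
    if "url" in out:
        clean, removed = scrub_url(out["url"])
        for p in removed:
            findings.append(f"url: credential parameter '{p}' present")
        out["url"] = clean

    return {"findings": findings, "redacted": out}


# Constructed sample record; every value is invented and does not come from the leak.
SAMPLE = {
    "site": "example-dating.invalid",
    "message": "A new member sent you a message!",
    "url": "https://example-dating.invalid/profile/1234?auth_key=SECRET123&ref=push",
    "debug": {
        "name": "Jane Doe",
        "age": 34,
        "email": "jane@example.invalid",
        "ip": "203.0.113.7",
        "device": "android",
    },
}

if __name__ == "__main__":
    result = audit_record(SAMPLE)
    for finding in result["findings"]:
        print("FINDING:", finding)
    print(result["redacted"])
```

On the sample record the audit reports the four personal-data fields and the auth_key parameter, leaves the harmless device field alone, and returns the link as https://example-dating.invalid/profile/1234?ref=push. The point of the design is that redaction happens on the way into the log store, so an unauthenticated index, should one ever be exposed again, holds nothing that identifies a user or logs an attacker into their profile.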
Anyone who had found this database in the past few weeks could have known the identities of users who signed up on these dating sites and accessed their profiles to read private messages or view past connections.
As vpnMentor researchers pointed out, this leaking server was an impending disaster. If this data had leaked online, users of these sites would most likely have faced extortion attempts, similar to the blackmail attempts Ashley Madison users have faced for years. Those extortion attempts have had serious consequences for Ashley Madison users, with some committing suicide after their private love lives were exposed to the public.
Mailfire did not return a request for comment. Some of the dating sites we found on the leaking server included Kismia, Julia Dates, Emilie Dates, Asian melodies, Ukrainian charm, Asian charm, JollyRomance, OneAmour, ValenTime, Rondevo, Victoria Brides, Loveeto, Oisecret, WetHunt, Cum2Date, Jolly.me, and many more.