Expert Comment: Heyyo Dating App Leaked Users’ Personal Data, Photos etc.

By ISBuzz Team, Writer, Information Security Buzz | Sep 25, 2019 06:38 am PST

Security experts comment on the news that online dating app Heyyo left a server exposed on the internet without a password. The Elasticsearch database exposed the personal details, images, location data, phone numbers and dating preferences of nearly 72,000 users, believed to be the app’s entire userbase. Because phone numbers were included in the database, the exposed server allowed anyone with a web browser to contact some of the affected users.

7 Expert Comments
Robert Ramsden Board
September 26, 2019 2:42 pm

Another unsecured Elasticsearch engine, another dating app data breach. Servers should never be left without authentication or a password. This is just basic cybersecurity hygiene, but unfortunately for companies using default or misconfigured security settings, data breaches are becoming a regular occurrence and this is just the latest example.

The data leaked exposes users to a host of security threats, which could leave them vulnerable to scammers. Threats range from identity theft, catfishing, blackmail and sexual harassment to phishing. Users should be cautious about the information they share on dating apps and stay alert to any suspicious activity or interactions.

Warren Poschman, Senior Solutions Architect
September 26, 2019 2:36 pm

With the power of data analytics also comes great responsibility – unfortunately something that many organizations still fail to fully grasp, even after numerous breaches. This most recent breach at Dealer Leads is also evidence that unsecured or misconfigured NoSQL instances continue to be prevalent, as the virtual low-hanging fruit for cybercriminals. Instead of remaining sanguine, it’s time for organizations to face reality and act to secure their data. This starts with following best practices for configuration, something that is widely available for each platform, as well as implementing data-centric security to protect and deidentify data – something that is designed to be analytics friendly and strongly protects the data regardless of what it is stored in, who has possession of it, or whether the system or perimeter is compromised.

Terry Ray, Senior Vice President and Fellow
September 26, 2019 1:50 pm

While this is by no means the first time we’ve seen personal information leaked from a dating app (in fact, just earlier this year the data from multiple dating apps was found to be stored on a leaky database), the breadth of information leaked in this case is startling. Beyond names, phone numbers, emails and other PII, the leaked data also included how people were utilizing the app and the interactions they had there.

Leaky databases and administrative misconfigurations are becoming a regularity, and it’s a relatively simple problem to fix. Too often, private information is collected, yet the collecting organization doesn’t monitor or protect who has access to the data, when the data is viewed, or whether the data has been stolen. In this case, the leaky server was brought to the attention of the company behind the app, yet they took no action to secure it. This is particularly worrying: if you are storing user data, you are responsible for ensuring that data is protected.

Robert Prigge
September 26, 2019 1:49 pm

Heyyo’s user database breach occurred because the information was left on a server without a password – another egregious lapse in security which is fueling the cybercrime market on the dark web. By exposing its users’ personal details, images, phone numbers, dating preferences and location data, Heyyo is giving criminals everything they need to perpetrate identity theft and account takeover. In 2019, we have seen an increase in online dating scams and attacks, such as catfishing, extortion, stalking and sexual assault. Because online dating sites often facilitate in-person meetings between two people, organizations need to make sure users are who they claim to be online – both in initial account creation and with each subsequent login. As online dating fraud continues to escalate, businesses must implement stronger means of user authentication for online dating sites, such as face-based biometric authentication, to protect users’ real-world safety and personal information.

Chris DeRamus, VP of Technology, Cloud Security Practice
September 26, 2019 1:47 pm

Like countless other organizations, Heyyo has left an Elasticsearch server unprotected, without a password, exposing highly sensitive user data. The exposed information included user location, meaning that bad actors could leverage this info to stalk impacted users, in addition to other cyberattacks like sophisticated phishing attacks. The dangers of exposing consumer information are not limited to the internet – there are very real risks to physical safety.

Consumers put their trust in companies by allowing them to collect and store their information. To honor the trust of app users and customers, organizations must be diligent in ensuring their data is protected with proper security controls. Database misconfigurations have proven time and time again to be the Achilles’ heel of many organizations that have suffered data breaches this year, yet there are very simple and highly effective solutions available to prevent this. Automated cloud security solutions can grant organizations the ability to detect misconfigurations and alert the appropriate personnel to correct the issue, or even trigger automated remediation in real time, so that Elasticsearch databases and other assets never have the opportunity to be exposed, even temporarily.

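The exposure the commenters describe (Robert Ramsden Board's "servers should never be left without authentication", and Chris DeRamus's point that the misconfiguration can be detected automatically) comes down to a single observable: an Elasticsearch node that answers `GET /` on port 9200 with its cluster information to a client presenting no credentials. The script below is an added example, not code from the article, from Heyyo or from any of the commenters. It classifies the root response of an Elasticsearch node as open, authentication-required or unreachable, and, for an open node, sums the document counts reported by `_cat/indices` to size the exposure. The sample responses embedded in it are constructed for the example; the hostnames in the usage note are placeholders.

```python
"""Check whether an Elasticsearch node is reachable without credentials.

Added example (not from the article). Only the response-classification
logic is exercised against constructed samples; probe() performs a live
request and must only be pointed at hosts you are authorised to test.
"""
import json
import urllib.error
import urllib.request

OPEN = "open"                    # cluster info served with no credentials
AUTH_REQUIRED = "auth_required"  # node rejects anonymous requests
UNREACHABLE = "unreachable"      # no TCP/HTTP answer at all
UNKNOWN = "unknown"              # something answered, but not like Elasticsearch


def classify_root_response(status, body):
    """Classify the reply to GET / on the Elasticsearch HTTP port.

    status: HTTP status code, or None when the connection failed.
    body:   decoded response body (may be empty).
    """
    if status is None:
        return UNREACHABLE
    if status in (401, 403):
        # X-Pack / Open Distro security answers anonymous requests with 401.
        return AUTH_REQUIRED
    if status == 200:
        try:
            info = json.loads(body)
        except ValueError:
            return UNKNOWN
        # An unauthenticated node returns its cluster name and the
        # "You Know, for Search" tagline to anyone who asks.
        if isinstance(info, dict) and ("cluster_name" in info or "tagline" in info):
            return OPEN
    return UNKNOWN


def summarize_indices(cat_indices_json):
    """Turn the JSON form of GET /_cat/indices?format=json into
    ({index_name: doc_count}, total_docs), skipping dot-prefixed system
    indices so the total reflects application data only."""
    per_index = {}
    for row in json.loads(cat_indices_json):
        name = row.get("index", "")
        if name.startswith("."):
            continue
        count = row.get("docs.count")
        per_index[name] = int(count) if count else 0   # closed indices report null
    return per_index, sum(per_index.values())


def _fetch(url, timeout):
    """GET url with no credentials; return (status, body) or (None, '')."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):
        return None, ""


def probe(host, port=9200, timeout=5):
    """Live check of one node. Returns (verdict, per_index, total_docs)."""
    base = f"http://{host}:{port}"
    verdict = classify_root_response(*_fetch(base + "/", timeout))
    if verdict != OPEN:
        return verdict, {}, 0
    status, body = _fetch(base + "/_cat/indices?format=json", timeout)
    if status != 200:
        return verdict, {}, 0
    per_index, total = summarize_indices(body)
    return verdict, per_index, total


# Constructed sample responses (not captured from any real server).
SAMPLE_ROOT_OPEN = json.dumps({
    "name": "node-1", "cluster_name": "elasticsearch",
    "version": {"number": "6.8.2"}, "tagline": "You Know, for Search",
})
SAMPLE_ROOT_AUTH = json.dumps({
    "error": {"type": "security_exception",
              "reason": "missing authentication credentials for REST request [/]"},
    "status": 401,
})
SAMPLE_INDICES = json.dumps([
    {"index": "users", "docs.count": "71950"},
    {"index": "messages", "docs.count": "240310"},
    {"index": ".kibana", "docs.count": "3"},
])

if __name__ == "__main__":
    # Replace the placeholder host with a node you own before running live.
    verdict, per_index, total = probe("es.example.internal")
    print(verdict, total, per_index)
```

Run as a script against your own inventory of hosts; a verdict of `open` with a non-zero document total is exactly the condition that turned Heyyo's database into a public download, and it is cheap enough to run from a scheduled job as the "automated detection" the last comment calls for. A result of `auth_required` only means anonymous access is refused; it says nothing about password strength or whether the port should be reachable from the internet at all.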
