Security experts on the news that online dating app, Heyyo has left a server exposed on the internet, without a password. The Elasticsearch database, exposed the personal details, images, location data, phone numbers, and dating preferences for nearly 72,000 users, believed to be the app’s entire userbase. The exposed server allowed anyone with a web browser to contact some of the users whose phone numbers were included in the database.
#SonicWall Dating app Heyyo appears to have left their entire userbase exposed online after a live server without a password was found by security researchers. via ZDNet https://t.co/DehrKcbE8A #breach
— Dachel (@dachelc) September 25, 2019
Another unsecure Elasticsearch engine, another dating app data breach. Servers should never be left without authentication or a password. This is just basic cybersecurity hygiene but unfortunately for companies using default or misconfigured security settings, data breaches are becoming a regular occurrence and this is just the latest example.
The data leaked exposes users to a host of security threats, which could leave them vulnerable to scammers. Threats range from identify theft, catfishing, blackmail, sexual harassment to phishing. Users should be cautious about the information they share on dating apps and stay alert to any suspicious activity or interactions.
With the power of data analytics also comes great responsibility – unfortunately something that many organizations still fail to fully grasp, even after numerous breaches. This most recent breach at Dealer Leads is also evidence that unsecured or misconfigured NoSQL instances continue to be prevalent, as the virtual low-hanging fruit for cybercriminals. Instead of remaining sanguine, it’s time for organizations to face reality and act to secure their data. This starts with following best practices for configuration, something that is widely available for each platform, as well as implementing data-centric security to protect and deidentify data – something that is designed to be analytics friendly and strongly protects the data regardless of what it is stored in, who has possession of it, or whether the system or perimeter is compromised.
While this is by no means the first time we’ve seen personal information leaked from a dating app, in fact just earlier this year the data from multiple dating apps were found to be stored on a leaky database, the breadth of information leaked in this case is startling. Beyond names, phone numbers, emails and other PII information the leaked data also included how people were utilizing the app and the interactions they had on there.
Leaky databases and administrative misconfigurations are becoming a regularity, and it’s a relatively simple problem to fix. Too often, private information is collected, yet the collecting organization doesn’t monitor or protect who has access to the data, when the data is viewed, or whether the data has been stolen. In this case, the leaky server was brought to the attention of the company behind the app, yet they took no action to secure it. This is particularly worrying if you are storing user data, you are responsible for ensuring that data is protected.
Heyyo’s user database breach occurred because the information was left on a server without a password – another egregious lapse in security which is fueling the cybercrime market on the dark web. By exposing its users’ personal details, images, phone numbers dating preferences and location data, Heyoo is giving criminals everything they need to perpetrate identity theft and account takeover. In 2019, we have seen an increase in online dating scams and attacks, such as catfishing, extortion, stalking and sexual assault. Because online dating sites often facilitate in-person meetings between two people, organizations need to make sure users are who they claim to be online – both in initial account creation and with each subsequent login. As online dating fraud continues to escalate, businesses must implement stronger means of user authentication for online dating sites, such as face-based biometric authentication, to protect users’ real-world safety and personal information.
Like countless other organizations, Heyyo has left an Elasticsearch server unprotected, without a password exposing highly sensitive user data. The exposed information included user location, meaning that bad actors could leverage this info to stalk impacted users, in addition to other cyberattacks like sophisticated phishing attacks. The dangers of exposing consumer information are not just limited to the internet – there are very real risks to physical safety.
Consumers put their trust in companies by allowing them to collect and store their information. To honor the trust of app users and customers, organizations must be diligent in ensuring their data is protected with proper security controls. Database misconfigurations have proven time and time again to be the Achilles’ Heel of many organizations that have suffered data breaches this year, yet there are very simple and highly effective solutions available to prevent this. Automated cloud security solutions can grant organizations the ability to detect misconfigurations and alert the appropriate personnel to correct the issue, or even trigger automated remediation in real-time so that Elasticsearch databases and other assets never have the opportunity to be exposed, even temporarily.