MobiFriends, a popular dating app, announced it suffered a data breach today impacting more than 3.6 million users. The data obtained from this breach includes email addresses, passwords, gender information and phone numbers. Additionally, the stolen passwords were encrypted with MD5, a weak hashing function.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
Dating apps and sites store massive troves of personally identifiable information (PII) on users, including email addresses, birth dates, genders, and more. Any security complication could result in a devastating breach or leak that would leave victims vulnerable to highly tailored phishing attacks and identity theft for years to come. In this MobiFriends incident, users’ passwords were also exposed–this is particularly concerning as people commonly reuse passwords across multiple platforms. In fact, a staggering 65% of people use the same password for multiple or all of their accounts. As just one step in trying to control the damage, impacted users should change their passwords on all of the accounts where they used these now exposed credentials. In general, consumers must make it a habit to diversify their login credentials across different accounts if they are to mitigate the chances of their accounts being hijacked.
How the data was accessed by attackers is still unknown; regardless, organisations must have complete visibility and control over their data to identify and remediate any vulnerabilities that could be exploited. Additionally, real-time protections are now more critical than ever due to privacy regulations such as GDPR and CCPA. To prevent similar incidents and safeguard customer data, organisations must leverage multi-faceted solutions that enforce real-time access control, detect misconfigurations, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent data leakage. They must also verify their users with tools like multi-factor authentication to validate their identities before granting them access to their systems.
Poor credential protection is a wide-spread issue, and time over again, we see breaches reoccur that expose millions of users’ account information due to the lack of simple security measures. Online applications such as MobiFriends that require users to create accounts and that collect personal customer data must at the very least implement basic cyber hygiene.
Despite being a consumer application, this hack should be very concerning for the enterprise. Since 99% of employees reuse passwords between work and personal accounts, the leaked passwords, protected only by the very outdated MD5 hash, are now in the hackers\’ hands. Even worse, it appears that at least some MobiFriends employees used their work email addresses as well, so it\’s entirely likely that full login credentials for employee accounts are amongst the nearly 4 million sets of compromised credentials.
In this case, the compromised user credentials could unlock nearly 10 million accounts due to rampant password reuse. A recent Balbix report found that the average password is reused 2.7 times, and the average user is sharing 8 passwords between work and personal accounts. Once a password is breached, one or more corresponding passwords have also been breached.
For MobiFriends, this should be a wake-up call to ensure a strong security posture. Appropriate encryption and a strong multifactor authentication strategy for access to all customer data must be adopted to properly protect user data. For the enterprise, this breach is yet another reminder that implementing a solid identity strategy can avoid the pitfalls of employee password reuse.
Email addresses, usernames and hashed passwords are examples of valuable information. Therefore, it is no surprise that hackers are targeting data apps like MobiFriends, which has around four million users, because they hold so much critical information.
There is no guaranteed way to prevent hackers from accessing this data, but there are solutions that protect the valuable information itself. Although the MobiFriends passwords were hashed, companies should look to deploy data security tactics such as tokenization where sensitive information is rendered completely unusable for unauthorized access rather than merely a challenge to decipher.
Implementing a solution such as tokenization is part of a larger data-centric strategy to be very proactive with sensitive data, to protect it immediately upon collection and then only de-protecting it when absolutely necessary within a controlled internal environment. The tools and processes of data-centric security go hand-in-hand.
Within the last year, we’ve seen a number of dating apps and sites suffer from major security incidents, such as Heyyo, 3Fun, and Coffee Meets Bagel. These online dating platforms collect and store extremely sensitive information on their users, making them an attractive target to data-hungry cybercriminals.
MobiFriends has exposed personal data on millions of users including email addresses, mobile numbers, dates of birth, gender information, and app activity as well as account usernames and passwords. The leaked data and compromised credentials are more than enough information for cybercriminals to launch sophisticated phishing and brute-force attacks against all impacted users. This is especially concerning given that so many users lack strong password hygiene across personal and work accounts.
To keep customer data and credentials protected from malicious actors, organizations must implement advanced cloud security measures. Companies such as MobiFriends should follow the principle of least-privileged access when provisioning identity and access management (IAM) permissions by providing checks to restrict identities from being able to access more than they are granted. This can be accomplished by employing automated security tools that continuously protect systems and servers from IAM vulnerabilities, as well as misconfigurations, policy violations, and other threats to ensure holistic security and compliance.
Additionally, organizations should implement multi-factor authentication (MFA) for all users, securely manage service accounts and their corresponding keys, and enforce best practices for the use of audit logs and cloud logging roles
It is always troubling to hear about passwords being stolen in a data breach, especially when the stolen passwords are hashed with MD5,which is infamous for no longer being cryptographically secure. Passwords and usernames have been the primary method of authenticating users for years. However, to ease the pain of remembering multiple sets of login credentials, users fall into the practice of reusing the same username and password combination across all accounts, personal and professional.
If login credentials are stolen in one data breach, the password reuse problem increases the odds of additional accounts being compromised, opening windows for bad actors to access more sensitive credentials. Even with a password manager, there is still a password and username combination being used to log in to applications, which means it can still be attacked by a bad actor who gains access to the information. As a result, four out of five global data breaches are caused by weak or stolen passwords.
In today’s advanced digital age, we are moving toward a passwordless future. With biometrics or push notifications, organizations can bring the same effortless authentication users experience on their smartphones (with technologies like Apple’s FaceID or Samsung’s Ultrasonic Fingerprint scanner) to every digital touchpoint. Not only does this ensure security, but it also provides users with frictionless, secure digital experiences.
The technology to eliminate the password for good exists, organizations just need to take the first step.