MobiFriends Data Breach: Expert Commentary

MobiFriends, a popular dating app, announced it suffered a data breach impacting more than 3.6 million users. The exposed data includes email addresses, passwords, gender information and phone numbers. The stolen passwords were not encrypted but stored as MD5 hashes; MD5 is a fast, broken hash function with no built-in work factor, so hashes produced with it offer little resistance to offline cracking and the affected passwords should be treated as exposed.
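To make the MD5 point concrete, the following is an added example (not code from MobiFriends or from this page) that cracks a constructed set of unsalted MD5 rows with a toy wordlist and then shows the storage design that defeats the same attack: a slow, memory-hard KDF (scrypt, from the Python standard library) with a random per-user salt. The e-mail addresses, digests and wordlist are constructed for illustration and are not breach data.

```python
"""
Why unsalted MD5 password storage fails, and what to use instead.

Added example; not code from MobiFriends or from this page. The "leaked"
rows, the wordlist and the e-mail addresses are constructed for
illustration and are not breach data.
"""
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample dump: e-mail -> unsalted MD5 hex digest, the layout a
# breached credential table typically has. The four digests are MD5 of
# "password", "123456", "qwerty" and "hello" respectively.
LEAKED_ROWS = {
    "alice@example.com": "5f4dcc3b5aa765d61d8327deb882cf99",
    "bob@example.com":   "e10adc3949ba59abbe56e057f20f883e",
    "carol@example.com": "d8578edf8458ce06fbc5bb76a58c5ca4",
    "dave@example.com":  "5d41402abc4b2a76b9719d911017c592",
}

# Constructed toy wordlist; a real attacker uses billions of entries from
# earlier breaches plus mangling rules.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "iloveyou"]


def crack_md5(leaked: dict, wordlist: list) -> dict:
    """Return {email: plaintext} for every row whose digest appears in wordlist.

    Because the hashes are unsalted, MD5 of each candidate is computed once
    and reused against every user: attacking millions of accounts costs the
    same as attacking one. MD5 also runs at billions of guesses per second on
    a single GPU, so common passwords fall in seconds.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {email: table[h.lower()] for email, h in leaked.items() if h.lower() in table}


# --- the corrected design: slow, memory-hard KDF with a per-user random salt ---

SCRYPT_LOG_N = 14          # n = 2**14; about 16 MiB per hash at r=8
SCRYPT_R, SCRYPT_P = 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hash with scrypt and a fresh 16-byte salt; return a self-describing string."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=1 << SCRYPT_LOG_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_LOG_N}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    scheme, log_n, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=1 << int(log_n), r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    cracked = crack_md5(LEAKED_ROWS, WORDLIST)
    print(f"cracked {len(cracked)}/{len(LEAKED_ROWS)} MD5 rows with a {len(WORDLIST)}-word list:")
    for email, pw in cracked.items():
        print(f"  {email}: {pw}")
    # Same password, two users: with per-user salts the stored values differ,
    # so a table built against one user is useless against the next.
    a, b = hash_password("123456"), hash_password("123456")
    print("salted hashes differ:", a != b)
    print("verify correct:", verify_password("123456", a),
          "wrong:", verify_password("1234567", a))
```

Run it as-is: three of the four constructed rows are recovered from a six-word list because one MD5 computation per candidate serves every user, while the scrypt output for the same password differs per user and costs tens of milliseconds and 16 MiB of memory per guess. The same pattern applies with bcrypt or Argon2id from a third-party library; scrypt is used here only because it ships with Python.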

Expert Comments

May 11, 2020
Ben Goodman
Senior Vice President, Global Business and Corporate Development
ForgeRock
It is always troubling to hear about passwords being stolen in a data breach, especially when the stolen passwords are hashed with MD5, which is infamous for no longer being cryptographically secure. Passwords and usernames have been the primary method of authenticating users for years. However, to ease the pain of remembering multiple sets of login credentials, users fall into the practice of reusing the same username and password combination across all accounts, personal and professional. If login credentials are stolen in one data breach, the password reuse problem increases the odds of additional accounts being compromised, opening windows for bad actors to access more sensitive credentials. Even with a password manager, there is still a password and username combination being used to log in to applications, which means it can still be attacked by a bad actor who gains access to the information. As a result, four out of five global data breaches are caused by weak or stolen passwords. In today's advanced digital age, we are moving toward a passwordless future. With biometrics or push notifications, organizations can bring the same effortless authentication users experience on their smartphones (with technologies like Apple's FaceID or Samsung's Ultrasonic Fingerprint scanner) to every digital touchpoint. Not only does this ensure security, but it also provides users with frictionless, secure digital experiences. The technology to eliminate the password for good exists; organizations just need to take the first step.
May 11, 2020
Scott Gordon
CMO
Pulse Secure
The MobiFriends breach is noteworthy beyond fueling the ever-growing volume of consumer PII and login credentials available on the dark web. As consumers often recycle passwords, the enterprise can be at risk from account takeover attacks. Passwords alone are no longer adequate to verify user access. Keep in mind that personal and corporate email accounts were exposed in this MobiFriends breach. With increased BYOD and work-from-home adoption, acceptable usage policy enforcement is paramount to ensure delineation between work and personal apps and information. In addition to user awareness training, it is crucial for organizations to amplify their Zero Trust security efforts by invoking multi-factor authentication and corporate workspace segregation technologies to mitigate enterprise data breaches.
May 11, 2020
Robert Prigge
CEO
Jumio
By exposing 3.6 million user email addresses, mobile numbers, gender information and app/website activity, MobiFriends is giving criminals everything they need to execute identity theft and account takeover. Cybercriminals can easily obtain these details, pretend to be the real user and commit online dating scams and attacks, such as catfishing, extortion, stalking and sexual assault. Because online dating sites often facilitate in-person meetings between two people, organizations need to make sure users are who they claim to be online, both in initial account creation and with each subsequent login. Passwords (even if hashed) can easily be guessed or discovered, rendering them inadequate to keep dating app accounts (or any account, for that matter) secure. As online dating fraud continues to grow in popularity, businesses must implement stronger means of user authentication, such as biometric authentication (using a person's unique traits to confirm identity), to protect users' real-world safety and personal information.
May 12, 2020
Anurag Kahol
CTO
Bitglass
Dating apps and sites store massive troves of personally identifiable information (PII) on users, including email addresses, birth dates, genders, and more. Any security complication could result in a devastating breach or leak that would leave victims vulnerable to highly tailored phishing attacks and identity theft for years to come. In this MobiFriends incident, users' passwords were also exposed. This is particularly concerning as people commonly reuse passwords across multiple platforms. In fact, a staggering 65% of people use the same password for multiple or all of their accounts. As just one step in trying to control the damage, impacted users should change their passwords on all of the accounts where they used these now exposed credentials. In general, consumers must make it a habit to diversify their login credentials across different accounts if they are to mitigate the chances of their accounts being hijacked. How the data was accessed by attackers is still unknown; regardless, organisations must have complete visibility and control over their data to identify and remediate any vulnerabilities that could be exploited. Additionally, real-time protections are now more critical than ever due to privacy regulations such as GDPR and CCPA. To prevent similar incidents and safeguard customer data, organisations must leverage multi-faceted solutions that enforce real-time access control, detect misconfigurations, encrypt sensitive data at rest, manage the sharing of data with external parties, and prevent data leakage. They must also verify their users with tools like multi-factor authentication to validate their identities before granting them access to their systems.
May 12, 2020
Vinay Sridhara
CTO
Balbix
Poor credential protection is a widespread issue, and time and again we see breaches recur that expose millions of users' account information due to the lack of simple security measures. Online applications such as MobiFriends that require users to create accounts and that collect personal customer data must at the very least implement basic cyber hygiene. Despite being a consumer application, this hack should be very concerning for the enterprise. Since 99% of employees reuse passwords between work and personal accounts, the leaked passwords, protected only by the very outdated MD5 hash, are now in the hackers' hands. Even worse, it appears that at least some MobiFriends users used their work email addresses as well, so it's entirely likely that full login credentials for employee accounts are amongst the nearly 4 million sets of compromised credentials. In this case, the compromised user credentials could unlock nearly 10 million accounts due to rampant password reuse. A recent Balbix report found that the average password is reused 2.7 times, and the average user is sharing 8 passwords between work and personal accounts. Once a password is breached, one or more corresponding passwords have also been breached. For MobiFriends, this should be a wake-up call to ensure a strong security posture. Appropriate encryption and a strong multifactor authentication strategy for access to all customer data must be adopted to properly protect user data. For the enterprise, this breach is yet another reminder that implementing a solid identity strategy can avoid the pitfalls of employee password reuse.
May 12, 2020
Trevor Morgan
Product Manager
comforte AG
Email addresses, usernames and hashed passwords are examples of valuable information. Therefore, it is no surprise that hackers are targeting dating apps like MobiFriends, which has around four million users, because they hold so much critical information. There is no guaranteed way to prevent hackers from accessing this data, but there are solutions that protect the valuable information itself. Although the MobiFriends passwords were hashed, companies should look to deploy data security tactics such as tokenization, where sensitive information is rendered completely unusable for unauthorized access rather than merely a challenge to decipher. Implementing a solution such as tokenization is part of a larger data-centric strategy to be very proactive with sensitive data: to protect it immediately upon collection and then only de-protect it when absolutely necessary within a controlled internal environment. The tools and processes of data-centric security go hand-in-hand.
May 12, 2020
Chris DeRamus
VP of Technology, Cloud Security Practice
Rapid7
Within the last year, we've seen a number of dating apps and sites suffer from major security incidents, such as Heyyo, 3Fun, and Coffee Meets Bagel. These online dating platforms collect and store extremely sensitive information on their users, making them an attractive target to data-hungry cybercriminals. MobiFriends has exposed personal data on millions of users including email addresses, mobile numbers, dates of birth, gender information, and app activity as well as account usernames and passwords. The leaked data and compromised credentials are more than enough information for cybercriminals to launch sophisticated phishing and brute-force attacks against all impacted users. This is especially concerning given that so many users lack strong password hygiene across personal and work accounts. To keep customer data and credentials protected from malicious actors, organizations must implement advanced cloud security measures. Companies such as MobiFriends should follow the principle of least-privileged access when provisioning identity and access management (IAM) permissions by providing checks to restrict identities from being able to access more than they are granted. This can be accomplished by employing automated security tools that continuously protect systems and servers from IAM vulnerabilities, as well as misconfigurations, policy violations, and other threats to ensure holistic security and compliance. Additionally, organizations should implement multi-factor authentication (MFA) for all users, securely manage service accounts and their corresponding keys, and enforce best practices for the use of audit logs and cloud logging roles.