Sensitive personal information of some 1.5 million users of several dating/cheating websites and apps has been found to be accessible via the Internet. This information includes the users’ username, (plaintext) password, email address, gender, date of birth, country of residence and photos, as well as sexual preferences.
MacKeeper researchers found the unsecured MongoDB database and traced it to New Zealand-based company C&Z Tech Limited, which runs haveafling.mobi, haveafling.co.nz, haveanaffair.co.nz, haveanaffair.mobi, hookupdating.mobi and the mobile application “Hook Up Dating”.
After the researchers notified the company that the database was wide open for anyone to peruse, the company thanked them for the heads-up but claimed that the database is mostly populated with dummy data and was set up only to test migrating data from SQL to MongoDB.
But the researchers are sceptical about this claim. “We highly doubt this was ‘testing’ data based on the type of files exposed and the massive number of accounts,” they noted.
They shared a small batch of the data they had copied from the leaking database with ZDNet reporters, who then tried to establish whether it is actually dummy data or not.
As it turns out, at least some of it is legitimate. “A painstaking account-by-account analysis of a random selection of more than 300 records suggested that this was live user data,” Zack Whittaker noted.
Among those who replied when contacted was one user who said he had deactivated his account; when he now checked whether he could still access it, he could. He was upset that the company had kept his data and stored it so insecurely.
An employee of C&Z Tech Limited told Whittaker that the majority of the data in the database was randomly generated, but that it also contained information about a small number of real users, who will be notified and have their passwords reset.
One of these affected users sent Whittaker a security notice he received from the company, which said that the user is required to log in to his account and change his password.
The company evidently did not invalidate the potentially compromised passwords once it was notified of the leaking database; what’s more, it simply told the user that the password reset was required because it was upgrading its system for security reasons.
This is more of a data leak than a breach, and in any case New Zealand is a country where breach reporting is currently not mandatory.
“If the people could suffer harm and need to act to protect themselves, for instance by changing their passwords or monitoring their bank accounts for malicious activity, then you should probably tell them about the breach and steps you are taking to mitigate it,” New Zealand’s Privacy Commissioner’s Office explains.
“If there’s no likely consequences from the breach, or if telling people would cause more worry and harm than not telling them, it may be acceptable not to tell affected individuals.”
C&Z Tech Limited claims that only the researchers accessed the database, so there is no reason to worry.