The vpnMentor research team, led by Noam Rotem and Ran Locar, uncovered a security flaw that exposed sensitive data from several niche dating apps. More than 20 million files, including explicit pictures shared by users, were left accessible. Initial analysis of the exposed data indicated that the apps share a common developer, since they use the same storage infrastructure and the same app design. The affected apps target people with alternative lifestyles, and the exposed data included sexual fetishes, dating preferences, and sexually transmitted infection (STI) status. The source of the leak was a misconfigured Amazon Web Services (AWS) account, and it was unclear whether anyone else had accessed the data before vpnMentor discovered the flaw.
List of niche dating apps affected by the breach
The breach affected niche dating apps catering to people with alternative lifestyles, sexual preferences, and fetishes. The niches served by the apps include cougar dating, group sex, queer dating, BBW dating, and dating for people with STIs such as herpes. Apps affected by the breach included 3somes, Cougary, Gay Daddy Bear, Xpal, BBW Dating, Casualx, SugarD, Herpes Dating, and GHunt, among others.
The nature of the leak indicates that the niche dating apps belong to, or at least share, a common developer. The design of the apps suggests that the developer cloned one dating app to create versions for different niches. Some apps, such as Gaydaddybear.com and Ghuntapp.com, also share the same AWS account for storage, and the apps use the same design, logos, and branding across their websites. Several of the apps also list Cheng Du New Tech Zone as the developer on the Google Play Store.
The researchers discovered the data breach as part of a web mapping project: vpnMentor regularly scans ports and IP ranges across the internet to look for exposed systems. According to vpnMentor, the exposed data was stored unencrypted and with no access controls at all.
On uncovering the data leak, vpnMentor contacted one of the affected apps, 3somes, which responded by asking for more information. vpnMentor supplied a link to the misconfigured AWS S3 bucket without mentioning the other affected apps. All the other apps were nonetheless secured at the same time, which supports the assumption that they share a common origin.
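The article does not say which setting left the bucket readable, so the following added example (written for this page; it is not vpnMentor's code or the app developer's) covers the two usual ways an S3 bucket ends up world-readable: a bucket policy whose Principal is "*" and a bucket ACL that grants the AllUsers or AuthenticatedUsers group. It parses the JSON documents that `aws s3api get-bucket-policy` and `aws s3api get-bucket-acl` return and reports the offending statements and grants. The sample policy, ACL, account ID, role name and bucket name `example-dating-uploads` are constructed for the example; the matching logic is a conservative heuristic, not AWS's full public-access evaluation.

```python
import json

# Well-known AWS group grantee URIs; a grant to either is effectively public.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"

# Actions that let an anonymous caller enumerate or download objects.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """'Principal': '*' and 'Principal': {'AWS': '*'} both mean anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_policy_statements(policy_json):
    """Return the Sid (or index) of each Allow statement that grants read access to everyone.

    A statement carrying a Condition is still reported, marked '(conditional)', because
    conditions such as aws:SecureTransport do not narrow who may call; review them by hand.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not _principal_is_public(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & READ_ACTIONS:
            label = stmt.get("Sid", "statement[%d]" % idx)
            if stmt.get("Condition"):
                label += " (conditional)"
            findings.append(label)
    return findings


def public_acl_grants(acl_json):
    """Return (group, permission) pairs from a GetBucketAcl response granted to public groups."""
    acl = json.loads(acl_json)
    grants = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS, AUTHENTICATED_USERS):
            grants.append((uri.rsplit("/", 1)[-1], grant.get("Permission")))
    return grants


def bucket_is_public(policy_json, acl_json):
    """True if either the bucket policy or the ACL opens the bucket to the world."""
    return bool(public_policy_statements(policy_json) or public_acl_grants(acl_json))


# Constructed sample documents (hypothetical bucket, account and role) in the shape
# the aws s3api commands return.
BUCKET = "arn:aws:s3:::example-dating-uploads"
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AppBackend", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-backend"},
         "Action": ["s3:PutObject", "s3:GetObject"], "Resource": BUCKET + "/*"},
        {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
        {"Sid": "PublicList", "Effect": "Allow", "Principal": {"AWS": "*"},
         "Action": "s3:ListBucket", "Resource": BUCKET},
        {"Sid": "OfficeOnly", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": BUCKET + "/*",
         "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"}}},
    ],
})
# The hardened policy keeps only the grant to the application's own IAM role.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [json.loads(LEAKY_POLICY)["Statement"][0]],
})
LEAKY_ACL = json.dumps({
    "Owner": {"ID": "0123456789abcdef"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
    ],
})
HARDENED_ACL = json.dumps({
    "Owner": {"ID": "0123456789abcdef"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "0123456789abcdef"}, "Permission": "FULL_CONTROL"}],
})

if __name__ == "__main__":
    print("policy:", public_policy_statements(LEAKY_POLICY))  # ['PublicRead', 'PublicList', 'OfficeOnly (conditional)']
    print("acl:", public_acl_grants(LEAKY_ACL))  # [('AllUsers', 'READ')]
    print("public after hardening:", bucket_is_public(HARDENED_POLICY, HARDENED_ACL))  # False
```

To run this against a real bucket, feed it the output of `aws s3api get-bucket-policy --bucket NAME --query Policy --output text` and `aws s3api get-bucket-acl --bucket NAME`. The more robust fix is to turn on S3 Block Public Access for the bucket (`aws s3api put-public-access-block --bucket NAME --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true`), which rejects both classes of misconfiguration regardless of what a later policy or ACL change says.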
The nature of the information contained in the exposed data
The breach exposed 845 gigabytes of data in more than 20 million files, affecting hundreds of thousands to millions of users. The leaked files had been uploaded from users' profiles and contained sensitive information, including personal details and private conversations.
The exposed data also included multimedia such as audio recordings and voice messages, photos taken and uploaded by users of the apps, and screenshots shared in private conversations. The screenshots included evidence of financial transactions and thank-you messages to sugar daddies. The personally identifiable information (PII) exposed included names, personal details, financial data, and pictures revealing users' faces.
Beyond user data, the exposure also put the apps' cloud infrastructure at risk: an attacker who reached the bucket could go on to access other company resources and use them to carry out further attacks. Hijacked cloud infrastructure of this kind also lets criminals hide their own identity behind the company's platform.
The risk posed by leaking alternate lifestyle data
The exposed data could be very lucrative for cybercriminals, given the sensitivity of sexual and health information. Criminals could use it for blackmail, extortion, doxing, and bullying, or to defame individuals and devastate their families, careers, and lives. Information about financial transactions, fetishes, and STIs could be used to humiliate victims and could even lead to murder or suicide.
Criminals could also use the information for financial fraud, for creating fake profiles for catfishing, and for gathering further information on users of other niche dating apps.
Many users of the exposed apps would do almost anything, including going into debt to pay the attackers, to ensure the data never reaches the public.