UPDATED 23:25 EDT / SEPTEMBER 25 2019

SECURITY

Cyber rerun: Dating app Heyyo exposes user data on unsecured Elasticsearch database

Exposing user data on unsecured cloud storage has become a broken record this year, one that won’t stop playing. The latest one came today from Heyyo, an online adult dating app.

Discovered and publicized today by security researchers at WizCase, the breach involved Heyyo data found exposed on an unsecured Elasticsearch database. The data involved 77,000 users and included user names, email addresses, countries, GPS locations, genders, dates of birth, dating histories, sexual preferences, social media account details, phone numbers and, in some cases, occupations.

Users came from a broad range of countries, including the U.S., Turkey, Brazil, Germany, Portugal, Spain and several countries in Africa. The database was hosted on DigitalOcean, meaning that at least this time around, Amazon Web Services Inc. isn’t part of the story.

The database was eventually taken down, but only after ZDNet contacted the company. It’s unknown whether the data in the database was accessed by nefarious actors, but the potential is there.

“Like countless other organizations, Heyyo has left an Elasticsearch server unprotected, without a password, exposing highly sensitive user data,” Chris DeRamus, co-founder and chief technology officer of cloud security company DivvyCloud Corp., told SiliconANGLE. “The exposed information included user location, meaning that bad actors could leverage this info to stalk impacted users, in addition to other cyberattacks like sophisticated phishing attacks. The dangers of exposing consumer information are not just limited to the internet – there are very real risks to physical safety.”

Anurag Kahol, CTO of cloud access security broker Bitglass Inc., noted that the situation is happening far too often.

“Within the past month, we have seen millions of consumer records impacted in incidents involving Ecuador, Suprema, MoviePass and now Heyyo,” Kahol said. “This common theme of leaving email addresses, dates of birth, names and other sensitive information exposed makes users vulnerable to identity theft and phishing attacks both now and in the future. While there have been no reports of a cybercriminal actually accessing the data from these exposures, it often takes companies far too long to identify vulnerabilities – an open database may go undetected for several months.”

Robert Prigge, president of identity verification company Jumio Inc., noted that this kind of lapse in security is fueling the cybercrime market on the dark web, a shady part of the internet reachable with special software.

“In 2019, we have seen an increase in online dating scams and attacks, such as catfishing, extortion, stalking and sexual assault,” he said. “Because online dating sites often facilitate in-person meetings between two people, organizations need to make sure users are who they claim to be online – both in initial account creation and with each subsequent login.”

Moreover, he added, “As online dating fraud continues to escalate, businesses must implement stronger means of user authentication for online dating sites, such as face-based biometric authentication, to protect users’ real-world safety and personal information.”
