Information relating to millions of users of data sites have been found exposed online in yet another case of misconfigured cloud storage.

Discovered late last week by security researchers at WizCase, the exposed records span up to 11 different dating services, with five identified: Catholic Singles, SPYKX, TESTIKI, the Blurry dating app and Charincharin/Kyuun-Kyuun.

Data found on the exposed databases included real names, billing addresses, email addresses, phone numbers, private messages and more. In the cases of SPYKX, a South Korean dating site and CharinCharin from Japan the databases also included clear text passwords. The amount of data exposed across the identified sites ranged from 3,700 records for SPYKX through to 102 million records for CharinCharin.

Six databases discovered by the researchers included similar data but were unable to be properly identified. The researchers note that the data could have been scraped from other sites, but some of the data does not appear to be from internet-facing pages. At least some of the data in these databases was linked to users on dating sites Zhenai, Say Love, Netease, Love Chat and Companion.

In most cases, the data was found on ElasticSearch databases that had not been set to private, although in one case data was found on an unsecured MongoDB database and in another case an unsecured Amazon Web Services Inc. S3 bucket. No matter which, the exposure of personally identifiable information puts users are risk of phishing, account hijacking and in some cases blackmail.

The news comes after vpnMentor report June 15 that detailed a similar data breach involving misconfigured cloud storage that likewise exposed PII belong to millions of users across a range of niche dating sites.

“ElasticSearch databases are probably the primary sources of data leaks because of misconfigurations when set up,” Colin Bastable, chief executive officer of security awareness training company Lucy Security AG, told SiliconANGLE. “For example, the front end UI is often secured with authentication but admins forget that the default port 9200 is also visible and accessible online, meaning that unprotected ElasticSearch databases can leak data via the backdoor.”

Having built the database, the developers probably forgot all about patching it, he added, focusing on the front end’s ease-of-use to drive user engagement and subscriber growth. “Or perhaps the original architect is no longer employed,” he said. “Regardless, they dropped the ball.”

Matt Rose, director of application security at application security testing company Checkmarx Ltd., noted that despite hosting users’ more sensitive information, including private messages and partner preferences, dating apps continue to make headlines due to security issues.

“Given that there is a rapidly-growing list of similar data exposure incidents, it begs the question about the underlying cause,” he said. “Is it that security is just not a priority for small development shops, or does the additional cost of security testing make the development efforts too expensive for smaller, niche organizations? In either case, flexible, cost-effective solutions exist to help enforce regular application security testing, secure databases and prevent future similar incidents.”

Image: Catholic Singles