UPDATED 22:11 EDT / SEPTEMBER 13 2020

SECURITY

Users of adult dating sites exposed in Mailfire data leak

A database belonging to an online marketing company has been found exposed online, with most of the records relating to users of adult dating websites.

Discovered by researchers at vpnMentor and publicized today, the 882-gigabyte database was traced to a company called Mailfire that primarily offers email marketing tools along with complementary services such as application push notifications.

The database is believed to have affected at least several hundred thousand users across more than 70 websites. Data exposed included notification contents, personally identifiable data, private messages, authentication tokens and links, and mail content.

The database was found exposed on an unsecured Elasticsearch server Aug. 31 and vendors were contacted Sept. 3. The database was taken offline the same day Mailfire was contacted.

The sites affected were mostly adult dating websites, including a dating site for meeting Asian women, a premium international dating site targeting an older demographic, one for people who want to date Colombians and more similar sites connecting men and women in different parts of the world. Data from some general e-commerce sites were also found in the exposed database.

Notably, live data was being updated to the database when it was discovered, including some 370 million records for 66 individual notifications sent in the preceding 96 hours.

Mailfire took responsibility for the data breach and told the researchers that none of the companies exposed in the database was in any way responsible. Clients of Mailfire were said to have been informed of the data breach Sept. 4.

Whether companies affected by the breach have informed their users is another matter. Mailfire doesn’t provide a full list of its clients, but one site, a dating site called Kismia, appears to have not disclosed the data breach, at least publicly.

There’s always a question around whether bad actors have accessed exposed databases prior to their being discovered, but in this case the answer is in the affirmative. According to the researchers, the server where the database was discovered had already been successfully attacked before, with the Meow hacking group believed to be responsible.

As with all data breaches of this type, the risk is that the data can be used for nefarious purposes. This attack may affect only dating customers in the hundreds of thousands, but there is certainly precedent here: the hack and subsequent release of data belonging to the cheating website Ashley Madison in 2015. In that case, users were extorted, both at the time and even now, five years later, with threats that their activities would be exposed.
