A group of researchers from Mackeeper, a security firm have identified a database belonging to a company that operates multiple dating apps and websites, that was leaking data online. Altogether, the exposed database contained over 1.5 million user records.
It is an incident that draws parallels with the now-infamous Ashley Madison breach. A New Zealand-based dating company called C&Z Tech Limited that runs a number of ‘hookup’ websites and dating apps including HaveAFling.mobi, HaveAnAffair.mobi, haveafling.co.nz, among others, has been revealed to be leaking data from an unprotected database.
Unlike the Ashley Madison breach, this database was simply unsecured and was accessible to anyone, Mackeeper discovered.
The database contained over 1.5 million users’ data. This included usernames and passwords – in plain text. Other information included height, weight, date of birth, gender, race, IP and country, among others.
Alarmingly, the database was unsecured for nearly a day, before MacKeeper Security reached out to the company to inform them of the glaring vulnerability.
To this, a response came from a source simply named “Edward”, who stated:
Thanks for letting us know, the MongoDB database was only live for a few hours as we were testing migrating data from SQL to MongoDB, so most of them were just dummy data with randomly generated emails and passwords, and not our live database, we shut down the database about an hour ago, and there’re no data breach, only you guys had detected it.
That stance changed quickly when online publication ZDNet reached out to the New Zealand company. This time, an employee going by “Anton” replied:
While we acknowledge the data breach, but only a small number of users were affected. This data leak was from one of our test databases, the majority of data were dummy data and were randomly generated, and the vulnerability was immediately remediated.
Despite such claims, an analysis of a sample database acquired by the publication revealed that the “dummy data” was, in fact, real data belonging to real users of the services.
Suffice to say, another day, another data breach.
Image credit: Pexels.