It's painfully common for data to be exposed online. But just because it happens so often that doesn't make it any less dangerous. Especially when that data comes from a slew of dating apps that cater to specific groups and interests.
Security researchers Noam Rotem and Ran Locar were scanning the open internet on May 24 when they stumbled upon a collection of publicly accessible Amazon Web Services "buckets." Each contained a trove of data from a different specialized dating app, including 3somes, Cougary, Gay Daddy Bear, Xpal, BBW Dating, Casualx, SugarD, Herpes Dating, and GHunt. In all, the researchers found 845 gigabytes and close to 2.5 million records, likely representing data from hundreds of thousands of users. They are publishing their findings today with vpnMentor.
The information was particularly sensitive and included sexually explicit photos and audio recordings. The researchers also found screenshots of private chats from other platforms and receipts for payments, sent between users within the app as part of the relationships they were building. And though the exposed data included limited "personally identifying information," like real names, birthdays, or email addresses, the researchers warn that a motivated hacker could have used the photos and other miscellaneous information available to identify many users. The data may not have actually been breached, but the potential was there.
"We were amazed by the size and how sensitive the data was," Locar says. "The risk of doxing that exists with this kind of thing is very real—extortion, psychological abuse. As a user of one of these apps you don’t expect that others outside the app would be able to see and download the data."
As the researchers traced the exposed S3 buckets they realized that all of the apps seemed to come from the same source. Their infrastructure was fairly uniform, the websites for the apps all had the same layout, and many of the apps listed "Cheng Du New Tech Zone" as the developer on Google Play. On May 26, two days after the initial finding, the researchers contacted 3somes. The next day, they got a brief response, and all of the buckets were locked down simultaneously.
WIRED reached out to 3somes and Herpes Dating and attempted to reach Cheng Du New Tech Zone, but did not receive a reply.
This was not a hack; it was sloppily stored data. The researchers don't know whether anyone else discovered the exposed trove before they did. That's always crux of the issue with data exposures: mistakenly making data accessible is at best an inconsequential mistake, but at worst can hand hackers a data breach on a silver platter. And in the case of this cadre of dating apps in particular, the information could have a real impact on user safety if it was stolen before the developer locked it down. So many breaches contain data like email addresses and passwords, which is bad enough. But when data leaks from sites like Ashley Madison, Grindr, or Cam4 it creates the potential for doxing, extortion, and other dire online abuse. In this case, Herpes Dating could even potentially reveal someone's health status.
"It's so difficult to navigate. How much trust are we putting into apps to feel comfortable putting up that sensitive data—STD information, videos," says Nina Alli, executive director of the Biohacking Village at Defcon and biomedical security researcher. "This is a detrimental way to out someone’s sexual health status. It's not something to be ashamed of, but there's stigma, because it's easier to yuck at someone else’s proclivities. When it comes to STD status the outing of this data would mean that other people won't want to get tested. That is a big peril of this situation."