[German]It's a huge data leak caused by niche dating apps. Security researchers have found out that the apps provide user data publicly on the Internet – we are talking about 845 GB.
Advertising
I have already had the information for a few days. Security researchers from vpnMentor, led by Noam Rotem and Ran Locar, have discovered this data leak. A collection of apps is responsible for collecting the data. The applications are designed for people with alternative lifestyles and special preferences, such as cougars, queer dating, fetishes and group sex. At least one app was dedicated to people with venereal diseases like herpes. Here are the names of various apps:
- 3somes
- CougarD
- Gay Daddy Bear
- Xpal
- BBW Dating
- Casualx
- SugarD
- Herpes Dating
- GHunt
Based on the research of security researchers, the applications have a common developer. As a result, the user data from each application was stored on a single Amazon Web Services (AWS) account. And this 845 GB data collection was accessible via the Internet without protection.
Hundreds of thousands, if not millions of users of more than eight dating apps are affected. The data leak includes over 20 million files created by these apps. Although the security researchers did not find names and email addresses in the files, they did find photos of faces and very intimate information about the app users. The researchers have found the following data:
- Pictures and photos
- Voice messages and audio recordings
Among the pictures and photos of users, the S3 buckets also contained screenshots that revealed a large amount of sensitive information. These included:
- Private chats between users
- supporting documents for financial transactions between users
- Thank you messages to Sugar Daddies
The S3 buckets did not contain PII (Personally Identifiable Information) data. However, these can often be determined directly and indirectly from media files. Here are examples:
Advertising
- Photos with visible faces
- Names of the users
- Personal details
- Financial data
Security researchers estimate that there are at least 100,000, if not millions of users affected. The data is stored in the USA and other countries. The open AWS S3 bucket was discovered on 24 May 2020, the developer 3somes was contacted on 26 May 2020 and replied on 27 May. At the same time the data leak was closed on 27 May 2020. Further details can be read in this article.
