It’s painfully common for data to be exposed online. But just because it happens so often doesn’t make it any less dangerous. Especially when that data comes from a slew of dating apps that cater to specific groups and interests.
Security researchers Noam Rotem and Ran Locar were scanning the open internet on May 24 when they stumbled upon a collection of publicly accessible Amazon Web Services “buckets.” Each contained a trove of data from a different specialized dating app, including 3somes, Cougary, Gay Daddy Bear, Xpal, BBW Dating, Casualx, SugarD, Herpes Dating, and GHunt. In all, the researchers found 845 gigabytes and close to 2.5 million records, likely representing data from hundreds of thousands of users. They are publishing their findings today with vpnMentor.
The information was particularly sensitive and included sexually explicit photos and audio recordings. The researchers also found screenshots of private chats from other platforms and receipts for payments, sent between users within the app as part of the relationships they were building. And though the exposed data included limited “personally identifying information,” like real names, birthdays, or email addresses, the researchers warn that a motivated hacker could have used the photos and other miscellaneous information available to identify many users. The data may not have actually been breached, but the potential was there.
“We were amazed by the size and how sensitive the data was,” Locar says. “The risk of doxing that exists with this kind of thing is very real—extortion, psychological abuse. As a user of one of these apps you don’t expect that others outside the app would be able to see and download the data.”
As the researchers traced the exposed S3 buckets they realized that all of the apps seemed to come from the same source. Their infrastructure was fairly uniform, the websites for the apps all had the same layout, and many of the apps listed “Cheng Du New Tech Zone” as the developer on Google Play. On May 26, two days after the initial finding, the researchers contacted 3somes. The next day, they got a brief response, and all of the buckets were locked down simultaneously.