New Delhi: Personal details of hundreds of thousands of users on over 70 adult dating and some e-commerce websites worldwide have been exposed online, security researchers said on Sunday.
The cybersecurity research team at vpnMentor, which is the world’s largest VPN review website, found that the hacked websites were using the “same marketing software built by email marketing company Mailfire”.
“The software in question had been compromised through an unsecured Elasticsearch server, exposing people all over the world to dangers like identity theft, blackmail and fraud,” the report mentioned.
Upon further investigation, it turned out that some of the sites exposed in the data leak were scams, set up to trick men looking for dates with women in various parts of the world.
The leaky database that stored more than 882GB of log files was taken offline on September 3 after vpnMentor researchers tracked it down.
Each of the millions of notifications contained valuable and sensitive Personally Identifiable Information (PII) data for people using the affected websites to send and receive messages.
The leaked data included full names, age and date of birth, gender, email addresses, locations of senders, IP addresses, profile pictures uploaded by users and profile bio descriptions.
Aside from the PII data, the leak also exposed conversations between users on the affected dating sites.
“Mailfire acted immediately and secured the server within a few hours. Mailfire assumed full responsibility and insisted that the companies exposed were in no way responsible at all — and our research has also confirmed this to be true,” the report said.
Among the websites affected were a dating site for meeting Asian women and a premium international dating site targeting an older demographic.
It also appeared that many of the websites shared common owners.
“At the beginning of our investigation, the server’s database was storing 882.1 GB of data from the previous four days, containing over 370 million records for 66 million individual notifications sent in just 96 hours,” the vpnMentor research team said.
“This is an absolutely massive amount of data to be stored in the open, and it kept growing. Tens-of-millions of new records were uploaded to the server via new indices each day we were investigating it.”
Anyone who found this database would have been able to learn the identities of users who signed up on these dating sites and access their profiles to read private messages or see past connections, reports ZDNet.