Almost four million users of a popular Android dating app have had their personal and log-in data stolen by hackers, according to Risk Based Security.
The security vendor said it found the data on a prominent hacking forum, where it is now free for anyone to access, although it had previously been up for sale.
The data is associated with nearly 3.7 million users of MobiFriends, a Barcelona-based dating app. The information was originally posted to the forum in January of this year by a threat actor named “DonJuji,” but is attributed to a breach in January 2019.
The data includes dates of birth, gender, website activity, mobile numbers, usernames, email addresses and MD5-hashed passwords.
“The MD5 encryption algorithm is known to be less robust than other modern alternatives, potentially allowing the encrypted passwords to be decrypted into plaintext,” warned Risk Based Security.
“Moreover, the data leak contains professional email addresses related to well-known entities including: American International Group (AIG), Experian, Walmart, Virgin Media and a number of other F1000 companies. This creates a notable risk of business email compromise as well as potential spear-phishing campaigns.”
MobiFriends has yet to respond to the researchers who found the data.
The number of records exposed in data breaches soared by 273% quarter-on-quarter to reach a record 8.4 billion in Q1 2020, according to Risk Based Security. However, the number of publicly reported incidents was down by 42% during the same period.
“The increase in records compromised was driven largely by one breach: a misconfigured Elasticsearch cluster that exposed 5.1 billion records. However, even if we adjusted for this incident, the number of records still increased 48% compared to Q1 2019,” said Inga Goddijn, executive vice-president at Risk Based Security.
“Hacking exposed an average of approximately 850,000 records per breach and most breaches originated from outside the organization. We are continually finding that simply meeting regulatory standards or contractual obligations does little to actually prevent a breach from occurring.”