Dating App Says Stolen Data Was Sold on Dark Web

In the aftermath of multiple reports that millions of stolen records were dumped on the dark web, the dating app Coffee Meets Bagel confirmed that the accounts of approximately six million users were compromised in a breach, according to a Coffee Meets Bagel (CMB) spokesperson.

The company also said that the stolen data was indeed part of the trove of records that were sold by a malicious actor on the dark web marketplace, Dream Market. A Dubsmash spokesperson wrote that on February 8, 2019, the company learned of a data security incident that involved the sale of stolen user information.

In an email sent to Infosecurity, the spokesperson wrote, “With online dating, people need to feel safe. If they don't feel safe, they won't share themselves authentically or make meaningful connections. We take that responsibility seriously, so we informed our community as soon as possible – regardless of what calendar date it fell on – about what happened and what we are doing about it.

“We can confirm that approximately six million users were impacted. Beyond emails and names, no other CMB user information was compromised. This was part of a larger breach affecting 620 million accounts that got leaked across 16 companies.”

The dark web vendor removed the first round of listings that were up for sale and noted, “All my listings have been removed, to avoid them being bought so many times and being leaked, as a respect for my buyers. But don’t worry, next round of breaches coming soon.”

Dream Market vendor profile

Infosecurity also received confirmation from Dubsmash that the company learned of a data security incident that involved the sale of stolen user information on February 8, 2019.

“Dubsmash also launched an investigation and engaged independent, third-party cybersecurity experts to provide assistance. The investigation is ongoing. Dubsmash responded by notifying the potentially affected users and providing information to assist them.

“Dubsmash takes the security of all user information very seriously and is taking steps to prevent similar events from occurring in the future. We are continuing to strengthen security measures to ensure our networks and systems are secure,” says Dubsmash’s president, Suchit Dash. “We deeply regret any issues or concerns this incident may have caused our users.”

Password reuse is one issue that has led to numerous data breaches, according to Aaron Zander, head of IT at HackerOne. “That password we used hundreds of times in the early 2000s has come back to haunt us. Users can protect themselves with password managers, but it’s up to the operators of websites and apps to prevent themselves from becoming test-beds for valid credentials,” Zander said.
