Controversial dating site Beautiful People has been breached and a trove of sensitive data on over one million of its members leaked onto the cyber underground for sale, according to reports.
The data, which apparently includes all the things you’d expect from a dating site – including sexual preferences, email addresses, phone numbers and salary information – could be useful in follow-up scams and phishing attacks.
It appears to have been taken from an unsecured MongoDB database being used as a test server, yet populated with real users’ information.
Security researcher Chris Vickery told Wired that he found the database without password protection. Although the dating site was informed and claimed to have addressed the flaw - just before Christmas last year - it appears that a black hat had already lifted the treasure trove of personal data.
For its part, Beautiful People claimed in a statement that it was informing all affected users about the breach, as it did back in December 2015.
It added:
“The breach involves data that was provided by members prior to mid July 2015. No more recent user data or any data relating to users who joined from mid July 2015 onward is affected.”
The site is unusual, and somewhat controversial, in requesting members to vote on the attractiveness of others on the platform. In fact, it claims that “existing members hold the key to the door.”
The breach is nowhere near as bad – both in the volume and type of data exposed – as the Ashley Madison hack, but it could still put over a million users at risk from follow-on attacks.
As for MongoDB – configurations of the NoSQL database have been found wanting on numerous occasions in the past when it comes to security.
Most notable of these was just this week when Vickery again revealed a database containing the details of around 90 million Mexican voters had been left publicly accessible on an Amazon cloud server.
For its part, MongoDB argued that the fault was with users of the database who had incorrectly configured it.
There is no security issue with MongoDB - extensive security capabilities are included with MongoDB,” said vice president of strategy, Kelly Stirman, in a statement emailed to Infosecurity.
“We encourage all users to follow the guidelines we prescribe for security. Security best practices are summarized here, or customers can contact MongoDB support. This is an important opportunity for everyone to ensure they are following security best practices.”
Rob Norris, director of enterprise & cyber security EMEIA at Fujitsu, claimed recent research by his firm revealed just 9% of consumers think UK organizations are doing enough to protect their data.
“This means that organizations must not only ensure that they are using every possible method to protect customer data – from data encryption to robust firewalls – but they need to truly remain transparent with customers to instill confidence when it comes to data security,” he added.