Current and past members of the Guardian Soulmates dating site in the UK are finding themselves targeted with creepy, sexually explicit spam messages that contain personalized information from their profiles.
Guardian News & Media has confirmed that email addresses and user IDs for the paid site have been exposed, although a hack is likely not to blame.
"We can confirm we have received 27 enquiries from our members which show evidence of their email addresses used for their Soulmates account having been exposed," a spokeswoman told the BBC. “Our ongoing investigations point to a human error by one of our third-party technology providers, which led to an exposure of an extract of data.”
That data was picked up by nefarious actors and used to craft messages using information from users' profiles, such as relationship preferences and physical descriptions.
"I basically had been receiving spam […] directly referencing information that could only have come from the Soulmates database," one user told the BBC. "It's all information that I was happy to put online at one point anyway, but when it's used outside of context like that it does feel a lot more creepy."
Marco Cova, senior security Researcher at Lastline, noted via email that the incident is a good reminder that every breach reveals data that criminals can use to launch additional attacks.
“They merge data from multiple sources, building dossiers on potential victims, including spear phishing targets", he said. “The information that they gather does not have to be highly confidential in order to create successful attacks. Every breach is a reminder of the importance of strong authentication measures in both personal and professional devices, networks and web applications.”
The exposure apparently occurred last year, according to victims, with one saying they first contacted Soulmates six months ago about the spam.
Guardian News & Media said it would review its third-party practices, and the UK’s Information Commissioner's Office (ICO) said it is "aware of a potential incident involving Guardian Soulmates and will be looking into the details.”
As for what’s next for victims, Cova cautioned that they should be careful not to fall for phishing attacks—and to keep personal devices off enterprise networks.
“The blurring of personal and professional use of enterprise assets such as laptops underscores the criticality of protecting organizations from the network core to the outer edges against advanced persistent threats and evasive malware that could be introduced as a result of an infected personal device targeted as a result of a prior data breach,” he said. “Data breaches provide a distribution hub for malware for years to come.”