A misconfigured database exposed the passwords and login details of 1.5 million people who have signed up for multiple dating websites.
The MacKeeper Security Research Center spotted an unprotected MongoDB instance owned by C&Z Tech Limited, a New Zealand-based company which operates several dating websites including haveafling.mobi, haveafling.co.nz, haveanaffair.co.nz, haveanaffair.mobi, and hookupdating.mobi as well as a few mobile applications.
The vulnerable NoSQL database solution contained the login details for over 1.5 million users, including their usernames and plaintext passwords. But it also included several bits of their personal information, including their weight, date of birth, race, height, gender, IP address, country of origin, and other pieces of information that might help users find partners for extramarital affairs.
MacKeeper notified C&Z Tech Limited customer support about the vulnerable NoSQL database solution. The dating site operator responded with an email in which it claimed the database contained only test data.
As quoted in a blog post published by MacKeeper:
“Thanks for letting us know, the MongoDB database was only live for a few hours as we were testing migrating data from SQL to MongoDB, so most of them were just dummy data with randomly generated emails and passwords, and not our live database, we shut down the database about an hour ago, and there’re no data breach, only you guys had detected it.”
MacKeeper doesn’t buy that explanation, probably because 1.5 million users’ information is a lot of data for a test database.
Fortunately, C&Z Tech Limited has taken MacKeeper’s findings to heart and secured the vulnerable database regardless.
If you use one of the services offered by C&Z Tech Limited, it would behoove you to change your passwords just in case someone made off with your login credentials.
But be warned. These types of sites are notorious for data breaches and other leaks of users’ information. Just look at what happened to Ashley Madison last year.
If history is any indication, this probably won’t be the last time we hear of dating websites leaking their users’ information.