Security researchers at Wizcase recently discovered data leaks and privacy breaches on five separate dating apps that are popular in the US and East Asia. These breaches revealed user data and sensitive information such as names, billing information, phone numbers, profiles, and even private messages. Further research shows that the leaks were caused by publicly exposed Elasticsearch servers, MongoDB databases, and AWS buckets. The five sites involved are:
- CatholicSingles, based in the US, leaked information including usernames, email addresses, phone numbers, age, occupation, education, billing addresses, physical profiles, and user payment information.
- Yestiki, another US-based dating app, leaked around 4,300 user records that include users’ real names, phone numbers, GPS location, activity logs, and more.
- Blurry, a South Korean app, exposed 70,000 records, including private messages, Instagram handles, and phone numbers, via an Elasticsearch server.
- Congdaq/Kongdaq, another South Korean app, exposed 123,000 user records via an Elasticsearch server, including sensitive information such as cleartext passwords, gender, dates of birth, and GPS location.
- Charin and Kyunn, two apps based in Japan, leaked around 102 million records from an unprotected Elasticsearch server containing the same type of information as the others.