Report: Breach Exposes 100,000+ Users on Niche Dating Apps
Led by Noam Rotem and Ran Locar, vpnMentor's research team discovered a data breach exposing incredibly sensitive images from numerous niche dating and hook up apps.
The apps were built for people with alternative lifestyles and particular tastes, such as 'Cougars,' queer dating, fetishes, and group sex. At least one app was dedicated to people with STIs, such as herpes.
Based on our research, the apps share a common developer. As a result, user media from each app had been stored on a single Amazon Web Services (AWS) account.
Aside from exposing potentially millions of users of the apps to danger, the breach also exposed the various apps' entire AWS infrastructure through unsecured admin credentials and passwords.
Data Breach Summary
|Apps||3somes, CougarD, Gay Daddy Bear, Xpal, BBW Dating, Casualx, SugarD, Herpes Dating|
|Headquarters/Location||China and USA|
|Total size of data in gigabytes||845 GB|
|Total number of files||20,439,462|
|No. of people exposed||Estimated to be 100,000s|
|Geographical scope||US and other countries|
|Types of data exposed||Photos, incl. many of a graphic, sexual nature; Screenshots of private chats and financial transactions; Audio recording; Limited PII data|
|Potential impact||Fraud, doxing, blackmail, extortion, viral attack, and hacking|
|Data storage format||AWS S3 bucket|
Overview of Apps Affected
The misconfigured AWS account contained data belonging to a wide selection of niche and fetish dating apps.
Based on our research, it appears the apps share a common developer, for the following reasons:
- Gaydaddybear.com is hosted on the same AWS account as Ghuntapp.com
- Similar branding, web design, logos across multiple app websites
- Some of the apps list "Cheng Du New Tech Zone" as a developer on Google app store
The similarities in design for many of the apps are evident on their websites:
Timeline of Discovery and Owner Reaction
Sometimes, the extent of a data breach and the owner of the data are obvious, and the issue quickly resolved. But rare are these times. Most often, we need days of investigation before we understand what's at stake or who's exposing the data.
Understanding a breach and its potential impact takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness.
Some affected parties deny the facts, disregarding our research, or playing down its impact. So, we need to be thorough and make sure everything we find is correct and accurate.
In this case, the files from each app were stored on a misconfigured AWS S3 bucket, in a single, shared AWS account. The S3 buckets were named after the dating app from which they originated. We initially only reached out to one - 3somes - to present our findings.
3somes quickly replied, asking for additional details about the breach. We responded by providing the URL of their misconfigured bucket and mentioned that other buckets owned by their apparent sister companies were open too (without saying which ones).
While we didn't receive any further communication, the same day, all the buckets belonging to every other app were also secured, confirming our assumption about the common developer.
- Date discovered: 24th May 2020
- Date 3somes contacted: 26th May 2020
- Date of Response: 27th May 2020
- Date of Action: 27th May 2020
Example of Data Entries
The combined S3 buckets contained an enormous amount of data, with over 20 million files totaling 845 gigabytes.
The files were incredibly sensitive, uploaded from user accounts, and exposing details of user profiles and private conversations happening on the apps.
These included media files, such as:
- Images and photos
- Voice messages and audio recordings
Among the images and photos from users, the S3 buckets also contained screenshots that revealed a massive amount of sensitive information. These included:
- Private chats between users
- Evidence of financial transactions between users
- Thank you messages to sugar daddies
While the S3 buckets didn't contain any Personally Identifiable Information (PII) data, many of the media files, directly and indirectly, exposed various forms:
- Photos with faces visible
- Users' names
- Personal details
- Financial data
For ethical reasons, we never view or download every file stored on a breached database or AWS bucket. As a result, it's difficult to calculate how many people were exposed in this data breach, but we estimate it was at least 100,000s - if not millions.
The following images were taken from S3 buckets belonging to various apps on the AWS account. They have been edited to maintain users' privacy.
Data Breach Impact
While data from dating and hookup apps are always sensitive and private, the users of the apps exposed in this data breach would be particularly vulnerable to various forms of attack, bullying, and extortion.
While the connections being made by people on 'sugar daddy,' group sex, hook up, and fetish dating apps are completely legal and consensual, criminal or malicious hackers could exploit them against users to devastating effect.
Using the images from various apps, hackers could create effective fake profiles for catfishing schemes, to defraud and abuse unwary users.
Any exposed PII data creates much more significant risks to users. Given the nature of many of these apps - in some cases involving financial transactions, fetishes, and STIs - having your presence on the app made public could create immense stress in your personal life.
Aware of this, hackers could use images containing PII to find users on social media and threaten to 'expose' their activities in public, to friends and family. Unfortunately, this type of blackmail and extortion could prove incredibly profitable.
With so many users from each app exposed in the data breach, criminals would only need to convince a small number of people to pay them for a blackmail and extortion scheme to be successful.
In doing so, they could destroy many people's relationships and personal and professional lives.
Advice from the Experts
The developers of the dating apps could have easily avoided this breach if they had taken some basic security measures to protect the data exposed. These include, but are not limited to:
- Securing its servers.
- Implementing proper access rules.
- Never leaving a system that doesn’t require authentication open to the internet.
Any company can replicate the same steps, no matter its size.
For a more in-depth guide on how to protect your business, check out our guide to securing your website and online database from hackers.
Securing an Open S3 Bucket
It’s important to note that open, publicly accessible S3 buckets are not a flaw of AWS. They’re usually the result of an error by the owner of the bucket. Amazon provides detailed instructions to AWS users to help them secure S3 buckets and keep them private.
In the case of the dating apps, the quickest way to fix this error would be to:
- Make the bucket private and add authentication protocols.
- Follow AWS access and authentication best practices.
- Add more layers of protection to their S3 bucket to further restrict who can access it from every point of entry.
For App Users
If you use any of the apps featured and are concerned about how this breach might impact you, contact the developers directly to find out what steps they’re taking to protect your data.
To learn about data vulnerabilities in general, read our complete guide to online privacy.
It shows you the many ways cybercriminals target internet users, and the steps you can take to stay safe.
How and Why We Discovered the Breach
The vpnMentor research team discovered the breach in dating apps’ AWS account as part of a huge web mapping project. Our researchers use port scanning to examine particular IP blocks and test different systems for weaknesses or vulnerabilities. They examine each weakness for any data being exposed.
Our team was able to access this bucket because it was completely unsecured and unencrypted.
Whenever we find a data breach, we use expert techniques to verify the owner of the database.
As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. We reached out to the developers, not only to let them know about the vulnerability but also to suggest ways in which they could make their system secure.
These ethics also mean we carry a responsibility to the public. Users of the apps must be aware of a data breach that exposes so much of their sensitive data.
The purpose of this web mapping project is to help make the internet safer for all users.
We never sell, store, or expose any information we encounter during our security research.
About Us and Previous Reports
vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.
Our ethical security research team has discovered and disclosed some of the most impactful data leaks in recent years.
This has included an enormous data leak exposing credit cards, government IDs, and more belonging to millions of US citizens. We also revealed that a popular online learning platform compromised the privacy and security of people across the globe. You may also want to read our VPN Leak Report and Data Privacy Stats Report.
Editor's Note: An earlier version of this report listed Casualx, linked back to the suspected website for the app. However, As we cannot confirm the connection between the Casualx and the listed website directly, we have removed the link. Additionally, the original text contained a typo, listing Cougary, rather than CougarD, as one of the apps involved in the data breach.
[Publication date: 15th June 2020]