We review vendors based on rigorous testing and research but also take into account your feedback and our affiliate commission with providers. Some providers are owned by our parent company.
vpnMentor was established in 2014 as an independent site reviewing VPN services and covering privacy-related stories. Today, our team of hundreds of cybersecurity researchers, writers, and editors continues to help readers fight for their online freedom in partnership with Kape Technologies PLC, which also owns the following products: ExpressVPN, CyberGhost, and Private Internet Access which may be ranked and reviewed on this website. The reviews published on vpnMentor are believed to be accurate as of the date of each article, and written according to our strict reviewing standards that prioritize the independent, professional and honest examination of the reviewer, taking into account the technical capabilities and qualities of the product together with its commercial value for users. The rankings and reviews we publish may also take into consideration the common ownership mentioned above, and affiliate commissions we earn for purchases through links on our website. We do not review all VPN providers and information is believed to be accurate as of the date of each article.

Report: Dating App Leaks Explicit User Messages & Other Private Data

vpnMentor Research Team Cybersecurity and Research Lab

vpnMentor’s research team recently discovered a data leak in the database of dating app JCrush.

Security researchers Noam Rotem and Ran Locar - key members of vpnMentor’s research team - discovered the breach, which exposed up to 200,000 users’ PII, preferences, and (sometimes explicit) private conversations within the JCrush app. JCrush is part of the Crush Mobile family of dating apps (1.5 million users), which was acquired in 2018 by Northsight Capital, Inc. (OTCQB: NCAP).

Our team discovered 18.454 GB of unencrypted records on the Mongo database. As of publishing, the database is no longer accessible and the leak seems to have been stopped.

Editor's note: Neither vpnMentor nor the security research team wanted anyone to exploit this data, which is why we immediately contacted JCrush upon its discovery. We did not look deeply into any of the leaked data; our team simply found and confirmed its existence.

Timeline of Discovery and Reaction

  • Data Breach Discovered: May 30, 2019
  • vpnMentor Team Contacted JCrush: May 31, 2019
  • Data Leak Fixed: May 31, 2019
  • No reply from JCrush; Contacted Northsight Capital: June 2, 2019
  • Northsight Capital Replied: June 4, 2019

Information Included in the Database

This leak is severe because of the nature of the data released. It included all of the private correspondence between users, unencrypted. Many of these conversations were laden with explicit messages and private details, along with personally identifying information.

In addition to the private messages among JCrush users, the database held other data, including full profiles and photos, private media, Facebook profiles and tokens, and more.

So, what does this mean in real-world terms? From the leak, we found sensitive user data and correspondence that includes:

  • First and last names of users
  • Email addresses
  • Facebook tokens, which can be used to log in
  • Full user profiles
  • Profile pictures
  • Private - sometimes very intimate - messages and sensitive photos sent in those messages
  • How many ‘swipes’ a user received per month
  • When and where they last logged in from

JCrush - according to its Privacy Policy - records and stores the following data on its users, all of which was susceptible in this latest breach:

  • FOUND: Users’ mobile device unique ID numbers
  • FOUND: Users’ mobile device geographic locations while the app is actively running
  • FOUND: Users’ computer IP addresses
  • FOUND: Technical information about users’ computers or mobile devices (such as type of device, web browser or operating system)
  • FOUND: User preferences and settings (time zone, language, privacy preferences, product preferences, etc.)
  • FOUND: The URL of the last web page users visited before coming to the JCrush site
  • FOUND: The buttons, controls and ads users clicked on (if any)
  • FOUND: How long users used JCrush and which services and features users have used
  • FOUND: The online or offline status of JCrush

The Impact of the Data Leak

While going over the data, we stumbled upon the full user details and messages of multiple government employees, including those employed by the US National Institute of Health, US Veterans Affairs, the Brazilian Ministry of Labor and Employment, the UK’s cultural department, Israel's Justice Department, and more. This leak easily puts those individuals and any others similarly in a public role at risk for extortion by malicious hackers.

JCrush offers a special ‘incognito mode,’ where users can pay a premium to hide their profile from all users until they have ‘swiped right’ on them. This leak can potentially expose those who wish to remain anonymous in their dating endeavors - including individuals in the public spotlight or members who are married.

This data breach sheds light on the kind of information that could be at risk for various cyber threats, illustrating how it can impact the lives of hundreds of thousands of individuals who are vulnerable to the actions of digital criminals.

Other dating and hook-up apps, such as Tinder, admittedly record and store users’ private information and messages. This is a prime example of what can be made accessible to the public - with or without malicious intent.

How We Found the Data Breach

vpnMentor’s research team is currently undertaking a huge web mapping project. Using port scanning to examine known IP blocks reveals gaps in web systems, which are then examined for vulnerabilities, including potential data exposure and breaches.

Tapping into years of experience and know-how, the research team examines the database to confirm its identity.

After identification, we reach out to the database’s owner to report the leak. Whenever possible, we also alert those directly affected. This is our version of putting good karma out on the web – to build a safer and more protected internet.

Advice from the Experts

Could this data leak have been prevented? Absolutely! Companies can avoid such a situation by taking essential security measures immediately, including:

  1. First and foremost, secure your servers.
  2. Implement proper access rules.
  3. Never leave a system that doesn’t require authentication open to the internet.
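
As an added illustration of the three measures above (not part of the original report, and not JCrush's configuration), this Python check audits a MongoDB configuration file for the combination described in this report: a database reachable from the internet with no authentication. The sample configs are constructed, and the function names `flatten` and `audit` are hypothetical.

```python
import ipaddress

# Constructed sample mongod.conf files (YAML); not taken from the report.
EXPOSED_CONF = """\
net:
  bindIp: 0.0.0.0   # every interface
"""
HARDENED_CONF = """\
net:
  bindIp: 127.0.0.1,10.0.5.12
security:
  authorization: enabled
"""

def flatten(text):
    """Flatten nested 'key: value' YAML into dotted keys (enough for mongod.conf)."""
    flat, stack = {}, []  # stack holds (indent, key) for each open section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if ":" not in line:
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if value.strip():
            flat[".".join([k for _, k in stack] + [key])] = value.strip().strip("'\"")
        else:
            stack.append((indent, key))
    return flat

def audit(text):
    """Return finding codes for a mongod config; an empty list means none."""
    cfg = flatten(text)
    # Assumption: MongoDB 3.6+ defaults, where an unset bindIp means localhost only.
    public = cfg.get("net.bindIpAll", "false").lower() == "true"
    for entry in cfg.get("net.bindIp", "127.0.0.1").split(","):
        try:
            ip = ipaddress.ip_address(entry.strip())
        except ValueError:
            continue  # hostnames and socket paths are not judged here
        public = public or ip.is_unspecified or ip.is_global
    no_auth = cfg.get("security.authorization", "disabled") != "enabled"
    checks = [("public-bind", public), ("no-auth", no_auth),
              ("unauthenticated-and-exposed", public and no_auth)]
    return [code for code, hit in checks if hit]

if __name__ == "__main__":
    print(audit(EXPOSED_CONF), audit(HARDENED_CONF))
```

A config file is only one layer: a host firewall or cloud security group that limits the database port to application servers covers the "proper access rules" point even if a bind setting is later changed by mistake.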

For more in-depth information on how to protect your business, check out how to secure your website and online database from hackers.

Check Out More Data Leaks We’ve Discovered

vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.

We recently also discovered a hotel group’s cybersecurity data leak, as well as a data breach that exposed more than 80 million US households. You may also want to read our VPN Leak Report and Data Privacy Stats Report.



About the Author

vpnMentor Research Lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.
Our ethical security research team has discovered and disclosed some of the most impactful data breaches in recent years.
