Sexually explicit pictures, audio recordings and private conversations shared in dating apps, such as SugarD and Herpes Dating, have been exposed online.
Security researchers discovered unprotected Amazon Web Services ‘buckets’ with over 20 million files linked to hundreds of thousands of users.
Although no ‘personally identifiable information’ was visible, experts note that a determined hacker could reveal a user through photos and other available information.
It is not known if the data was accessed by anyone else, but the team says there is enough to commit fraud, extortion and viral attacks on the apps’ members.
The unsecured buckets were discovered by security researchers at vpnMentor, who uncovered the exposed data on May 24 – but the buckets appear to have been secured since.
The team found a total of 845 gigabytes of data, which included over 20 million files.
The data belonged to nine dating apps that cater to special groups and interests, including: 3somes, Cougary, Gay Daddy Bear, Xpal, BBW Dating, Casualx, Sugar D, Herpes Dating, GHunt and a few others.
DailyMail.com has contacted a few of the dating apps listed in the leak and has yet to receive a response.
The data included screenshots of financial transactions between users and private conversations.
After tracing the buckets, the team found that they originated from the same source – many of them listed ‘Cheng Du New Tech Zone’ as the developer on Google Play.
The buckets included photos, many of a sexual nature, along with screenshots of private conversations, audio recordings and financial transactions.
Although none of the data contained ‘personally identifiable information,’ the researchers found photos with visible faces, users’ names, personal and financial data that could all be used to unmask an individual.
‘For ethical reasons, we never view or download every file stored on a breached database or AWS bucket,’ the vpnMentor team shared in a blog post.
‘As a result, it’s difficult to calculate how many people were exposed in this data breach, but we estimate it was at least 100,000s – if not millions.’
Some of the apps allow users to send payments for different services, and the screenshots pertaining to a transaction were in the leaked data.
The team also notes that this was not a hack, but a careless way of storing sensitive information online.
‘The users of the apps exposed in this data breach would be particularly vulnerable to various forms of attack, bullying, and extortion,’ they wrote on the website.
‘While the connections being made by people on ‘sugar daddy,’ group sex, hook up, and fetish dating apps are completely legal and consensual, criminal or malicious hackers could exploit them against users to devastating effect.’
The researchers also noticed that most of the dating apps had the same layout.
‘Using the images from various apps, hackers could create effective fake profiles for catfishing schemes, to defraud and abuse unwary users.’
Nina Alli, executive director of the Biohacking Village at Defcon and biomedical security researcher, told Wired: ‘It’s so difficult to navigate. How much trust are we putting into apps to feel comfortable putting up that sensitive data—STD information, videos.’
‘This is a detrimental way to out someone’s sexual health status. It’s not something to be ashamed of, but there’s stigma, because it’s easier to yuck at someone else’s proclivities.’
‘When it comes to STD status the outing of this data would mean that other people won’t want to get tested. That is a big peril of this situation.’