Five Applications Leaked Millions Of Users’ Sensitive Data. Were You Affected?

WizCase’s IT researchers recently discovered data breaches and privacy violations affecting five different dating apps in the United States and East Asia.
These breaches exposed compromised user data and sensitive information, such as names, billing addresses, phone numbers, personal data, and even private/direct messages.
Further information shows that millions of configuration files were leaked, and that the Elasticsearch servers, MongoDB databases and AWS buckets hosting this data could be accessed publicly without password protection or security verification.

Applications and sites involved in data breaches:

  • CatholicSingles

According to a WizCase blog post, the US-based CatholicSingles leaked sensitive user information, including names, email addresses, phone numbers, age, occupation, education level, and billing addresses. Data on users’ physical characteristics (such as hair, eye color, and Internet activity) was also compromised.
Even more shocking is that users’ payment methods were also easily accessible, putting them at risk. This dating site was created specifically for singles seeking faith-based partners.

  • YESTIKI

Another American dating application, YESTIKI.com, listed on the app store by TIKI Interactive, leaked 4,300 user records, totaling 352MB, through a MongoDB server. The leaked data includes users’ real names, phone numbers, GPS locations, activity logs, etc.

  • Blurry

The Korean app Blurry exposed 70,000 records through an Elasticsearch server. The app has been installed by more than 50,000 users and is available in the iTunes app store.
The breach exposed private messages exchanged on the platform. Some of these messages contain confidential information, such as Instagram handles and phone numbers.

  • Congdaq/Kongdaq

Another Korean application, Congdaq/Kongdaq, created by SPYKX.com, exposed 123,000 (600MB) user records through an Elasticsearch server. The leak exposed users’ private and sensitive information, including clear-text passwords, gender, date of birth, and GPS location.

  • Charin and Kyuun

In addition, two dating apps in Japan, Charin and Kyuun, which the researchers suspect belong to the same company, exposed 102,000,000 (57GB) customer records. The two applications are similar in design, and the breach stems from their use of the same unprotected Elasticsearch server.
The exposed data includes users’ email addresses, clear-text passwords, IDs, mobile device information and personal preferences.
Further investigation by WizCase revealed that six other unsecured servers exposed information about users of dating apps. However, the researchers could not determine the origin of these servers. The company believes that these data breaches and leaks may have occurred through a process called “web crawling.”
Web crawling is the process of collecting and storing information provided by users. This is not limited to websites; the same analogy also applies to technology and agreements.

How to ensure data security?
The best way to protect your data is to be vigilant and pay attention to the data you provide when registering on any website, including dating apps. Also, do not use the same password for every account or social media handle.
Choose a complex password that is difficult to crack. In addition, keep the information you provide through these applications to a minimum. Be careful about providing your home address, phone number, or even photos.
