The login details and passwords of 1.5 million people who signed up for multiple dating websites and mobile applications of a New Zealand-based online dating network have been exposed due to a misconfigured database.
The MacKeeper Security Research Center discovered an unsecured MongoDB instance owned by C&Z Tech Limited, a New Zealand-based company that operates several dating websites, such as haveafling.mobi, haveafling.co.nz, haveanaffair.co.nz, haveanaffair.mobi and hookupdating.mobi, as well as a few mobile applications.
The exposed database included the login details of over 1.5 million users, with their complete credentials (username and password combinations) stored in plaintext. It also included several pieces of their personal information, including their weight, date of birth, race, height, gender, IP address, country of origin, and other details that might help users find partners for one-night stands or extramarital affairs. None of C&Z’s websites displayed a visible security alert.
MacKeeper alerted C&Z Tech Limited customer support about the vulnerable NoSQL database solution, after which the company secured the database. The dating site operator responded with an email in which it claimed the database contained only test data. However, the MacKeeper team does not believe this to be true, as 1.5 million users’ information is a lot of data for a test database.
“Thanks for letting us know, the MongoDB database was only live for a few hours as we were testing migrating data from SQL to MongoDB, so most of them were just dummy data with randomly generated emails and passwords, and not our live database, we shut down the database about an hour ago, and there’re no data breach, only you guys had detected it.”
The database is a MongoDB instance. MongoDB is a NoSQL database solution that, for a few versions some years back, used a default configuration file that exposed the database to the Internet without an admin account password.
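As an added example (not from the original article, MacKeeper or MongoDB), the following script audits a `mongod.conf` for the two conditions described above: a listener reachable from the network and no access control. `net.bindIp`, `net.bindIpAll` and `security.authorization` are MongoDB's YAML configuration options; the function names and both sample configurations are constructed for illustration, and only the YAML format is handled.

```python
import ipaddress

def parse_conf(text):
    """Parse the two-level 'section:' / '  key: value' YAML subset used by mongod.conf."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()       # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not line[0].isspace():                   # top-level section header
            section = key
            conf.setdefault(section, {})
        elif section is not None:
            conf[section][key.strip()] = value.strip().strip("\"'")
    return conf

def audit(text):
    """Return findings for network exposure and missing access control."""
    conf = parse_conf(text)
    net, sec = conf.get("net", {}), conf.get("security", {})
    findings = []
    if net.get("bindIpAll", "false").lower() == "true":
        findings.append("net.bindIpAll is true: listening on every interface")
    elif "bindIp" not in net:
        # Assumption: with no bindIp, the listener depends on the release default,
        # and older releases bind to every interface.
        findings.append("net.bindIp not set: older releases listen on every interface")
    else:
        for addr in (a.strip() for a in net["bindIp"].split(",")):
            try:
                loopback = ipaddress.ip_address(addr).is_loopback
            except ValueError:                      # a hostname, not an IP literal
                loopback = addr == "localhost"
            if not loopback:
                findings.append(f"net.bindIp includes non-loopback address {addr}")
    if sec.get("authorization", "disabled").lower() != "enabled":
        findings.append("security.authorization is not enabled: no credentials required")
    return findings

# Constructed sample configurations: the weak setting beside the corrected one.
EXPOSED = "net:\n  port: 27017\n  bindIp: 0.0.0.0\n"
HARDENED = ("net:\n  port: 27017\n  bindIp: 127.0.0.1\n"
            "security:\n  authorization: enabled\n")

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(name, audit(conf) or "no findings")
```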
In the past, we have seen other dating sites suffer data breaches, including Ashley Madison, Fling.com, Mate1, and Beautiful People.
If you are using any of the services offered by C&Z Tech Limited, it would be advisable to change your passwords to protect yourself from abuse by malicious users who may have obtained your login credentials.