Three misconfigured Amazon Web Services (AWS) S3 buckets leaking highly sensitive information from multiple dating apps and websites were discovered by vpnMentor researchers on May 25.
According to a report published June 16, the S3 buckets contained 845 gigabytes of data, with over 20 million files containing sensitive information from user accounts, including:
• Images and photos
• User names, personal details and financial data
• Voice messages and audio recordings
• Private chats between users
• Evidence of financial transactions
The affected apps include a variety of niche dating platforms such as 3somes, CougarD, Xpal, SugarD, GHunt and many more. Beyond the personal and highly sensitive user information, the misconfigured databases also exposed the apps' infrastructure through unsecured admin credentials and passwords.
“For ethical reasons, we never view or download every file stored on a breached database or AWS bucket. As a result, it’s difficult to calculate how many people were exposed in this data breach, but we estimate it was at least 100,000s – if not millions,” researchers said. “As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. We reached out to the developers, not only to let them know about the vulnerability but also to suggest ways in which they could make their system secure.”
The data leak could have devastating effects for users. Malicious actors can leverage the treasure trove of sensitive info for various forms of extortion and bullying, which could potentially turn into another Ashley Madison disaster. More than 30 million users were exposed following the 2015 data breach of the pro-adultery website, and blackmail scams were still resurfacing nearly 5 years after bad actors posted a data dump containing sensitive data on users.
In the hands of seasoned cyber-criminals, the data can be used for more than just catfishing scams. Using the variety of information as a bargaining chip, blackmailers can start a profitable business. Nobody wants their secrets exposed on social media or to family and friends.
“With so many users from each app exposed in the data breach, criminals would only need to convince a small number of people to pay them for a blackmail and extortion scheme to be successful,” researchers warned. “In doing so, they could destroy many people’s relationships and personal and professional lives.”