Dating site MeetMindful has discovered that “a well-known hacker” has leaked the details of more than 2 million users registered its web site.
An unnamed security researcher tells ZDNet that the leaked data is a 1.2 GB file containing some highly-sensitive data points, like real name, email address, city, state and ZIP code, body details, dating preferences, marital status, birth date, latitude and longitude, IP address, bcrypt-hashed account passwords, Facebook user IDs and even Facebook authentication tokens.
The leaked data is more than enough to cause serious damage to customers enlisted with MeetMindful, exposing them to sextortion, fraud, and of course psychological damage.
To its credit, the dating site has promptly responded to the leak with a comprehensive security notification addressing affected users.
However, unlike the ZDNet’s source, MeetMindful seems to downplay the severity of the leak, claiming the attacker was only able to grab basic user data that was already outdated. It isn’t clear which version of the story is more accurate.
“A well-known hacker was able to exploit a now-closed vulnerability in our system, and was able to export an outdated version of a list of basic user information,” the company says.
It explains that the incident applies to users who signed up for MeetMindful prior to March 2020, and that users who signed up after March 2020, or have updated their account details since March 2020 are not affected by this incident.
It also mentions that MeetMindful is a fellow victim in a larger campaign targeting several companies, including it, Teespring.com, Bonobos, and others.
“We identified the vulnerability and immediately resolved it, as well as brought in additional development resources to ensure future safety,” according to the notice.
The company further claims that no payment information was viewed or released. The same goes for messages, profile answers, photos, favorites, user views, or any other personal information relating to matches, detailed match preferences, conversations and specific locations, it says.
As a precaution, all users are advised to reset their password “to add additional security to your account,” according to the company. MeetMindful also instructs users to be wary of emails or text messages asking for an account number or password (i.e. phishing / fraud attempts).
Users who have additional questions or detect suspicious activity on their account can contact the company at firstname.lastname@example.org.