Unprotected database exposes almost 42.5 million records from Chinese dating apps

• The exposed information includes users’ user names, ages, locations, and IP addresses.
• The exposed data belongs to a majority of American users.

What is the issue?

A security researcher named Jeremiah Fowler discovered an unprotected Elastic database that holds almost 42.5 million records of dating app users.

What information was exposed?

• The exposed information includes users’ user names, ages, locations, and IP addresses.
• The exposed data belongs to a majority of American users.

The security researcher checked the usernames in other forums and sites and identified most of the usernames. This implies that the majority of users have re-used their usernames across multiple accounts.

What are the dating apps mentioned in the database?

Fowler noted that the database was associated with multiple dating applications. Despite all apps using the same database for storing user data, they claim to be separate companies or individuals that do not have any link with each other. Some of the dating apps mentioned inside the leaky database include,

• Cougardating - Dating app for meeting cougars and spirited young men.
• Christiansfinder - Dating an app for Christian singles
• Mingler - an interracial dating app
• Fwbs (Friends with benefits)
• TS

The big picture

The security researcher was unable to notify the owner of the database or any of the dating apps as most of the apps were registered private and the only way to contact them is through their official apps. While the ‘Whois registration’ app has provided a fake address and phone number.

“I am not saying or implying that these applications or the developers behind them have any nefarious intent or functions, but any developer that goes to such lengths to hide their identity or contact details raises my suspicions. Call me old fashioned, but I remain skeptical of apps that are registered from a metro station in China or anywhere else,” the researcher said in a blog.

However, Fowler managed to send 2 notifications to email accounts that were connected to the domain registration but did not hear back from them.