More than 2.28 million members of the online dating site MeetMindful have reportedly been caught up in a wide-ranging data breach that exposes everything from Facebook tokens to physical characteristics.
The ShinyHunters hacking group has stolen and published the personally identifiable information (PII) of MeetMindful users. The data has been made available as a free download on a “publicly accessible hacking forum known for its trade in hacked databases.”
In total the data makes up a 1.2 GB file, which has 1,500 views in the public forum. How many times it has been downloaded is unknown.
MeetMindful combines a dating platform with a focus on wellness, life-coach articles, “intentional living” tips and musings on spirituality.
The file collects the information that MeetMindful users provided when they registered to use the service and set up their profiles. Thus, it includes names; emails; city, state and ZIP codes; dating preferences; birth dates; marital status; IP addresses; and Bcrypt-protected account passwords, according to the researcher’s findings. However, other potentially more sensitive information is also included for some users, like dating preferences; “body details”; and even latitude and longitude. To boot, Facebook user IDs and authentication tokens are part of the harvest as well.
Numerous Attacks Possible
Security researchers noted that dating apps in particular represent a highly attractive target for cybercriminals.
“Cyberattackers are increasingly targeting individuals on dating platforms across both mobile and desktop,” Hank Schless, senior manager of Security Solutions at Lookout, told Threatpost. “They’re doing this because these apps are a treasure trove of personal data that require lots of device permissions such as location, access to the camera and access to contacts in order to work.”
This particular breach comes on the heels of Interpol’s warning about financial scams being carried out in dating apps, he noted.
“Each of these incidents shows that there’s no one way that attackers seek to attack dating app users,” he said. “Both app developers and users need to be wary of the risks involved with trusting so much personal data to mobile apps. App developers need to embed security into their mobile apps and keep their infrastructure security up to date as malicious tactics evolve. App users should be careful about how they interact with people on dating apps and have a mobile security app installed that keeps them safe. Social-engineering is a common tactic to phish users, get them to share personal information, or convince them to download a malicious app.”
There’s also a sextortion trend of leveraging sexual preferences and other highly personal information found in dating platforms against the user.
“Attackers realize that individuals may be willing to pay a high price to keep these personal details from being widely distributed,” Schless said. “Lookout recently discovered a sextortion campaign called Goontact that targeted users of illicit sites, typically offering escort services, to steal personal data from their mobile phone.”
ShinyHunters Strikes Again
The site’s data was released by a well-known steal-and-leak actor known as ShinyHunters. The group made a splash last May, allegedly compromising 73.2 million user records from more than 11 companies worldwide, including online delivery services like Homechef, photo-print service ChatBooks, and Chronicle.com, a news source for higher education.
The largest ShinyHunters heist involved stealing log-in data for 91 million users of Indonesia’s largest e-commerce platform, Tokopedia, and then selling it on the dark web for $5,000.
Last year, the group also claimed that it broke into Microsoft’s GitHub account and stole 500 GB of data from the tech giant’s own private repositories on the developer platform.
Last week, the group leaked details of 12.8 million users of Teespring, a web portal that lets users create and sell custom-printed apparel. They offered the data for free, in what researchers said was a likely sabotage of another data broker’s deal.
Cloud Environments in Hacker Crosshairs
It’s unclear how ShinyHunters were able to access the site’s data, but cybersecurity expert and CTO of Cymulate Avihai Ben-Yossef suspects a cloud misconfiguration.
“The attacker ShinyHunters…has a penchant for going after cloud-first companies — those who put their infrastructure in the cloud from the outset,” he said via email. “There is much to be done to shore up cloud hygiene – multifactor authentication, good certificate and identity store management, better configuration and account control, better segmentation of the workloads, etc.; alongside continuous security assessment.”
Schrader noted, “Little seems to be known about the attack itself, but it should not come as a surprise if they missed out on all basic security control about vulnerabilities, patching, change control and File Integrity Monitoring.”