Online dating app Heyyo has made the same mistake that thousands of companies have made before it: it left a server exposed on the internet without a password.
This leaky server, an Elasticsearch instance, exposed the personal details, images, location data, phone numbers, and dating preferences for nearly 72,000 users, believed to be the app’s entire userbase.
The leaky server was brought to ZDNet's attention last week by security researchers from WizCase, who asked us to help investigate this security incident. After we verified the data's authenticity by contacting some of the users whose phone numbers were included in the database, we reached out to Heyyo to notify the company of the leak.
The Istanbul-based software company behind the app failed to respond to our inquiry for nearly a week, and the leaky server was only taken down today, after ZDNet reached out yesterday to Turkey’s Computer Emergency Response Team (CERT).
During the time it took to get the server taken down, Heyyo's backend leaked some of the most sensitive types of information online. The breadth of the leaked information is staggering, to say the least. Except for private messages, all other Heyyo user data was available on the company's Elasticsearch server. This included the likes of:
- Phone numbers
- Email addresses
- Dates of birth
- Profile pictures and other images
- Facebook IDs for users who linked their profiles
- Instagram IDs for users who linked their profiles
- Longitude and latitude
- Who liked a user’s profile
- Liked profiles
- Disliked profiles
- Superliked profiles
- Blocked profiles
- Dating preferences
- Registration and last active date
- Smartphone details
Production server; not an old backup
During the time we looked at the database, it also became clear that the server was a live production system and not an older server used for tests or storing backups.
The number of registered users grew from 71,769 to 71,921 in the time we looked at the data. We also registered a test account, and we saw it appear on the server within seconds.
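To make the live-system check concrete, below is an added example (not code from ZDNet, WizCase or Heyyo) that samples the document count of an unauthenticated Elasticsearch index a few times and then searches the index for a marker record, such as the email address of a test account you just registered. The base URL, index name and field name are placeholder assumptions; a real deployment will use its own. Only run this against systems you are authorized to test.

```python
"""Check whether an unauthenticated Elasticsearch index is a live production store.

Added example, not the tooling used in the Heyyo investigation. Assumptions:
an Elasticsearch HTTP endpoint that answers without credentials, and an index
name and field name that are placeholders (e.g. "users" and "email").
"""
import json
import time
import urllib.parse
import urllib.request
from typing import Callable, Dict, List


def http_get_json(url: str, timeout: float = 5.0) -> Dict:
    """Fetch a URL and decode the JSON body. No credentials are sent, so a
    successful response is itself evidence that the endpoint is unauthenticated."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


def doc_count(base_url: str, index: str, fetch: Callable[[str], Dict] = http_get_json) -> int:
    """Return the document count of `index` via the _count API."""
    body = fetch(f"{base_url.rstrip('/')}/{index}/_count")
    return int(body["count"])


def sample_counts(base_url: str, index: str, samples: int = 3, interval_s: float = 60.0,
                  fetch: Callable[[str], Dict] = http_get_json,
                  sleep: Callable[[float], None] = time.sleep) -> List[int]:
    """Take `samples` document counts spaced `interval_s` seconds apart."""
    counts: List[int] = []
    for i in range(samples):
        counts.append(doc_count(base_url, index, fetch))
        if i < samples - 1:
            sleep(interval_s)
    return counts


def is_live(counts: List[int]) -> bool:
    """True if the count rose between at least one pair of consecutive samples,
    i.e. new records are still being written (a backup or test copy stays flat)."""
    return len(counts) >= 2 and any(b > a for a, b in zip(counts, counts[1:]))


def find_marker(base_url: str, index: str, field: str, value: str,
                fetch: Callable[[str], Dict] = http_get_json) -> bool:
    """Search for a record whose `field` equals `value`, e.g. the email address of a
    test account registered moments ago. Uses the query-string search API."""
    q = urllib.parse.quote(f'{field}:"{value}"')
    body = fetch(f"{base_url.rstrip('/')}/{index}/_search?q={q}&size=1")
    total = body["hits"]["total"]
    # Elasticsearch 7+ returns {"value": n, "relation": "eq"}; older versions return an int.
    n = total["value"] if isinstance(total, dict) else total
    return int(n) > 0


if __name__ == "__main__":
    # Placeholder target; replace with the endpoint you are authorized to examine.
    base, index = "http://127.0.0.1:9200", "users"
    counts = sample_counts(base, index, samples=3, interval_s=30.0)
    print("counts:", counts, "live:" if is_live(counts) else "static:", is_live(counts))
    print("marker present:", find_marker(base, index, "email", "probe@example.com"))
```

The growth check mirrors the count going from 71,769 to 71,921 during the investigation; the marker search mirrors registering a test account and watching it appear. Both functions accept an injectable `fetch` so they can be exercised against recorded responses without touching a live host.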
The presence of this information online, accessible in a database without a password, is a danger for all of the app’s users.
To show how intrusive the leak could be, we performed a simple test. We took the details of three random users, and in a few minutes, using Google search queries and simple OSINT (open-source intelligence) scripts downloaded from GitHub, we easily tracked down and linked the three users to their real-life identities, LinkedIn profiles, social media accounts, and even posts they made on niche internet forums.
Since we're talking about a dating app, this type of information could be used for stalking or extorting users with information about their dating life and habits. This is not a hypothetical scenario. These types of extortion campaigns have happened in the past, especially after the Ashley Madison data breach.
Currently, it is unclear if any malicious third parties have also spotted Heyyo's leaky server besides the WizCase crew, so we don't know if anyone else might have downloaded all this information. Only an investigation by Heyyo's staff could confirm whether this data has fallen into the wrong hands, and whether users are in any danger.
Heyyo now joins a long list of online dating services that have failed to secure servers. The list includes Ashley Madison, Jack’d, Grindr, Romeo, Recon, 3Fun, HaveAFling, HaveAnAffair, HookUpDating, and Luscious.
WizCase also has its own report on the leak, for additional reading.