A Chinese database has exposed 42.5 million user records that were mined from a range of popular dating apps.
The database was discovered by security researcher Jeremiah Fowler, who said it was not password protected and the majority of the records appeared to be from US users.
Worryingly, the data left exposed included users’ IP addresses, geolocation data, age and usernames.
The dating apps the information was pulled from include Cougardating, Christiansfinder, Mingler, Fwbs (friends with benefits) and TS Dating.
Fowler used the records of users’ ages, location and account names to identify them on other apps and services and verify that they were real.
‘Finding several of the users’ real identity was easy and only took a few seconds to validate them,’ Fowler wrote in a blog post breaking down his findings.
‘Nearly each unique username I checked appeared on multiple dating sites, forums, and other public places.
‘The IP and geolocation stored in the database confirmed the location the user put in their other profiles using the same username or login ID,’ he added.
Fowler attempted to contact the database owner to get it taken down, but his emails and calls went unanswered.
As a result, the database is still online and unsecured, but Fowler chose to disclose his findings in an attempt to generate user awareness, particularly for those who might have been swept up in the leak.
It’s not clear who owns the database. Fowler checked the site’s domain registration and found that a subway line in Lanzhou, China was listed as the owner’s address.
When he called a number associated with that address, a message said the phone had been disabled.
Fowler said he also attempted to contact the developers behind the apps but in many cases, the only way to find contact information was to download the app, which seemed risky.
‘I am not saying or implying that these applications or the developers behind them have any nefarious intent or functions, but any developer that goes to such lengths to hide their identity or contact details raises my suspicions,’ Fowler said.
‘Call me old fashioned, but I remain skeptical of apps that are registered from a metro station in China or anywhere else.’
While some personal data like usernames and locations was shared, Fowler noted that, luckily, no personally identifiable information, such as real names, physical addresses or social security numbers, was shared.