Hacks, Nudes, and Breaches: It’s Been a Rough Month for Dating Apps

Credit to Author: Lily Hay Newman| Date: Fri, 15 Feb 2019 21:44:57 +0000

Dating is hard enough without the added stress of worrying about your digital safety online. But social media and dating apps are pretty inevitably involved in romance these days—which makes it a shame that so many of them have had security lapses in such a short amount of time.

Within days of each other this week, the dating apps OkCupid, Coffee Meets Bagel, and Jack'd all disclosed an array of security incidents that serve as a grave reminder of the stakes on digital profiles that both store your personal information and introduce you to total strangers.

"Dating sites are designed by default to share a ton of information about you; however, there's a limit to what should be shared," says David Kennedy, CEO of the threat tracking firm Binary Defense Systems. "And often times these dating sites provide little to no security, as we have seen with breaches going back several years from these sites."

OkCupid came under scrutiny this week after TechCrunch reported on Sunday that users have been dealing with a rise in hackers taking over accounts, then changing the account email address and password. Once this transition has happened, it's difficult for legitimate accounts owners to regain control of their profiles. Hackers then use those stolen identities for scams or harassment, or both. Multiple people who have dealt with this situation recently told TechCrunch that it was difficult to work with OkCupid to resolve the situations.

OkCupid is adamant that the hacks aren't a result of a data breach or security lapse at the dating service itself. Instead, the company says that the takeovers are the result of customers reusing passwords that have been breached elsewhere. "All websites constantly experience account takeover attempts and there haven't been an increase in account takeovers on OkCupid," a company spokesperson said in a statement. When asked about whether the company plans to add two-factor authentication to its service—which would make account takeovers more difficult—the spokesperson said, "OkCupid is always exploring ways to increase security in our products. We expect to continue to add options to continue to secure accounts."

"If history tells us one thing, we will continue to see breaches on online dating and social media sites."

David Kennedy, Binary Defense Systems

Meanwhile, Coffee Meets Bagel suffered an actual breach this week, albeit a relatively minor one. The company announced on Valentine's Day that it had detected unauthorized access to a list of users' names and email addresses from before May 2018. No passwords or other personal data was exposed. Coffee Meets Bagel says it is conducting a thorough review and systems audit following the incident, and that it is cooperating with law enforcement to investigate. The situation doesn't necessarily pose an immediate threat to users, but still creates risk by potentially fueling the body of information hackers can collect for all sorts of scams and attacks. As it is, popular dating sites already publicly expose a lot of personal user data by their nature.

Then there's Jack'd, a location-based dating app, which suffered in some ways the most devastating incident of the three, as reported by Ars Technica. The service, which has more than a million downloads on Google Play and claims five million users overall, had exposed all photos on the site, including those marked as "private," to the open internet.

The issue came from a misconfigured Amazon Web Services data repository, a common mistake that has led to all sorts of deeply problematic data exposures. Other user information, including location data, was exposed as well due to the mistake. And anyone could have intercepted all of that data, because the Jack'd application was set up to retrieve photos from the cloud system over an unencrypted connection. The company fixed the bug on February 7, but Ars reports that it took a year from when a security researcher initially disclosed the situation to Jack'd.

"Jack'd takes the privacy and security of our community very seriously, and is grateful to the researchers who alerted us to this issue," Mark Girolamo, the CEO of Jack'd maker Online-Buddies said in a statement. "At this time, the issue has been fully resolved."

Beyond these types of systemic security issues, criminals have also increasingly been using dating apps and other social media platforms to carry out "romance scams," in which a criminal pretends to form a bond with targets so they can eventually convince the victim to send them money. A data analysis from the Federal Trade Commission released on Tuesday, found that romance scams were way up in 2015, resulting in 21,000 complaints to the FTC in 2018, up from 8,500 complains in 2015. And losses from the scams totaled $143 million in 2018, a major jump from $33 million in 2015.

The same factors that make dating sites an appealing target for hackers also make them useful for romance scams: It's easier to assess and approach people on a site that are already meant for sharing information with strangers. "Users should expect little to no privacy from these sites and should be careful about the types of information they put on them," Binary Defense Systems' Kennedy says. "If history tells us one thing, we will continue to see breaches on online dating and social media sites."

Romance scams are a classic, longstanding hustle and things like exposed email addresses alone don't compare to devastating mega-breaches. But all of the exposures and gaffes mean February has not been the proudest moment for online romance. And they add to an already long list of reasons that you really need to watch your back on dating services.

https://www.wired.com/category/security/feed/