Over 3.6 Million Users Were Hacked on Dating App MobiFriends

Privacy
  • Wednesday, July 01 2020 @ 07:01 am

Personal information stolen from 3,688,060 users of dating app MobiFriends was posted online, according to ZDNet.

The information doesn’t contain private photos or messages or any sexual-related content, but it does include other sensitive data that can be exploited, including email addresses, mobile numbers, dates of birth, gender information, usernames and passwords.

The personal data also includes recent app and website activity of the users. 

The breach dates as far back as January 2019, ZDNet reported, and the hacker who had initially stolen the data, “DonJuji,” had tried to sell it on a hacking forum. The data was later shared for free on the same forum by another participant.

MobiFriends, which is based in Barcelona, has remained silent on what happened. It is not confirmed whether the company knew a year and a half ago that this breach had occurred, or when it found out.

Risk Based Security (RBS), a US-based cyber security company, was the first to see and report the hacked data in April of 2020, according to ZDNet. RBS traced the information back to MobiFriends. 

RBS told ZDNet that “the data leak contains professional email addresses related to well-known entities including: American International Group (AIG), Experian, Walmart, Virgin Media, and a number of other F1000 companies.” In addition to users being vulnerable to extortion, identity theft and other issues, having their emails and passwords published poses a risk to other apps and websites these users frequented outside of MobiFriends.

RBS advised users to change their usernames and passwords for safety.

It’s not known how the hacker was able to breach the system and how the personal data of over three and a half million users was obtained. It could have been a vulnerability in a server or API, or possibly MobiFriends left a database exposed online without a password.

RBS senior dark web analyst Roy Bass told Threatpost that they were able to trace the breach back to MobiFriends because “researchers verified the data against the MobiFriends official website,” and backed up their claim with redacted screenshots of the stolen data.

Data breaches have driven companies to further secure data, especially as more people use apps and websites for shopping, ordering takeout and dating, among other activities, and give up more and more personal information.

Bass told Threatpost that because the leak included dates of birth or phone numbers, “it is possible for threat actors to use this data in conjunction with other data breaches to have a wide range of compromised data on an individual. If enough valuable information is compiled it could be sold and/or later used for identity theft, extortion, and other malicious campaigns.”