The Heyyo dating app has become the latest service to suffer a data breach after it left an Elasticsearch server exposed on the internet without a password.
The unsecured server, which contained the private information of over 70,000 users, was discovered by security researchers at WizCase.
“Avishai Efrat, Wizcase leading hacktivist, discovered a severe data leak on Heyyo, a relatively new mobile dating app,” revealed WizCase in a blog post. “Our team was able to access a database of over 70,000 users from around the world through an unsecured Elasticsearch engine. The majority of affected users are based in Turkey, but there’s also a significant number from the US and Brazil, which is over ⅕ of their user base.”
According to the team, the leaked data includes the usernames, email addresses, country, GPS location, type of mobile device, gender, birthday, sexual preferences, links to social media profiles, phone number, and occupations of thousands of Heyyo users.
Moreover, the site also confirmed that, on top of the personal info mentioned above, scammers can also easily access other sensitive data, including the profiles that users have liked, blocked, messaged, and viewed through the app.
Following the revelation, WizCase warned that, aside from the privacy breach, affected users may also face several other security threats. These could include identity theft, catfishing, blackmailing, sexual discrimination, sexual harassment, and phishing.
To confirm how alarming the leak is, ZDNet performed a simple test by taking the details of three random users affected by the Heyyo breach. Using only Google search queries and open-source intelligence scripts retrieved from GitHub, the site easily tracked down the three users and even identified their LinkedIn profiles, social media accounts, and online posts made on niche internet forums.
In May this year, security researcher Jeremiah Fowler revealed he had found a non-password-protected Elastic database containing 42.5 million user records from a different dating app. The many affected apps include CougarDating, ChristiansFinder, Mingler, FWBS (Friends with Benefits), and TS (Transdr).
Following WizCase’s revelation, Heyyo became the newest addition to the list of dating apps that have exposed the personal info of their users.
“Currently, it is unclear if any malicious third-parties have also spotted Heyyo’s leaky server besides the WizCase crew, so we don’t know if anyone else might have downloaded all this information. Only an investigation from Heyyo’s staff could confirm if this data has fallen in the wrong hands, and if users are in any danger,” ZDNet added.