BeautifulPeople.com hack exposes data of 1.1 million users

The exclusive website was breached months ago and the information of over a million of its users has been sitting on the Dark Web ever since then.

Skin deep: Beauty was in the eye of the hacker

The online dating site BeautifulPeople.com has been hacked and the personal details of 1.1 million users sold to cyber-criminals on the dark web. 

BeautifulPeople only allows people to sign up if they are deemed attractive enough. It was hacked in December, but the data has only now started to appear on criminal marketplaces on the Dark Web. The information was stored in a MongoDB database that was open to anyone who knew its URL.

According to Australian security researcher Troy Hunt, who verified the details, information about the hack was handed to him by someone who operated in “data trading circles”.

As reported by Forbes, Hunt was able to check the data's veracity. Leaked login details could be used to reset passwords. Other data included attributes such as weight, height, job, education, body type, and eye and hair colour, as well as mobile numbers, email addresses and information that could pinpoint a user's location.

“We're looking at in excess of 100 individual data attributes per person,” Hunt told the publication. “Everything you'd expect from a site of this nature is in there.”

A spokesman for BeautifulPeople.com said: “The data said to be accessible on the ‘dark web’ is the same data as the two security researchers accessed and downloaded in the December 2015 breach.

“The breach involves data that was provided by members prior to mid-July 2015. No more recent user data or any data relating to users who joined from mid-July 2015 onward is affected.”

He added: “The privacy and security of our members is of paramount importance to us, and this matter is being investigated. All impacted members are, of course, being notified once again. The data does not contain any credit card information and user passwords are encrypted.”

Rob McConnell, market director at SQS, told SCMagazineUK.com that adequate customer data security and monitoring control measures should have raised an immediate alert to suspicious or unauthorised activity.

“It has always been important to protect personal data, but in light of this and the reality of today's ever changing digital environment, brands need to fully understand their data models; get to grips with their potentially unstructured, potentially poorly managed data and put processes in place to keep it safe,” he said.

Simon Keates, EMEA manager at Thales e-Security, told SC that seemingly innocuous information can pose a bigger problem.

“Details such as your name, your job, and where you live can be pieced together relatively easily by cyber criminals buying this information on the dark web and used as bait for targeting phishing attacks and identity theft to access more sensitive information,” he said.