Accusations fly over HIV-positive details leak

News by Max Metzger

After the details of nearly 5000 HIV-positive customers were exposed in the Mongo DB database leaks, the researchers who reported the exposure have been accused of the crime itself.

A breach that exposed the personal details of 5000 HIV-positive customers has been labelled a case of foxes guarding the henhouse with accusations flying .

Late last month, the MongoDB databases, which power Hzone, a HIV-positive dating site, were revealed to be misconfigured leaving the details of millions of users exposed. 5000 of those belonged to H-zone, an app which allows HIV-positive individuals to date other, similarly afflicted individuals.

The information included date of birth, relationship status, religion, location, height, sexual orientation, number of children, IP details, password as well as a whole plethora of other personal information.

Word was spread by Chris Vickery, a security researcher, who discovered this massive leak by simply using Shodan, the internet search tool which tracks and indexes internet connected devices. Once word had been spread, with the assistance of the admin of the, Dissent, it took a week for Hzone to respond. In fact, Hzone did not do so until Dissent actually sent an email to the company, saying she was going to write about it.

After a lengthy exchange between the two parties, Justin Robert, the CEO of Hzone, accused Vickey and Dissent of foul play. The CEO told CSOonline, “We noticed the database leaking at around 12:00 AM on Dec 13th, and an hour later, the hacker accessed our server and changed our users' profile description to 'This app is about users' database leaking, don't use it'. Around 1:30 AM on Dec 14th, our IT team recovered it and secured our server." This timeline apparently differs from the timeline that Vickery and Dissent gave.

Dissent spoke to SCMagazineUK. com, saying that Hzone's CEO has changed his statement plenty of times and provided little proof for his claims.

“I'm not even sure which things he thinks and which things he think independent researcher Chris Vickery did”,  Dissent told SC,  “so I'm not even sure what he's threatening to sue me for.”

Dissent assured SC that “ never accessed the Hzone database, much less downloaded data from it, and this site never altered any of their records. Any claim by him about this site's conduct to the contrary is either a lie, an attempt on his part to deflect blame for their security and incident response failures, or he really is totally clueless as to what happened.” 

And she added: “The only statement he made that I really believe is that they don't have a strong tech team”.

Hzone released a statement on its website saying, “As a growing technology firm, we are always on the lookout of opportunities to optimise our data servers, to be able to deliver better services to all our stakeholders. During one such transition activity, our database was exposed to a group of hackers, who were able to momentarily access our servers.”

But he added: “Our systems have captured vital data pertaining to the group involved in the condemnable act of hacking into our databases. We firmly believe that any attempt to steal any sort of information is a despicable and immoral act, and reserve the right to sue the involved parties in all relevant courts of law.”

The statement added that Hzone has now put in place strong security measures to prevent further breaches.

Robert, the CEO of Hzone told SC that he could not say who had accessed the Hzone server due to legal problems and denied that he accused Dissent or Vickery of attacking Hzone's server. 

But, said Robert, "What I can let you know is that we have already kept the evidence and proceed with a legal action if he/she does not stop accessing our database or just [publish] our users' personal info in any way. As you may see, we will do whatever we can do to protect our HIV members."

Robert added that the leak happened when "our programmer failed to secure the users' database when optimising the system. It is our fault. But now, it is safe to use Hzone."

However, Hzone was just a small part of the MongoDB database leak. 13 million users of the MacKeeper OSX were exposed as well  as 2.5 million users of the gaming site Slingo and 2.6 million members of the OkHello video chat service. Vickery disclosed this information but others also found that Major League Baseball fans, users of the the social network Vixlet and followers of the nu-metal band, SlipKnot were exposed in the MongoDB database leak.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews