Dating app Heyyo exposes data of more than 70,000 users

Dating app Heyyo left an Elasticsearch server online without password protection, putting more than 70,000 users at risk

Yet another online dating data breach was reported, with yet another Elasticsearch server in question. Online dating app Heyyo has left an Elasticsearch server online without password protection.

The unsecured server was discovered by security researchers at WizCase. The leak contained private information, including messages, photos, sexual preferences, occupation, and more for over 70,000 registered users worldwide. 

"Wizcase leading hacktivist Avishai Efrat discovered a severe data leak on Heyyo, a relatively new mobile dating app. Our team was able to access a database of over 70,000 users from around the world through an unsecured Elasticsearch engine," said the WizCase blog post on the discovery. 

The majority of affected users are based in Turkey. However, a significant number comes from the US and Brazil, which together hold 20 percent of Heyyo’s user base.

"Heyyo used an Elasticsearch engine, which is installed on a Digital Ocean cloud hosted server. The Elasticsearch default setting requires no authentication or password to gain entry," said the blog post.

Days ago, security researchers discovered a massive data breach affecting the entire population of Ecuador. The database of about 18GB of data holding 20.8 million records was exposed on an unsecured Elasticsearch server located in Miami, Florida.

This details exposed by the leaky server here range from basics, such as personal details, images, location data, phone numbers, and dating preferences, to the accounts of the users on Facebook and Instagram. 

A scammer who accesses the database will be able to draft an intimate profile of the users by obtaining their personal details (name, email, photos), partner preferences (age, location, gender), location and address.

"Another unsecure Elasticsearch engine, another dating app data breach. Servers should never be left without authentication or a password. This is just basic cyber-security hygiene but unfortunately for companies using default or misconfigured security settings, data breaches are becoming a regular occurrence and this is just the latest example," said Robert Ramsden Board, EMEA VP at Securonix.

The detailed, personal data available make dating websites a preferred target for cyber-criminals. From high-profile data breaches - such as Ashley Madison - to honey-trapping, dating websites and apps are increasingly being targeted or abused. 

Password authentication, IP whitelisting, and additional monitoring would have greatly reduced the chances of such a data breach, but companies using default or misconfigured security settings for databases has become a common practice for companies, said the blog post.

Finding such unsecured databases and accessing sensitive information is easy, Bitglass CTO Anurag Kahol pointed out.

"There are now tools designed to detect abusable misconfigurations within IT assets like ElasticSearch databases. Because of these tools, and the continued carelessness of companies when it comes to cyber-security, abusing misconfigurations has grown in popularity as an attack vector across all industries," he said. 

The Heyyo issue highlights the fact that even the best security technology will be let down by poor operational practices, noted Stephen Gailey, head of solutions architecture at Exabeam.

"Admittedly some technologies make it harder than others to get things right, but the reality is that operational teams either don’t understand security best practice or are given too little time and resources to follow them," he said.

"What happened at Heyyo in terms of poor operational controls is happening across the world today and the next company to be in the news is probably being breached as we speak."

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews