845GB of racy dating app records exposed to entire internet via leaky AWS buckets

We've kept this story safe for work... which is perhaps a little odd because you're all working from home anyway

Tue 16 Jun 2020 // 07:56 UTC

Hundreds of thousands of sensitive dating app profiles – including images of "a graphic, sexual nature" – were exposed online for anyone stumbling across them to download.

Word of the uncontrolled emission burst forth from vpnMentor this week, which claims it found a misconfigured AWS S3 bucket containing 845GB of private dating app records.

Data exposed included photos, many of a graphic, sexual nature; private chats and details of financial transactions; audio recordings; and limited personally identifiable information, the biz stated, adding that it thinks it found sufficient data to blackmail people.

"Aside from exposing potentially millions of users of the apps to danger, the breach also exposed the various apps' entire AWS infrastructure through unsecured admin credentials and passwords," vpnMentor's researchers wrote.

Sorry to be blunt about this... Open AWS S3 storage bucket just made 30,000 potheads' privacy go up in smoke

The haul is estimated to contain hundreds of thousands of users' data, all exposed to the public internet without any authentication. We note vpnMentor thinks this figure could be in the millions.

The storage silo was used by nine rather niche dating apps, including SugarD, which connects sugar daddies with sugar babies, whom they financially support with gifts and cash. Gay Daddy Bear, which targets plus-sized, hairy gay men, was also exposed, we're told. Data from the-self-explanatory-but-puzzling-in-other-ways Herpes Dating was also revealed.

Just who built the apps and made the fateful decision to misconfigure the buckets is not known, though vpnMentor suspects the nine services share a common developer. Whoever is to blame, they ignored the regular warnings Amazon Web Services sends to S3 customers regarding controlling and limiting access to cloud-hosted data.

Users of the apps can take some small comfort from the fact the buckets were taken offline on 27 May, a day after the researchers informed one of the websites about the risk of unauthorized access. ®

Topics

Special Features

Vendor Voice

Resources

Security

845GB of racy dating app records exposed to entire internet via leaky AWS buckets

We've kept this story safe for work... which is perhaps a little odd because you're all working from home anyway

Sorry to be blunt about this... Open AWS S3 storage bucket just made 30,000 potheads' privacy go up in smoke

More about

More about

More about

More about

More about

TIP US OFF

Other stories you might like

Dems and Repubs agree on something – a law to tackle unauthorized NSFW deepfakes

Europe classifies three adult sites as worthy of its toughest internet regulations

Either the FBI is recruiting in Iran – or some govt Google ad buyers are getting a lousy deal

A different view from the edge

US AGs: We need law to purge the web of AI-drawn child sex abuse material

School chat app Seesaw abused to send 'inappropriate image' to parents, teachers

Tesla owner gets key fob chip implanted in his hand

About Us

Our Websites

Your Privacy