Romance interrupted as dating app users’ suffer a data breach

Ruth C. | May 13, 2020

The search for love online can quickly turn bitter, and we are not talking about unfortunate catfishing incidents. By nature, online dating apps are greedy when it comes to users’ data. As a result, such services carry the tremendous burden of sealing off their databases from unauthorized access. However, very few online dating apps swipe right to advanced security measures. With the power of controlling large volumes of data, comes great responsibility that many enterprises still neglect, despite numerous reminders.

MobiFriends data breach: over 3.6 million of credentials available for download

A Data Breach Research team from Risk Based Security was the first to report that credentials of over 3.6 million of MobiFriends users are available for download. This incident dates back to 2019 when hackers roamed the service and stole credentials from MobiFriends servers. Initially, the data ended up for sale on the dark web. Experts managed to associate the attack to a hacker going by the “DonJuji” alias.

While the initial release provided restricted access to the data, the second blow was even more devastating. The full list appeared on one of the hacking forums. After that, the events escalated, and credentials started popping up on many other online platforms. In the majority of cases, it is available for free to anyone who wishes to snoop.

MobiFriends is a popular, Spain-based service, designed for uniting people with similar interests and hobbies. Be it a new romantic interest or a buddy to chat, MobiFriends claims to bring people together. However, while the painted picture is charming, the sudden reality check soon turned the service to some serious scrutiny for using out-dated practices for protecting users’ accounts.

Which data ended up in the public domain?

The good news is that the breach was not far-reaching: users’ private messages and images remain secure. However, the publicly available credentials include other sensitive information. The compromised data consists of millions of email addresses, usernames, phone numbers, dates of birth, gender details, website activity, and passwords.

Usually, if services choose industry-standard encryption algorithms, passwords might require extensive resources to decrypt. However, MobiFriends used the MD5 hash function, which has lost its robustness over the years. Security advocates no longer recommended it, especially when there are more modern alternatives. The main issue with the MD5 encryption algorithm is that it is relatively easy to decrypt hashed passwords into plaintext.

What does this breach mean to compromised users?

The MobiFriends breach is notable not only because it contributes to the ever-growing amount of customers’ credentials available to the public. It serves as yet another reminder that enterprises need to do more to protect their users. Using the MD5 encryption algorithm is no longer acceptable at this stage of the technological boom. Now, users and security experts both wonder what attacks might follow this release of millions of credentials.

It is clear that with email addresses, mobile numbers, gender information, and passwords, hackers are ready for harvest. The MobiFriends breach gives cybercriminals more than enough resources to pursue identity theft, phishing scams, or account takeovers. In addition to that, the nature of MobiFriends service might allow malicious actors to pose as other people in the online dating app. Therefore, catfishing, extortion, and stalking are all on the table in this case. The people who chat through the app might eventually agree to meet up in person as well. Instead of meeting a new friend, they might go straight into criminals’ traps.

Experts advise MobiFriends users to be cautious. It is critical to change passwords on all accounts that use the leaked login information. This problem is yet another bad habit of consumers – reusing passwords on multiple platforms. To enhance your security online, activate two-factor authentication (2FA) whenever it is possible. Furthermore, one of the best advancements in this digital age is the move towards a passwordless future. Instead of a password, opt for authentication using biometric credentials.

Ruth C.

Ruth C.

Cybersecurity Researcher and Publisher at Atlas VPN. Interested in cybercrime, online security, and privacy-related topics.


Data breach

© 2022 Atlas VPN. All rights reserved.