The Home of the Security Bloggers Network
Dating apps and online dating have become the only options for finding love during the COVID-19 pandemic. However, while some users are finding love online, others are finding heartbreak and an unlucky few are finding something much worse.
Just as dating apps and websites have found their way into the hearts of lonely users on lockdown, they have also come to the attention of crafty hackers. Although the internet and apps are the safest way to date at the moment, there are still a number of risks and dangers associated with them. Users must be aware of catfishing, dating scams and sextortion, while the platforms themselves bring additional concerns, like data breaches and unpatched vulnerabilities that can very easily put users’ data in the wrong hands.
Dating scams have spiked during the pandemic, with a number of financial and fraud organizations issuing warnings due to the increase. UK financial consultancy UK Finance revealed that there was a 20% increase in romance scams in 2020, with £18.5 million lost to scammers. The U.S. Federal Trade Commission found $304 million stolen using romance scams in 2020, a 50% increase from 2019. This month, Action Fraud also announced that they had seen a rise in reports of romance fraud in 2020, with reported losses of over £68 million.
However, victims are not only being tricked into sending money via bank transfers, but have also lost money by sending fraudsters gift cards and vouchers, as well as presents such as phones or laptops, and providing them with access to their bank accounts or cards. One woman was conned out of £320,000, while another gave away her life savings of £40,000 to a man she fell in love with online. Scammers trick people into sending these tokens of affection by first gaining trust and then convincing them that their relationships, and they themselves, are genuine. Most of the victims are already vulnerable, using dating apps as a lifeline during the pandemic, and when they are manipulated to such an extent, it is understandable that they would hand their money over.
Furthermore, cybercriminals have also turned to hacking dating apps. Malicious actors have searched out every vulnerability they can find in dating platforms, and extracted users’ data to pawn on the dark web. As a result, almost every month during the pandemic a dating platform has experienced a data breach.
1. A hacker exposed the data of 2.28 million MeetMindful users.
Earlier this year, a hacker leaked the data of 2.28 million MeetMindful users. A 1.2 GB file was posted on a hacker forum containing the information users provided when setting up a MeetMindful profile. The data included users’ full names, email addresses, birth dates, location, IP address and much more.
2. Grindr, OKCupid, Bumble and others were vulnerable to a patched bug.
In December 2020, researchers discovered that a number of mobile apps available via app stores were still exposed to the CVE-2020-8913 vulnerability, including dating apps such as Grindr, OKCupid and Bumble. The vulnerability allowed threat actors to inject malicious code into the applications, giving them access to all the resources of the hosting application as well as to data stored on other apps on the same mobile device.
3. A Bumble vulnerability possibly exposed 100 million users’ data.
An API vulnerability was found in the dating app Bumble. The vulnerability exposed the sensitive data of almost 100 million users, including their Facebook information, location, weight, height, personal characteristics and more. This sort of data could easily be used to conduct social engineering and phishing attacks on unsuspecting users.
Users may experience more than heartbreak while using dating apps; a hack, data breach, theft or loss could be much worse. However, this doesn’t mean users should stop using dating apps altogether. There are numerous ways to keep users and data safe.
Before downloading an app, research it. This is application security 101 – make sure to read the platform’s privacy statement and/or terms and conditions; see where the company is based and look up reviews. By doing this, you will have a good understanding of how the app uses the data provided, where the data is going and whether it is secure.
When downloading dating apps, try to stay vigilant and be aware of spoofs. When you are downloading any dating app (or, really, any app at all), make sure to download official apps from official app stores, as apps from unofficial stores are more likely to be fake. Look closely for spoofed apps, and beware of apps that only have a small number of reviews. Also be wary of in-app purchases you wouldn’t normally expect.
Another safety precaution is making sure you download apps developed in your area, to the best of your ability (in other words, if you are using a European app store, look for apps based and developed in that same geographic area). Furthermore, if you are using a dating website, make sure to check if the site uses the HTTPS protocol, and whether there is a lock icon in the address bar, before inputting any data into the site.
While using dating sites and apps, try to protect your data, as well as yourself. Even official apps and dating sites are prone to data breaches, so take every precaution with your data when using these platforms. You want to stay as anonymous as possible when dating online, so when you sign up for an account, try not to use your usual email address or, especially, an email linked to business accounts. Bear in mind when talking to other users that not everyone is who or what they say they are; try to share as little information as possible until you meet someone, or otherwise establish that they are real. Similarly, be careful not to reveal too much personal information, as this can be used to breach multi-factor authentication or to hijack an account. If someone is asking for too much information, this is a red flag – it is always wise to block users acting in this way and report them to protect others.
If a dating platform you use has been breached, you can still try to protect your data. First, change the username and password you have connected to this account. It’s a best practice to use a password manager and the passwords it generates, and remember to never duplicate passwords across different accounts. If you also have a credit/debit card connected to the account, check for fraudulent activity and, if you suspect any, disconnect the card from the account. If you have provided any ID to verify an account, make sure to check your credit history and score in case you’ve unwittingly been a victim of identity theft. Finally, if you used any personal information connected to standard security/password recovery questions, such as pets’ names, make sure you change these answers on any other sites where you have used them.
Vincent De Beer has over 15 years of experience working in IT. Currently, he is Chief Operations Officer at Cortex Insight. He strives to deliver a complete proactive, monitoring and alerting service to customers while assisting with ongoing improvements of the company’s service offering. Previously, he worked in the financial industry for near on 10 years, where he designed, secured and monitored various systems, implemented best practice standards and analysed data to aid in business strategy.