Expert Comment: Heyyo Dating App Leaked Users’ Personal Data, Photos etc.

Security experts comment on the news that the online dating app Heyyo left a server exposed on the internet without a password. The Elasticsearch database exposed the personal details, images, location data, phone numbers, and dating preferences of nearly 72,000 users, believed to be the app’s entire user base. The exposed server allowed anyone with a web browser to contact some of the users whose phone numbers were included in the database.

EXPERTS’ COMMENTS
Robert Ramsden Board, VP EMEA, Securonix
September 26, 2019
The data leaked exposes users to a host of security threats, which could leave them vulnerable to scammers.
Another unsecured Elasticsearch engine, another dating app data breach. Servers should never be left without authentication or a password. This is just basic cybersecurity hygiene, but unfortunately for companies using default or misconfigured security settings, data breaches are becoming a regular occurrence, and this is just the latest example. The data leaked exposes users to a host of security threats, which could leave them vulnerable to scammers. Threats range from identity theft, catfishing, blackmail and sexual harassment to phishing. Users should be cautious about the information they share on dating apps and stay alert to any suspicious activity or interactions.
Warren Poschman, Senior Solutions Architect, comforte AG
September 26, 2019
Instead of remaining sanguine, it’s time for organizations to face reality and act to secure their data.
With the power of data analytics also comes great responsibility – unfortunately something that many organizations still fail to fully grasp, even after numerous breaches. This most recent breach at Dealer Leads is also evidence that unsecured or misconfigured NoSQL instances continue to be prevalent, as the virtual low-hanging fruit for cybercriminals. Instead of remaining sanguine, it’s time for organizations to face reality and act to secure their data. This starts with following best practices for configuration, something that is widely available for each platform, as well as implementing data-centric security to protect and deidentify data – something that is designed to be analytics friendly and strongly protects the data regardless of what it is stored in, who has possession of it, or whether the system or perimeter is compromised.
Terry Ray, Senior Vice President and Fellow, Imperva
September 26, 2019
Leaky databases and administrative misconfigurations are becoming a regularity, and it’s a relatively simple problem to fix.
While this is by no means the first time we’ve seen personal information leaked from a dating app (in fact, just earlier this year the data from multiple dating apps was found to be stored on a leaky database), the breadth of information leaked in this case is startling. Beyond names, phone numbers, emails and other PII, the leaked data also included how people were utilizing the app and the interactions they had on there. Leaky databases and administrative misconfigurations are becoming a regularity, and it’s a relatively simple problem to fix. Too often, private information is collected, yet the collecting organization doesn’t monitor or protect who has access to the data, when the data is viewed, or whether the data has been stolen. In this case, the leaky server was brought to the attention of the company behind the app, yet they took no action to secure it. This is particularly worrying: if you are storing user data, you are responsible for ensuring that data is protected.
Robert Prigge, President, Jumio
September 26, 2019
Heyyo is giving criminals everything they need to perpetrate identity theft and account takeover.
Heyyo’s user database breach occurred because the information was left on a server without a password – another egregious lapse in security which is fueling the cybercrime market on the dark web. By exposing its users’ personal details, images, phone numbers, dating preferences and location data, Heyyo is giving criminals everything they need to perpetrate identity theft and account takeover. In 2019, we have seen an increase in online dating scams and attacks, such as catfishing, extortion, stalking and sexual assault. Because online dating sites often facilitate in-person meetings between two people, organizations need to make sure users are who they claim to be online – both in initial account creation and with each subsequent login. As online dating fraud continues to escalate, businesses must implement stronger means of user authentication for online dating sites, such as face-based biometric authentication, to protect users’ real-world safety and personal information.
Chris DeRamus, Co-founder & CTO, DivvyCloud
September 26, 2019
Database misconfigurations have proven time and time again to be the Achilles’ Heel of many organizations that have suffered data breaches this year.
Like countless other organizations, Heyyo has left an Elasticsearch server unprotected, without a password, exposing highly sensitive user data. The exposed information included user location, meaning that bad actors could leverage this info to stalk impacted users, in addition to other cyberattacks like sophisticated phishing attacks. The dangers of exposing consumer information are not just limited to the internet – there are very real risks to physical safety. Consumers put their trust in companies by allowing them to collect and store their information. To honor the trust of app users and customers, organizations must be diligent in ensuring their data is protected with proper security controls. Database misconfigurations have proven time and time again to be the Achilles’ heel of many organizations that have suffered data breaches this year, yet there are very simple and highly effective solutions available to prevent this. Automated cloud security solutions can grant organizations the ability to detect misconfigurations and alert the appropriate personnel to correct the issue, or even trigger automated remediation in real time so that Elasticsearch databases and other assets never have the opportunity to be exposed, even temporarily.
Stephen Gailey, Head of Solutions Architecture, Exabeam
September 25, 2019
It doesn’t matter how good your technology is, in the end, it will be let down by poor operational practices.
This dating app’s woes highlight a fundamental truth about information security – it doesn’t matter how good your technology is, in the end, it will be let down by poor operational practices. Admittedly some technologies make it harder than others to get things right, but the reality is that operational teams either don’t understand security best practices or are given too little time and resources to follow them. What happened at Heyyo in terms of poor operational controls is happening across the world today, and the next company to be in the news is probably being breached as we speak.
Anurag Kahol, CTO, Bitglass
September 25, 2019
In fact, there are now tools designed to detect abusable misconfigurations within IT assets like Elasticsearch databases.
It does not take much effort for outsiders to find unsecured databases and access sensitive information. In fact, there are now tools designed to detect abusable misconfigurations within IT assets like Elasticsearch databases. Because of these tools (and the continued carelessness of companies when it comes to cybersecurity), abusing misconfigurations has grown in popularity as an attack vector across all industries. Such vulnerabilities can pose major threats to data security, data subject wellbeing, regulatory compliance, and brand reputation. Even companies with limited IT resources must take full responsibility for securing user data – there is no excuse for negligent security practices such as leaving databases exposed. As such, they must turn to flexible, cost-effective solutions that can prevent data leakage; for example, cloud access security brokers (CASBs) that boast features like cloud security posture management (CSPM), data loss prevention (DLP), user and entity behaviour analytics (UEBA), and encryption of data at rest. It is only with these types of capabilities that an enterprise can be certain that its data is truly safe.
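Several of the comments above (Ramsden Board on servers left without authentication, DeRamus on automated detection of misconfigurations, Kahol on tooling that flags exposed Elasticsearch instances) describe the same control: check an Elasticsearch node's own configuration for the settings that make it reachable without a password. The script below is an added example, not code from the article, from Heyyo, or from any of the vendors quoted. It audits a flat elasticsearch.yml from the defender's side, with two constructed sample configurations (an exposed one beside a hardened one) embedded inline. The setting names (network.host, xpack.security.enabled, xpack.security.http.ssl.enabled) are real Elasticsearch keys; the cluster and node names are invented.

```python
"""Audit an elasticsearch.yml for settings that expose the HTTP API without
authentication. Added example; the sample configurations are constructed and
are not Heyyo's real configuration."""

# Constructed sample: binds to every interface and disables X-Pack security,
# which is the shape of configuration behind the breach the article describes.
EXPOSED_CONFIG = """\
cluster.name: dating-app-prod      # hypothetical cluster name
node.name: es-1
network.host: 0.0.0.0
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false
"""

# Constructed sample: loopback only, authentication on, TLS on the HTTP API.
HARDENED_CONFIG = """\
cluster.name: dating-app-prod
node.name: es-1
network.host: 127.0.0.1
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Values Elasticsearch accepts for network.host that stay on the local machine.
LOOPBACK = {"127.0.0.1", "::1", "localhost", "_local_"}


def parse_flat_yaml(text):
    """Parse the flat 'dotted.key: value' lines elasticsearch.yml normally uses.
    Comments are stripped; nested YAML is not needed for these keys."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("'\"")
    return settings


def is_loopback(host):
    """True only if every address in network.host (scalar or [a, b] list)
    is a loopback value; any non-loopback entry means external exposure."""
    hosts = [h.strip() for h in host.strip("[]").split(",") if h.strip()]
    return bool(hosts) and all(h in LOOPBACK for h in hosts)


def audit(settings):
    """Return a list of findings; an empty list means none of the three
    exposure conditions was observed."""
    findings = []
    # Unset network.host defaults to _local_ (loopback), so that is safe.
    host = settings.get("network.host", "_local_")
    if not is_loopback(host):
        findings.append(f"network.host={host}: HTTP API reachable from non-loopback interfaces")
    # Treat 'unset' as 'not verified': releases before 8.0 defaulted this to false.
    if settings.get("xpack.security.enabled", "").lower() != "true":
        findings.append("xpack.security.enabled is not true: no authentication on the HTTP API")
    if settings.get("xpack.security.http.ssl.enabled", "").lower() != "true":
        findings.append("xpack.security.http.ssl.enabled is not true: credentials and data cross the network in clear text")
    return findings


if __name__ == "__main__":
    for label, text in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in audit(parse_flat_yaml(text)) or ["no findings"]:
            print("  -", finding)
```

The check is deliberately conservative: a missing xpack.security.enabled is reported rather than assumed safe, because pre-8.0 releases defaulted it to off, and a network.host list is only accepted when every entry is loopback. In a deployment the same three findings are what a CSPM rule or a CI lint of the node's configuration would alert on before the node is reachable from the internet.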
