Hacking enthusiast, Avishai Efrat of cybersecurity website, Wizcase has discovered a security breach on Heyyo, a mobile dating app based in Turkey. The breach resulted in the exposure of user data which included GPS location, links to social media profiles, photographs, phone numbers, smartphone details, sexual preferences, messages, and many others and affected an estimated 77,000 registered users from Turkey, Brazil, USA, Africa, Germany, Portugal, and Spain.
Our team was able to access a database of over 70,000 users from around the world through an unsecured Elasticsearch engine. The majority of affected users are based in Turkey, but there’s also a significant number from the U.S and Brazil, which is over one-fifth of their user base.
Despite this breach, it appears the app is still garnering more users - with a 7.7% increase of users, growing from a registered 71,769 to 71,921 in countries around the world.
This is quickly becoming a trend with other dating platforms like Ashley Madison, Grindr, Luscious and others being hacked and compromising user data. This Heyyo leak was discovered on an Elasticsearch engine which has rather lax security precautions and requires no authentication or password on its default system, it held the records and had over 600 MB of data present, which in the wrong hands could be used in a variety of criminal endeavours.
Cybersecurity researchers have said the breach has affected user privacy a great deal, opening them up to a number of cyberattacks including scamming, identity theft, catfishing, phishing, blackmail, as well as more physical threats like sexual harrassment and hate crimes.
When contacted about the leak, Heyyo were unable to deliver a prompt response -only responding after a week. However, since news of the breach broke, the appropriate authorities and Turkey’s Computer Emergency Response team(CERT) were alerted, and the compromised server taken down. It is unclear at this time if any cybercriminals or bodies were able to gain entry to data on the server.
Following this, users are advised to be vigilant about their online security and report any suspicious activities. As scammers could use user identities online, it would be prudent to practice more safe online activities, change passwords regularly to protect social media and email accounts that could have been accessed.
Sharing personal information such as accurate location, photographs, financial data and family details with people met online is a huge blunder which in many instances both past and present are used as leverage by criminal entities to intimidate and extort people.