A team of cybersecurity experts has discovered an unprotected online database that exposes not only personally identifiable information of more than 70,000 individuals but also leaks their dating behavior and sexual preferences. The database was linked to a Turkey-based dating application called Heyyo, which has users from all over the world, including the United States.
Through the Elasticsearch engine, researchers from Wizcase, an online security portal, found a database owned by the dating app that lacked any form of protection, such as passwords or encryption. Avishai Efrat, Wizcase's leading hacktivist, together with his team, discovered that the database holds more than 70,000 records containing sensitive information about Heyyo users.
Heyyo is an online dating application based in Turkey and one of the newest players in the dating app market. “Heyyo puts aside ‘I’m looking for a friend’ words by taking on finding love mission with random matching, unlike the free date & chat applications where finding love mission is belong to users,” the company said on its website.
The team determined that the majority of the data exposed in the unprotected database is traced back to Turkey; however, a significant number of users can also be traced to the United States and five other countries. The data from users outside Turkey comprises at least 20% of the exposed database, the researchers said in a blog post.
The users whose data was included in the leaked database came from Turkey, Brazil, the U.S.A., Africa, Germany, Portugal, and Spain. “For Heyyo users, public access to this data is a massive breach of their privacy,” the researchers said in the blog post.
Compromised data includes dating behavior and sexual orientation of Heyyo users
The exposed database leaked personally identifiable information of Heyyo users. The leak includes user names (mainly first names), email addresses, country, GPS location (latitude and longitude), the type of mobile device the app was downloaded on, gender, and date of birth.
Interestingly, the database also contains highly sensitive information that could potentially disclose users’ sexual orientation based on the recent searches they have done. The researchers said that the database also contains entries pertaining to the dating history of the users, including likes, dislikes, super likes, message count, and the accounts they have recently blocked.
Furthermore, the database also contains the links to users’ social media accounts like Facebook and Instagram, together with their profile photos, phone numbers, and even their occupations.
The researchers warn that, on top of having their data leaked, the users of the Heyyo dating app now face a multitude of cybersecurity and online risks because their data is available out in the open. The risks, according to the researchers, include identity theft, catfishing, blackmail, sexual harassment, and phishing.
Furthermore, the researchers said that the leak had left members of the LGBTQ+ community vulnerable to possible sexual discrimination because the database contains information that can “out” them. This is particularly dangerous for users who reside in countries with strict homosexuality laws. It’s alarming, the researchers note, because Turkey is one of those countries.
“Dating profiles are filled with private information, including images and sexual orientation. This could easily lead to targeting of LGBT users, especially in a country like Turkey, which still allows for discriminating against members of the LGBT community,” the blog post reads.
It remains unclear whether the database is still active and accessible online or has already been taken down.
Meanwhile, the researchers also encourage Heyyo users to be careful about the data they post on their accounts.
“If you have an active profile on Heyyo, you should be careful with the personal data that you add to your profile,” they said. “You should also stay alert and report any suspicious online activity. Potential scammers could have used your personal details, or anyone else’s from the database, that was exposed in the breach.”