“MobiFriends” Suffered a Data Breach but Told Exposed Users Nothing
- A new dump has appeared on the dark web, and it contains the data of millions of “MobiFriends” users.
- The data breach occurred over a year ago, but the platform didn’t disclose this matter to the public.
- The hackers might have accessed an unprotected database, or they might have exploited an API flaw.
The popular dating app “MobiFriends” has suffered a data breach in January 2019, resulting in the compromise of the personal details of 3,688,060 users. The app decided to keep the incident a secret, hoping that it will go unnoticed - but it didn’t. Recently, someone with the nickname "DonJuji" put up the stolen data for sale on a dark web forum, and the dump quickly found its way in multiple channels. Some are even giving it away for free now, as the initial sale took place on January 12, 2020 - so quite a few months have passed.
The first white-hat firm to notice this sale was “Risk Based Security,” and so the whole story went public. The data was quickly verified to be authentic and was linked to the MobiFriends platform. Still, the dump also includes professional email addresses from American International Group (AIG), Experian, Walmart, Virgin Media, and other large companies. The leaked data includes the following details:
- Usernames
- MD5 Hashed Passwords
- Email addresses
- Genders
- Website Activity
By using the above, malicious actors could potentially launch credential stuffing attacks, approach the users via email for scamming or phishing purposes, or even extort them. For example, married people who are found in these lists would be ideal targets for blackmailing. That said, this is another characteristic example of a compromise that is considered grave due to the type of platform that was responsible for protecting the information.
MobiFriends, a Barcelona-based entity that has been around since 2005, hasn’t provided an official response even after all these revelations came to light. It is possible that the hackers managed to scrape this amount of data by exploiting an API vulnerability, or by downloading a service or backup database that was left online and accessible without a password due to a misconfiguration. Both scenarios are things that we see very often, but this is not the case anymore.
The main issue here is the fact that MobiFriends has failed to protect the sensitive data of its userbase, and then betrayed their trust by not informing them of the breach. Sure, they may claim that they didn’t even realize the incident, or that they were still investigating even after 14 months have passed, but this won't actually make things any better. If you have or had an account on MobiFriends, you’d better reset your credentials there, and anywhere else you may be using the same username, email, and password.