![X Highlights Back-to-School Marketing Opportunities [Infographic]](https://imgproxy.divecdn.com/dM1TxaOzbLu_kb9YjLpd7P_E_B_FkFsuKp2uSGPS5i8/g:ce/rs:fit:770:435/Z3M6Ly9kaXZlc2l0ZS1zdG9yYWdlL2RpdmVpbWFnZS94X2JhY2tfdG9fc2Nob29sMi5wbmc=.webp)
Major data breach at popular hookup app leaks data on millions of users - see if you're safe
A dating site kept an open database on the internet, but claims it contained test data.
- Cybernews found an unescured MongoDB instance belonging to Headero
- The database contained millions of records and PII
- It has since been locked down, but users should still be on their guard
Security researchers from Cybernews have reported uncovering a massive MongoDB instance belonging to a dating and hookup app called Headero.
The database contained more than 350,000 user records, more than three million chat records, and more than a million chat room records.
Among the exposed data are names, email addresses, social login IDs, JWT tokens, profile pictures, device tokens, sexual preferences, STD status, and - extra worryingly - exact GPS locations.
No evidence of abuse
Cybernews reached out to the app’s developers, a US-based company named ThotExperiment, which immediately locked the database down. The company told the researchers that it was a test database, but Cybernews’ analysis indicates that it could have been actual user data, instead.
Unfortunately, we don’t know for how long the database remained open, and if any threat actors accessed it in the past. So far, there is no evidence of abuse in the wild.
Human error leading to exposed databases remains one of the most common causes of data leaks and security breaches.
Researchers are constantly scanning the internet with specialized search engines, finding massive non-password-protected databases almost daily.
These leaks can put people at risk, since cybercriminals can use the information to tailor highly convincing phishing attacks, through which they can deploy malware, steal sensitive files, and even commit wire fraud.
Headero users are advised to be extra vigilant when receiving unsolicited messages, both via email and social platforms.
They should also be careful not to download any files or click on any links in such messages, especially if the messages carry a sense of urgency with them. If they are using the same password across multiple services, they should change them, and clear sessions / revoke tokens in apps, where possible.
You might also like
- Top US dental firm spills over 8 million user files online
- Take a look at our guide to the best authenticator app
- We've rounded up the best password managers
