Dating site that once faked being hacked is breached for real this time

Beautiful people, they’re just like the rest of us – they can be victims of data breaches, too.

A data breach at the online dating site has exposed over a million members’ account information, including personal details such as sexual orientation, marital status, income, birth date, email address and home address.

BeautifulPeople confirmed in a statement to Forbes that the breach happened last December.

The company said no financial information was stolen, and passwords were “encrypted,” according to Forbes.

Although the company said it already informed the 1.1 million affected members after the breach occurred, those members are “being notified once again”:

The breach involves data that was provided by members prior to mid July 2015. No more recent user data or any data relating to users who joined from mid July 2015 onward is affected. All impacted members are, of course, being notified once again. The data does not contain any credit card information and user passwords are encrypted.

BeautifulPeople claims to be an “elite online club, where every member works the door.”

BeautifulPeople’s members vote on whether to allow new people to join based on their appearance – only beautiful people are allowed; if you’re just average, you’re voted out.

Ironically, BeautifulPeople once claimed that its website had been infected with a “Shrek virus” that allowed thousands of unattractive people to be accepted as members, who had to be purged when the “virus” was discovered.

It was a cruel publicity stunt, and many media outlets fell for it – but BeautifulPeople isn’t looking quite so clever now.

Sensitive data exposed

BeautifulPeople’s data breach happened in December 2015, but we’re just hearing about it now thanks to two security researchers who came into possession of the data in different ways.

As Forbes writer Thomas Fox-Brewster tells it, he was notified of the breach back in December by security researcher Chris Vickery, who used a server-searching tool called Shodan to identify a number of unsecured, publicly accessible databases using the software called MongoDB.

BeautifulPeople said its breached database was a “test server” using MongoDB, telling Forbes the server was “immediately shut down”:

We can confirm we were notified of a breach on December 24th of 2015 of one of our MongoDB test servers. This was a staging server and not part of our production data base. The staging server was immediately shut down.

Unfortunately, it now seems that the test server contained real user data.

And, until last year, the default settings on MongoDB’s database software required “no authentication at all”, according to Wired.

Someone with criminal intent discovered and raided BeautifulPeople’s database, and was trading the data on dark web cybercrime forums, according to security researcher Troy Hunt.

Hunt, whose website allows people to search a huge database of email addresses stolen in data breaches to find out if they were affected, told me that he received the BeautifulPeople data from someone who noticed the data “circulating in underground forums.”

This kind of data isn’t worth much to cybercriminals – databases containing millions of accounts stolen from adult and dating websites have been offered for sale on cybercrime forums at prices as low as $300 for the lot – but keeping this private information secure is nevertheless important.

What to do?

Our recommendations:

  • Even if it’s a test server, and the software allows it, don’t configure databases with no authentication. Your production server won’t be set up that way, so why test in a configuration you aren’t planning to use in real life?
  • If it’s a test server with real data, treat it as a production server.
  • If it’s a test server that’s directly connected to the internet with real data, it is a production server.

All data is beautiful in the eyes of a cybercrook.

That’s the ugly truth.

Image of broken hearts courtesy of