Dating app user logins found on hacking forum

A hacker has put up for sale the dates of birth, genders, website activity, mobile numbers, usernames, email addresses and MD5-hashed passwords for 3.68 million users of the Mobifriends dating app

The threat actor “DonJuji” was the first to post the hacked logins—for sale. Then, another threat actor posted them on the same popular dark web hackers forum, but this time, they were offered for free.

Based in Barcelona, Mobifriends is an online service and Android app designed to help users worldwide meet new people online. As of Monday, Mobifriends hadn’t yet provided a comment on the stolen user data.

The trove of personal details was discovered by the Data Breach Research team at the vulnerability intelligence firm Risk Based Security (RBS). RBS said that as of Thursday, the records were still up for grabs, now offered at the Low! Low! price of $0:

The leaked data sets are currently available in a non-restricted manner despite being originally offered for sale.

RBS says that DonJuji originally posted the data for sale on a prominent deep web hacking forum on 12 January. DonJuji apparently wasn’t the one who stole them, however: the threat actor reportedly attributed the theft to a January 2019 breach. The data was later posted in the same forum for free by another threat actor on 12 April.

The posted data sets have a total of 3,688,060 records, though after removing duplicates, the researchers were left with 3,513,073 unique credentials. RBS says the records appear to be valid.

The passwords were hashed, but given the specifics, that’s not very reassuring. Namely, they were hashed with the vulnerability-vexxed MD5 hashing function.

Here’s RBS:

The MD5 encryption algorithm is known to be less robust than other modern alternatives, potentially allowing the encrypted passwords to be decrypted into plaintext.

If RBS’s findings prove accurate, Mobifriends won’t find itself alone in the “bad encryption choice!” category. Hackers themselves have reportedly secured their databases with MD5, leading to headlines like one from last month about a hackers forum getting hacked … and then jeered at for using MD5.

Given the reported use of MD5, Mobifriends users could well be in danger of having their passwords exposed and their accounts taken over.

The breach should be particularly worrisome for businesses, given that there were professional email addresses among the breached data sets, including those from the companies American International Group (AIG), Experian, Walmart, Virgin Media, and a number of other Fortune 1000 companies.

This breach puts all of those companies at risk of being targeted in business email compromise (BEC) attacks, when an attacker targets an employee who has access to company funds and convinces the victim to transfer money into a bank account that the attacker controls.

What to do?

Mobifriends users would be well-advised to change their passwords. Also, if the app has the option of using two-factor authentication (2FA), we’d recommend turning it on. That way, even if your password has fallen into the hands of hackers who’ve turned it into plain text, they’ll find it a lot tougher to take over your account.

If you’ve used a business email account to register for a Mobifriends account, you should alert your company’s security staff that your credentials might be at risk of being used in a BEC scam or that your account could be hijacked. For advice on how to protect against BEC attacks, please do check out our writeup of one such recent attack, in which a Florida city fell for the hook and wound up paying $742K to fraudsters who posed as a construction company working on an airport.

Don’t be that company. Searching online for friends or dates is fraught as it is. It shouldn’t also put your business at risk! If I were your security boss, I’d ask all employees to please, please keep their professional email addresses out of dating apps.


Latest Naked Security podcast

LISTEN NOW

Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.