845GB of racy dating app records exposed to entire internet via leaky AWS buckets
Robbie Harb reports:
Hundreds of thousands of sensitive dating app profiles – including images of “a graphic, sexual nature” – were exposed online for anyone stumbling across them to download.
Word of the uncontrolled emission burst forth from vpnMentor this week, which claims it found a misconfigured AWS S3 bucket containing 845GB of private dating app records.
Read more on The Register.
I had somewhat hoped that all these leak reports would have jumped the shark already. But now I realize that we may see even more of these if consumers start trying to sue companies under California’s CCPA, claiming that the entities did not comply with California’s law about security of data. When you have what are socially more sensitive data, like Herpes status, etc., then under CCPA, there should probably be heightened data security, correct? Or at least that’s what I expect consumers will argue when they start to file potential class action lawsuits under CCPA.
Stay tuned, I guess.
Update: See this statement by CasualX claiming that vpnMentor made a number of false statements in its report. I guess we’ll now have to wait to see how vpnMentor responds.
Update 2: It appears that all that vpnMentor did was add a line at the end of their original report that says:
Editor’s Note: An earlier version of this report listed Casualx, linked back to the suspected website for the app. However, As we cannot confirm the connection between the Casualx and the listed website directly, we have removed the link. Additionally, the original text contained a typo, listing Cougary, rather than CougarD, as one of the apps involved in the data breach.
They may have removed the link, but they didn’t remove CasualX’s name, which still leaves the company listed as being connected to the leak somehow. Specifically, their report still mentions CasualX and shows:
The misconfigured AWS account contained data belonging to a wide selection of niche and fetish dating apps.
So they are still claiming that some of the data belonged to CasualX.
I wonder if vpnMentor is going to issue an actual correction and apology at some point. Did vpnMentor ever reach out to CasualX before they first published their report to ask them to confirm or deny? It sounds like they (only) reached out to a developer:
As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. We reached out to the developers, not only to let them know about the vulnerability but also to suggest ways in which they could make their system secure.
But according to CasualX, the developer vpnMentor identified is not their developer. So basically, vpnMentor never reached out to CasualX or they might have been told that they were wrong in their claims?
It will be interesting to see if CasualX is satisfied with vpnMentor’s response or if they will threaten litigation for still leaving their name connected to the report.
Update3: I asked CasualX if they were satisfied with vpnMentor’s response. A spokesperson sent the following response:
We contacted vpnMentor to tell them that they made a mistake. They revised their report after getting our email. However, they still find some private photos containing our trademark “Casualx” in the photo file name.
In the past 2 years, there were many apps using our name “Casualx” in apple appstore from time to time. We reported all of them to Apple and Apple removed them. We assume that the developer of those apps in vpnMentor’s list once uploaded an app by using our app name “Casualx”. They still store the users’ data of their fake “Casualx” app in their AWS account. That might be the reason why vpnMentor thought our app (the real Casualx) was developed by that developer as well.
We have sent an email to the developer in the hope of finding out why they used Casualx in their AWS account. Before we find out what happened, we will not request an apology from vpnMentor.
That sounds pretty understanding and forgiving on their part.