Posted on April 15, 2021 at 4:56 PM
Popular gay dating site Manhunt was breached earlier this year, with details of thousands of users stolen. The dating platform filed a document recently with Washington’s attorney general’s office to acknowledge the breach.
A representative of Manhunt informed the attorney that the hacking incident affected about 7,700 Washington residents.
The representative, Stacey Brandenburg, stated that the site discovered the breach on March 2, 2021, after the threat actors accessed “the database that stored account credentials of Manhunt users.”
Usernames and passwords exposed
According to the note, the details affected in the breach include their email addresses, usernames, and passwords. The site noted that upon discovering the attack, it took immediate steps to secure the systems against further damage. These include informing users about the attack and force-resetting the passwords for the affected accounts.
The site started sending notifications to users two weeks after the attack. It also informed them there is no evidence that messages or pictures were acquired by the threat actors.
Also, the incident did not lead to exposure to credit cards. It’s not clear how the passwords were scrambled that kept them secure from hackers. However, weak passwords that are scrambled can be decoded into plain text, which will give threat actors access to the accounts.
Manhunt claims to have over 6 million members. But there are unanswered questions about the way and manner it handled the threat.
In March when the breach has not been made public, the company tweeted that all users of the platform are expected to update their passwords to make sure it needs the new password update requirements.
The site didn’t say that user accounts have been hacked at the time.
The company was established by Online-Buddies Inc in 2001, which also owned gay dating app Jack’s before it was acquired by Perry Street in 2019. But shortly before the acquisition, a security vulnerability within the app led to the exposure of users’ location data and private photos.
Sensitive nature of stolen data
Dating sites store very sensitive information from their users. The privacy and sensitivity of the information make these sites one of the most targeted by cybercriminals.
Several of them have already become victims of a security breach in the past. Popular dating site Ashley Madison was hacked in 2015 with sensitive data of thousands of users stolen. The site encourages people to have an affair and has records of most of its users. When it was breached, names, emails, and postal addresses of users were exposed.
Several people even committed suicide when their details and photos from the site were exposed online. The next year, it was the turn of AdultFriendFinder when it was hacked, compromising 400 million user accounts. The incident was one of the highest breaches on dating sites.
Then in 2019, Grindr, a same-sex dating app, connived with data analysis firms to share users’ HIV status.
Poor security practice
In these cases, poor security practice has been the major factor why the threat actors were able to breach users’ details.
In 2019, the popular gay dating app Rela left its server unprotected, which allowed anyone to have access to sensitive data. These details contain sensitive information, including geolocation and sexual orientation. Over 5 million users of the app were affected and some of their details were flooded online.
Most hackers are always pouncing on the slightest opportunities to reap apart a website or a company’s portal. When they eventually succeed, the data can be put to different uses. Sometimes, they are used to further enhance their phishing attacks. But in most cases, some of the more sultry details are preserved and used to collect ransomware from their victims.
Those who could not pay are punished by releasing their details in the public.