A security lapse at JCrush, a dating app designed for the Jewish community, left a database open with no password, exposing sensitive user records and private messages to anyone who knew where to look.
The site’s backend database held around 200,000 user records, according to security researchers Noam Rotem and Ran Locar, who shared their findings exclusively with TechCrunch and wrote up their findings at vpnMentor.
None of the data was encrypted, the researchers told TechCrunch.
We obtained a sample of the data to verify. From what we saw, the records contained the user’s name, gender, email address, IP address, geolocation as well as their city, state and country, date of birth, their sexual preferences, their religious denomination, and the photos they use on JCrush.
Depending on how the user signed up, the records also show the user’s Facebook ID, which points directly to their Facebook profile. It also includes the access token, which can be used to take over a JCrush user’s account without needing their password.
In some cases, the geolocation data was so accurate it was easy to determine exactly where some users lived — particularly in residential neighborhoods.
The database also contained private messages — many were explicit and graphic.
Though the researchers didn’t dig into the data — mindful of the privacy implications — they found records relating to “incognito” accounts, which allow users to pay to browse the site anonymously.
The app’s founder Natasha Nova did not respond to a request for comment. An unnamed spokesperson for JCrush’s parent company Northsight Capital said it was “conscious” of the situation and “secured the database instantly when the issue occurred.”
“There have not been any indications that the information had been accessed by malicious parties or misused in any way,” said the company. When asked, the company did not say what evidence it had for its claim, but noted that the company plans to notify its users and authorities of the incident.
It’s the latest in a series of data exposures at dating apps, or companies that tout anonymity and privacy.
Last year, a dating app for conservative supporters — Donald Daters — admitted a database leak on its first day of operations. Only about 1,600 users had their information exposed. In May, a popular Chinese dating app for gay and queer women, Rena, which had more than 5 million users, left its database open and exposed.