A data breach alert is not the message singles want to hear on Valentine's Day, but that's what dating site CoffeeMeetsBagel sent to millions of its users on Thursday, in a message warning that their account details were part of a massive cache being sold on an underground forum.
The awkwardly timed notification informed users on Valentine’s Day that select account information had been stolen by hackers.
CoffeeMeetsBagel’s breach surfaced as one of 16 hacked websites whose user accounts were being sold on the dark web.
CoffeeMeetsBagel’s account database made up around 10 percent of some 617 million user accounts for sale, as reported by The Register earlier this week.
The US-based dating site launched in Sydney and Melbourne in 2015. Australia was the second market outside the US in which it launched, following its opening in Hong Kong.
The company refused to let Valentine's Day stand in the way of its disclosure to users about a breach it learned of on February 11, involving data that was stolen between late 2017 and mid-2018.
“With online dating, people need to feel safe. If they don't feel safe, they won't share themselves authentically or make meaningful connections. We take that responsibility seriously, so we informed our community as soon as possible—regardless of what calendar date it fell on—about what happened and what we are doing about it,” a CoffeeMeetsBagel spokesperson said in a statement to CSO Australia.
The spokesperson confirmed that Australian users are affected, but declined to say how many. The CoffeeMeetsBagel database for sale is 673MB in size and includes account details on 6.1 million users.
Other firms whose account databases were being sold online by the same vendor included Dubsmash, MyFitnessPal, MyHeritage, ShareThis, HauteLook, Animoto, EyeEm, 8fit, Whitepages, Fotolog, 500px, Armor Games, BookMae, Artsy, and DataCamp. The entire account dump was available for about $20,000 in Bitcoin, but each firm’s breached accounts were available separately for less.
CoffeeMeetsBagel told users in a breach notification email today that only names and email addresses prior to May 2018 were exposed.
It also informed users it had hired forensic security experts to review its systems and infrastructure, and said that vendor and external systems are being audited for compliance issues or third-party breaches. The company was continuing to make enhancements to detect and prevent unauthorized access to user information, it said.
It’s not known how the hackers accessed CoffeeMeetsBagel’s user account details, nor how they accessed user accounts from other companies whose information was being sold in the same bundle.
500px, a Canada-based image-sharing site for photographers, had 1.5GB of data taken in July 2018. Nearly 15 million accounts were exposed.