Singaporeans hit by dating app leak, data of 6 million users for sale on dark web

PHOTO: Pixabay

Millions of people looking for love received a rude Valentine's Day gift yesterday in the form of an e-mail from Coffee Meets Bagel (CMB).

The users of the popular dating platform were informed that their account data may have been stolen by an "unauthorised party".

The data, which includes names and e-mail addresses of more than six million CMB users, has been put on sale on the dark web for 0.13 Bitcoin, or about $600.

CMB, a mobile dating app company based in San Francisco in the US state of California, was launched in April 2012.

It is popular in Singapore, with CMB previously claiming it had made 1.6 million matches, with 28 million messages sent by users here in 2017.

Users are matched based on their interests and can contact each other only on the app after "liking" each other's profiles.

Users of Coffee Meets Bagel were informed that their account data may have been stolen by an "unauthorised party".Photo: Coffee Meets Bagel 

In 2016, CMB claimed that 100,000 users became couples via the app, and that 60 per cent of users were female.

In its e-mail to users yesterday, CMB said the stolen data was from before May 2018.

Technology news site The Register reported that 673MB of data from 6,174,513 CMB accounts is being hawked online.

It is not known how many of them were from Singapore.

CMB said it learnt of the incident on Monday and apologised for any inconvenience.

"We recommend you take extra caution against any unsolicited communications that ask you for personal data or refer you to a web page asking for personal data," CMB added.

"We also recommend avoiding clicking on links or downloading attachments from suspicious e-mails."

CMB said that it had taken action by engaging forensic security experts to conduct a review, and it is auditing and reviewing its vendor and external systems.

Users in Singapore who received the e-mail told The New Paper the breach is likely to adversely affect only those with something to hide.

A communications executive who wanted to be known only as Miss Luo, 24, said: "It was quite surprising to receive the e-mail, but I think it will affect only those who have something to hide or if the breach involved more personal information like photos or occupation."


Another user, who wanted to be known only as Mr Sng, 26, said: "In today's dating culture, using social apps is no longer a stigma, or at least it shouldn't be. It is a way to connect with people using technology."

The CMB data was part of a much larger collection being hawked on the dark web by a single seller, who boasted of having a stolen data haul of some 617 million accounts from several platforms.

They included video messaging app Dubsmash and photography networking app 500px.

Mr Tom Kellermann, chief cyber security officer of US cyber security firm Carbon Black, told TNP that mobile apps such as CMB possess "a slew of personal data and information" that can be sold in underground markets or held for ransom.

"Attackers follow the money and follow the data," he said.

"Mobile operating system creation and app development must make cyber security a top priority, and consumers should be sure to always patch their devices and update to the latest software."

In August 2015, hackers leaked the account details of some 30 million users on Canada-based infidelity website Ashley Madison.

Several suicides were reportedly linked to the breach, including that of an American pastor.

Avid Life Media, its parent company, later agreed to settle two dozen lawsuits stemming from the breach for more than $15 million.

Lawyer Ravinderpal Singh of Kalco Law told TNP that those affected could take legal action against CMB if it has representation in Singapore, such as an office.

He said: "Such an incident may amount to a breach in Singapore, and so those affected can engage lawyers to file a civil suit."

But he noted that complications may arise.

"The person suing will have to show loss or damage, such as being fired or adversely affected as a result of the leak, so it might be impractical," he said.

"The person will be in the public eye, and that may be more damaging than the leak itself."

This article was first published in The New Paper. Permission required for reproduction.