The personal details of 3,688,060 users registered on the MobiFriends dating app were posted online earlier this year and are now available for download on numerous online forums.
ZDNet reports the data was obtained in a security breach that took place in January 2019, according to a hacker who initially put the data up for sale on a hacking forum.
According to ZDNet, the data does not contain any private messages, images, or sexual-related content, but does include sensitive details, such as passwords, email addresses, mobile numbers, dates of birth, gender information, usernames, and app/website activity.
Risk Based Security (RBS), the US cybersecurity company that first spotted the data online last month, told ZDNet that they verified the validity of the data against the official MobiFriends website. "Moreover, the data leak contains professional email addresses related to well-known entities including: American International Group (AIG), Experian, Walmart, Virgin Media, and a number of other F1000 companies," RBS said.
Fausto Oliveira, Principal Security Architect at Acceptto, says that in this day and age, passwords have become a thing of the past. "There isn't any technical obstacle that would prevent us from moving from a username/password combination to a more secure passwordless multi-factor authentication (MFA). Honestly, passwords should not be used anymore, period," Oliveira notes. "The fact that threat actors were able to access the data in the first place, and went undetected until the data appeared on the Internet, raises questions about how strong the security controls were that protected that data. Now that the data has gone to the public domain, those affected users have their information in the possession of multiple threat actors that presumably are going to use that data to perform password spraying attacks."
Isabelle Dumont, Vice President of Market Engagement at Cowbell Cyber, adds that until they have experienced a breach, "businesses underestimate recovery expenses, starting with the mandatory notification of the millions of users impacted. This is why cyber insurance, as a financial loss and expenses mitigation solution, is a must-have next to cybersecurity tools."
Terence Jackson, Chief Information Security Officer at Thycotic, notes that the MobiFriends data breach just reinforces that consumers need to utilize password managers to generate unique passwords for each site or service they access online. "Hackers thrive on leaked or stolen credentials and password reuse to gain access to more personal data. The incident can also be used to reinforce security awareness training for employees and acceptable use of the corporate email addresses."