Hack Brief: Site For ‘Beautiful’ People Suffers Ugly Million-Member Breach
BeautifulPeople.com, you may remember, is a dating site that allows members to vote on hopeful enlistees based on their looks, ensuring that people who belong meet certain standards of both attractiveness and shallowness. It bills itself as “a dating site where existing members hold the key to the door.” Turns out, the site maybe should have put them in charge of server security, as well. The personal data of 1.1 million members is currently for sale on the black market, after hackers took it from an insecure database.
Last December, security researcher Chris Vickery made a curious discovery while browsing through Shodan, a search engine that indexes internet-connected devices. Specifically, he was searching for hosts exposing MongoDB's default port (27017). MongoDB, a popular database-management system, shipped until a recent update with authentication disabled by default, so anyone who set up a server without enabling access control and adding a password left it open to anyone just passing through.
“A database came up called, I believe, Beautiful People. I looked in it, and it had several sub-databases. One of those was called Beautiful People, and then it had an accounts table that had 1.2 million entries in it,” says Vickery. “When that type of thing comes up and it’s called ‘Users,’ you know you’ve hit something interesting that shouldn’t be available.”
Vickery informed Beautiful People that its database was exposed, and the site quickly moved to secure it. Apparently, though, it didn’t move quickly enough; at some point, the dataset was acquired by an unknown party, which is now selling it on the black market.
For its part, Beautiful People has attempted to explain away the breach by saying it only affected a “test server,” as opposed to one in use for production, but that’s a meaningless distinction, says Vickery.
“It makes no effing difference in the world,” says Vickery. “If it’s real data that’s in a test server, then it might as well be a production server.”
If you were a Beautiful People member before last Christmas (the exposure was closed on Dec. 24), your data may well be in the stolen set. You can check for sure at HaveIBeenPwned, a site operated by security researcher Troy Hunt.
How Serious Is This?
In terms of scale, it's nowhere near as bad as last year's 39-million-member Ashley Madison hack. The information that leaked also isn't quite as devastating as being outed as an active adulterer, and Beautiful People says no passwords or financial data were exposed.
Still, as you might imagine, a dating site knows a whole lot about you that you might not want broadcast to the world. Forbes, which first reported the breach, notes that the data includes physical attributes, email addresses, phone numbers, and salary information, over "100 individual data attributes" in all, according to Hunt, not to mention millions of personal messages exchanged between members.
Even more serious, perhaps, is the issue of database security at large. Until MongoDB improved security with version 3.0 last spring, says Vickery, its default was to ship its software with no credentials required at all.
That’s not ideal, but the onus is still on companies like Beautiful People to put in the effort to lock down the sensitive information with which they’re entrusted. Especially since it’s so easy to do so.
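As an added illustration of how little that lock-down takes (this is not code from the article, from Vickery, or from MongoDB), the fragment below places the exposed posture the article describes next to a hardened one and audits a `mongod.conf` for the two settings that matter: whether authentication is enforced and which interfaces the server listens on. Both configuration samples are constructed for this example, and the tiny parser only understands mongod.conf's flat section/key layout, not general YAML.

```python
"""Audit a mongod.conf for the two settings behind exposures like the one
above: authentication left disabled, and the server bound to every interface.
Added example; the two configs below are constructed, not taken from any site."""
import re

# Constructed: roughly the out-of-the-box posture of an older mongod.
# No security section at all, and a listener on every interface.
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed: the same server with access control enforced and bound to
# loopback only, so a remote caller needs both a route in and a credential.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def _setting(conf, section, key):
    """Return the value of `section.key` from a two-level YAML fragment, or
    None if absent. Deliberately minimal: it handles mongod.conf's
    'section:' / '  key: value' layout and nothing more."""
    current = None
    for line in conf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        top = re.match(r"^(\w+):\s*$", line)
        if top:
            current = top.group(1)
            continue
        kv = re.match(r"^\s+(\w+):\s*(.+?)\s*$", line)
        if kv and current == section and kv.group(1) == key:
            return kv.group(2).strip("\"'")
    return None


def audit_mongod_conf(conf):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []

    # security.authorization must be the literal 'enabled'; anything else
    # (absent, 'disabled') lets any client that reaches the port read every DB.
    if _setting(conf, "security", "authorization") != "enabled":
        findings.append("security.authorization is not 'enabled': "
                        "any client that can reach the port can read every database")

    # Before MongoDB 3.6 an unset bindIp meant 'all interfaces', so an
    # absent value is flagged conservatively alongside explicit wildcards.
    bind_all = (_setting(conf, "net", "bindIpAll") or "").lower() == "true"
    bind_ip = _setting(conf, "net", "bindIp")
    ips = [ip.strip() for ip in bind_ip.split(",")] if bind_ip else []
    if bind_all or not ips or "0.0.0.0" in ips or "::" in ips:
        findings.append("net.bindIp binds every interface (or is unset): "
                        "the listener is internet-reachable if the host is")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["ok"])
```

Enforcing `security.authorization: enabled` only helps once an administrative user exists, so in practice the order is: create the admin user, then flip the setting and restart; binding to loopback (or a private interface) is the belt to that braces, and is the part that would have kept this particular server out of Shodan's index regardless of the rest.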
“A trained monkey could have protected [this database],” says Vickery. “That’s how easy it is to protect. It’s an incredible oversight, it’s massive negligence, but it happens more often than you think.”
Whatever you may think of a site like Beautiful People, the insecurities that prop it up shouldn’t extend to its stash of sensitive data.