Popular dating app Coffee Meets Bagel has sent its users an email notifying them that their data may have been “acquired by an unauthorized party.”
The news comes days after a massive database containing the information of around 6.2 million Coffee Meets Bagel users showed up on the Dark Web. Users received notice of the breach (ironically) on Feb. 14, in an email which was shared with Threatpost.
Coffee Meets Bagel is a popular San Francisco–based dating and social networking website. The app looks at each user’s Facebook account to help pick out potential matches for them.
“With online dating, people need to feel safe. If they don’t feel safe, they won’t share themselves authentically or make meaningful connections. We take that responsibility seriously, so we informed our community as soon as possible—regardless of what calendar date it fell on—about what happened and what we are doing about it,” a Coffee Meets Bagel spokesperson told Threatpost.
In the notification, Coffee Meets Bagel said that the dating app learned of the breach on Feb. 11. Names and email addresses that were added to the system prior to May 2018 were impacted.
“On February 11, 2019, we learned that an unauthorized party gained access to a partial list of user details. Once we became aware, we quickly took steps to determine the nature and scope of the problem,” the notification reads.
The database containing millions of records appeared and was on sale from Monday on the Dark Web, as part of a larger sale of 617 million online account details stolen from 16 hacked websites, according to the Register. Other victim websites included Dubsmash, Armor Games, 500px, Whitepages and ShareThis, among others.
According to that report, all 6,174,513 accounts were for sale for 0.13 BTC, or $468. That includes data siphoned between late 2017 and mid-2018, including full names, email addresses, age, registration date and gender.
Coffee Meets Bagel confirmed to Threatpost that its breach is indeed linked to the database found on the Dark Web, and that up to 6 million users were impacted.
Coffee Meets Bagel said in the notification that it doesn’t store any financial information or passwords. It also said that it has engaged forensic security experts to conduct a review of its systems and architecture.
“As always, we recommend you take extra caution against any unsolicited communications that ask you for personal data or refer you to a web page asking for personal data,” the notification reads. “We also recommend avoiding clicking on links or downloading attachments from suspicious emails.”
As of this writing, there is no notice of the data breach on Coffee Meets Bagel’s website.
Valentine’s Day Woes
This Valentine’s Day, the security space has seen a week riddled with scams and vulnerabilities targeting people flocking to dating sites. Most concerningly, a critical flaw in the OkCupid app was been disclosed on Thursday that could allow a bad actor to steal credentials, launch man-in-the-middle attacks or completely compromise the victim’s application.
Earlier this week in a separate incident, OKCupid denied a data breach after reports surfaced of users complaining that their accounts were hacked.
And, in a new advisory published on Tuesday, the Federal Trade Commission warned that reports of internet romance scams are rising as cyber criminals gain the confidence of their victims and trick them into sending money. In fact, last year, people reported losing $143 million to romance scams – a higher total than for any other type of scam reported, according to the FTC.
“These types of scams will not be disappearing anytime soon. Certain times of the year, Valentine’s Day included, bring out both the best and the worst in us,” said Anupam Sahai, vice president of product management at Cavirin, via email. “Given the emotions, it is no surprise that romance scam losses, averaging $2600 each, are 7x greater than most other frauds. There are many websites with recommended best practices. Follow them! And if you have susceptible friends or family, lend them a hand.”