Last week, while on vacation, I received a Valentine’s Day email. It was from a dating app I had downloaded for work when I interviewed Dr Mike, Coffee Meets Bagel (CMB).
The email didn’t offer to match me up with anyone—it informed me that my data “may have been acquired by an unauthorised party”.
The email went on to say that the unauthorised party had gained access to “a partial list of user details”, including names and email addresses prior to May 2018.
But I wasn’t the only one affected. More than six million CMB users, including other Singaporeans, had their data hacked and put on sale on the dark web for 0.13 Bitcoin, or about $600. (Is that why my Netflix account was hacked last week?!)
CMB, a mobile dating app company based in San Francisco in the US state of California, was launched in April 2012.
It is popular in Singapore, with CMB previously claiming it had made 1.6 million matches, with 28 million messages sent by users here in 2017.
Users are matched based on their interests and can contact each other only on the app after “liking” each other’s profiles.
In 2016, CMB claimed that 100,000 users became couples via the app, and that 60 per cent of users were female.
Technology news site The Register reported that 673MB of data from 6,174,513 CMB accounts is being hawked online.
It is not known how many of them were from Singapore.
CMB said it learnt of the incident on Monday and apologised for any inconvenience.
“We recommend you take extra caution against any unsolicited communications that ask you for personal data or refer you to a web page asking for personal data,” CMB added.
“We also recommend avoiding clicking on links or downloading attachments from suspicious e-mails.”
CMB said that it had taken action by engaging forensic security experts to conduct a review, and it is auditing and reviewing its vendor and external systems.
Users in Singapore who received the e-mail told The New Paper the breach is likely to adversely affect only those with something to hide.
A communications executive who wanted to be known only as Miss Luo, 24, said: “It was quite surprising to receive the e-mail, but I think it will affect only those who have something to hide or if the breach involved more personal information like photos or occupation.”
Another user, who wanted to be known only as Mr Sng, 26, said: “In today’s dating culture, using social apps is no longer a stigma, or at least it shouldn’t be. It is a way to connect with people using technology.”
The CMB data was part of a much larger collection being hawked on the dark web by a single seller, who boasted of having a stolen data haul of some 617 million accounts from several platforms.
They included video messaging app Dubsmash and photography networking app 500px.
Mr Tom Kellermann, chief cyber security officer of US cyber security firm Carbon Black, told TNP that mobile apps such as CMB possess “a slew of personal data and information” that can be sold in underground markets or held for ransom.
“Attackers follow the money and follow the data,” he said.
“Mobile operating system creation and app development must make cyber security a top priority, and consumers should be sure to always patch their devices and update to the latest software.”
In August 2015, hackers leaked the account details of some 30 million users on Canada-based infidelity website Ashley Madison.
Several suicides were reportedly linked to the breach, including that of an American pastor.
Avid Life Media, its parent company, later agreed to settle two dozen lawsuits stemming from the breach for more than $15 million.
Lawyer Ravinderpal Singh of Kalco Law told TNP that those affected could take legal action against CMB if it has representation in Singapore, such as an office.
He said: “Such an incident may amount to a breach in Singapore, and so those affected can engage lawyers to file a civil suit.”
But he noted that complications may arise.
“The person suing will have to show loss or damage, such as being fired or adversely affected as a result of the leak, so it might be impractical,” he said.
“The person will be in the public eye, and that may be more damaging than the leak itself.”
Text: David Sun / The New Paper / February 2019
Additional text: Hidayah Idris