With three high profile hacks within one year, are dating sites worth the risk?
Questions over the safety of online dating hacks may once have referred to not knowing the real identity of the person (or people) you are chatting to and personal safety, more recently attention has turned to the safety of users’ data.
The Ashley Madison attack in July 2015 revealed the sensitive data of 37 million people. Not only were their names, addresses and credit card details revealed to the world, but also the fact that these individuals were breaking social taboos by actively seeking to have an affair.
There were some who felt that Ashley Madison’s subscribers got what they deserved for seeking to cheat on their spouses and partners. Indeed, that seems to have been at least part of the motivation behind the hack, along with the CTO’s proclamation that the company’s “Full Delete” service completely erased all the data.
Earlier that year, hook-up site Adult Friend Finder was also hacked, with the personal details of nearly four million users leaked, including their IP addresses and dates of birth.
More recently, subscribers to elite dating site BeautifulPeople, which only allows people who are perceived to be highly attractive to subscribe, also had their details leaked online, including their income, address, relationship status and virtually every biometric data point imaginable, including weight, eye colour and hair colour.
While the site has been criticised for removing people for perceivedly being too old or not good looking enough, no one has come forward with a reason for why they hacked to site.
So what is the motivation for these hacks? And are those who use specialist sites – be they for ‘elite’ groups, people looking for an affair, or anything else – more at risk than those who use “vanilla” dating services?
“Dating sites contain a very high level of personal information, which can be very valuable in the wrong hands and quite embarrassing and damaging for those involved,” Rob Norris, director of enterprise and cybersecurity for EMEIA at Fujitsu, told IT Pro.
This goes beyond what is normally considered personal information in other hacks, such as full names, addresses and financial details, to also include sexual preferences and, in the case of BeautifulPeople, private messages between subscribers.
It is this kind of additional information that makes these kinds of attacks so serious and introduces a unique set of repercussions.
“The Ashley Madison hack has illustrated the value of the data stored on these websites, and also the high potential for everything from blackmail to causing trouble for the sake of it,” Jovi Umawing, malware intelligence analyst at Malwarebytes, said.
“As we’ve seen with reports of suicide related to the Ashley Madison hack, the consequences can be devastating,” Umawing added.
Are dating sites, specialist or not, necessarily targeted more frequently than other sites, though? According to David Emm, principal security researcher as Kaspersky Lab, the answer is not necessarily.
While they are a data-rich target for cyber criminals, they are also a salacious one for the media to report on.
“By their nature, dating sites certainly draw a lot of media interest – whether they are launching a new feature or have suffered a cyber attack,” said Emm.
Even within the field of dating sites, there is a hierarchy of what will generate the most coverage.
“Ashley Madison was given a lot of attention simply because of its members intentions,” said Emm.
Norris agreed. “[Hacks] can and will happen to ‘normal sites’, but without an angle like BeautifulPeople or people having affairs, it is a less newsworthy story,” he said.
Perhaps unlike other website categories, though, for dating sites the user can do little to protect themselves, with everything resting in the hands of the provider.
“Site users are at a disadvantage here, because anybody filling in dating sites with fake information is not likely to be very successful in meeting a potential match,” said Malwarebytes’ Umawing, whose view is backed up by Kaspersky’s Emm.
“There is very little customers can do to affect the security of the online providers’ infrastructure,” he said.
What does that mean, then, for dating sites?
IT Pro contacted dating site Elite Singles to find out how it is protecting its users and whether online dating is safe.
“What happened in [the case of BeautifulPeople was, it appears, a preventable lack of database protection,” a spokesperson told IT Pro.
“In terms of overall safety of online dating websites, the risk is similar to using many online services. Naturally, no IT system can be 100 per cent secure. However, we employ a number of methods to ensure a very high level of data security.
“For example, our servers have extremely effective firewalls and our database is protected against access from outside of our network and accessible only via encrypted keys,” the spokesperson added.
But users are not completely at the mercy of dating service providers.
Returning to the old advice that people should be cautious with online dating, and citing the many false profiles revealed through the Ashley Madison hack, Emm advised: “It’s … vital not to trust people online automatically. There’s no way to identify someone’s true appearance or motives through the messages they’re exchanging with you.”
He added: “Linking your Facebook or Instagram profile with an online dating app can be problematic, especially in the hands of burglars or fraudsters. If you happen to ‘match’ with someone with ill intent, they’re able to gain access to your social media pages, which are more likely to include addresses, pictures and more personal information.”