A dating app for HIV-positive singles was recently informed that it was leaking highly sensitive information, leading to an extraordinary response from the site owners.
Researcher Chris Vickery discovered that nearly 5,000 Hzone user accounts were exposed, revealing each user's date of birth, relationship status, email address, sexual orientation, number of children, username and password hash.
Sexual experiences, nicknames, photos and highly sensitive messages posted by users are also stored in the database, while those with premium accounts also provide name, address, phone number and credit card info.
“In other words, it’s a leak that could lead to identity theft, extortion demands, or embarrassment,” wrote Databreaches.net, whom Vickery contacted to share his story.
When it came five days later, the response from the app’s owners was bizarre to say the least:
“Why do you want to do this? What’s your purpose? We are just a business for HIV people. If you want money from us, I believe you will be disappointed. And, I believe your illegal and stupid behavior will be notified by our HIV users and you and your concerns will be revenged by all of us. I suppose you and your family members don’t want to get HIV from us? If you do, go ahead.”
The issue, which lay with the MongoDB database housing customer data, was finally addressed on Sunday.
However, Hzone appears not to know how many people may have accessed the data in the fortnight or longer it was exposed, and when asked if it would notify its customers, replied with the following:
“No, we didn’t notify them. If you will not publish them out, nobody else would do that, right? And I believe you will not publish them out, right?”
What’s more, the report reveals that the site doesn’t allow users to delete their profiles.
“If you know someone who might be using Hzone, you might want to point them to this post,” warned Databreaches.net.
“While anyone can have a leak or breach, Hzone’s failure to timely respond to notification, the lack of encryption for stored sensitive data, and their refusal to delete profiles when they have inadequate incident response are truly concerning.”
SOURCE: Phil Muncaster