Folks looking for love on dating app Coffee Meets Bagel (CMB) might match with people worse than a bad date – scammers, after a reported massive data breach.
Although it made the announcement on Valentine's Day, the company revealed that it had discovered the breach on Feb 11, disclosing that an unauthorised party gained access to a partial list of user details, including names and email addresses.
While it didn’t reveal the number of users who were affected by the breach, it stated that users who registered on the app before May 2018 had their names and email addresses leaked.
"We would like to make sure you have the facts about what happened, what information was involved, and the steps we are taking to help protect you," CMB said in a statement.
It assures users that financial information and passwords are never stored on the app and that measures are being taken to determine the nature and scope of the problem.
Among them are engaging forensic security experts to review its systems and infrastructure, auditing vendor and external systems for any compliance issues or third-party breaches, monitoring for suspicious activity, coordinating with law enforcement authorities, and enhancing its systems to detect and prevent unauthorised access to user information.
CMB urges users to take extra caution against unsolicited messages asking for personal data and to avoid clicking on links or downloading attachments from suspicious emails.
"The security of your information is important to us, and we apologise for any inconvenience this may have caused you," it says.
The leak is part of a larger data breach of 617 million account details stolen from 16 apps including Dubsmash, MyFitnessPal, MyHeritage and more.
The Register reports that the data is being sold on the dark web for less than US$20,000 (RM81,610) in Bitcoin.
A test by the site suggests the data is legitimate, consisting mainly of account holder names, email addresses, and passwords.
The report further states that the passwords are hashed and must therefore be cracked before they can be used. It adds that, depending on the hacked app, some additional information might be available, such as user location and social media authentication tokens, though no payment or banking details appear to be available at the moment.