BeautifulPeople.com Leak Exposes 1.1M Extremely Private Records

Use Netsparker


So another data breach, and no surprise here, but another dating site. This time the BeautifulPeople.com Leak has exposed 1.1 million customer records, including 15 million private messages sent between users.

Not so private now is it.

BeautifulPeople.com Leak Exposes 1.1M Extremely Private Records

And no surprise either the entry point for this leak, was the not-so excellent NoSQL database MongoDB which has amazing passwordless defaults and listens on ALL network interfaces rather than binding to localhost.

Sexual preference. Relationship status. Income. Address. These are just some details applicants for the controversial dating site BeautifulPeople.com are asked to supply before their physical appeal is judged by the existing user base, who vote on who is allowed in to the “elite” club based on looks alone. All of this, of course, is supposed to remain confidential. But much of that supposedly-private information is now public, thanks to the leak of a database containing sensitive data of 1.1 million BeautifulPeople.com users. The leak, according to one researcher, also included 15 million private messages between users. Another said the data is now being sold by traders lurking in the murky corners of the web.

But the information – which now appears to be real user data despite being hosted on a non-production server – was taken by one or more less-than-scrupulous individuals before the lockdown, making it out into the dirty world of data trading this year. That’s according to Troy Hunt, an Australian security expert who runs the website HaveIBeenPwned.com, where people can check if their own information has been leaked in some of the biggest breaches in recent memory, from Adobe to Ashley Madison.


It seems like the records are for sale on the shadier parts of the web and actively being traded by those who trade these kind of things. Fortunately payment details weren’t leaked, and passwords were encrypted.

So it’s a privacy issue more than a financial loss or threat, but as always this kind of info is a goldmine for social engineering, blackmail and identity theft.

Two BeautifulPeople.com users confirmed their information was in the leaked database, which also contained encrypted passwords. They shared their entries as found in the database, which showed an entry for descriptions of themselves, revealing more private details about their personal lives. One confirmed the latitude and longitude details were correct, pointing to Cambridge, UK, where they’d signed up.

BeautifulPeople.com, which brags about being “the largest network of attractive people in the world”, has courted controversy in the past by removing thousands of users from the service for not being attractive enough. In 2009, it boasted 1.8 million “ugly people” had been denied access to the site. In 2010, 5,000 were culled after gaining too much weight over a festive break. Last year, weight gain and ageing led to another 3,000 being thrown out.

Today, the company re-sent its original statement on the breach, first received by FORBES in December. “We can confirm we were notified of a breach on December 24th of 2015 of one of our MongoDB test servers. This was a staging server and not part of our production data base. The staging server was immediately shut down.” The company claimed all affected members were informed of “the vulnerability” in December, whilst noting passwords were encrypted and no financial data was exposed.

The user data apparently is only for users that signed up and were active before July 2015, anyone who joined after that shouldn’t be affected.

And yah, be careful with your staging servers – don’t have production data on them unless you absolutely have to (which honestly you don’t). You can mock whatever data structures you need to develop on it.

And don’t use MongoDB.

Source: Forbes

Posted in: Exploits/Vulnerabilities, Privacy, Web Hacking

, , ,


Latest Posts:


CloudFrunt - Identify Misconfigured CloudFront Domains CloudFrunt – Identify Misconfigured CloudFront Domains
CloudFrunt is a Python-based tool for identifying misconfigured CloudFront domains, it uses DNS and looks for CNAMEs which may be allowed to be associated with CloudFront distributions.
Airbash - Fully Automated WPA PSK Handshake Capture Script Airbash – Fully Automated WPA PSK Handshake Capture Script
Airbash is a POSIX-compliant, fully automated WPA PSK handshake capture script aimed at penetration testing, it is compatible with Bash and Android Shell.
XXEinjector - Automatic XXE Injection Tool For Exploitation XXEinjector – Automatic XXE Injection Tool For Exploitation
XXEinjector is an XXE Injection Tool that automates retrieving files using direct and out of band methods. Directory listing only works in Java applications.
Yahoo! Fined 35 Million USD For Late Disclosure Of Hack Yahoo! Fined 35 Million USD For Late Disclosure Of Hack
Ah Yahoo! in trouble again, this time the news is Yahoo! fined for 35 million USD by the SEC for the 2 year delayed disclosure of the massive hack, we actually reported on the incident in 2016 when it became public.
Drupwn - Drupal Enumeration Tool & Security Scanner Drupwn – Drupal Enumeration Tool & Security Scanner
Drupwn is a Python-based Drupal Enumeration Tool that also includes an exploit mode, which can check for and exploit relevant CVEs.
MyEtherWallet DNS Hack Causes 17 Million USD User Loss MyEtherWallet DNS Hack Causes 17 Million USD User Loss
Big news in the crypto scene this week was that the MyEtherWallet DNS Hack that occured managed to collect about $17 Million USD worth of Ethereum in just a few hours.


6 Responses to BeautifulPeople.com Leak Exposes 1.1M Extremely Private Records

  1. Mariusz April 28, 2016 at 7:53 pm #

    C’mon, it wasn’t Mongo problem, but a stupid administrator who doesn’t know that default settings are usually not the best choice.

    • Darknet April 29, 2016 at 11:54 am #

      So why is necessary to listen on all interfaces by default? No other DB does that, that would have solved all these problems, binding to localhost by default like every other sane piece of software.

      • unknow April 29, 2016 at 3:01 pm #

        Sorry but by default MongoDB only listening on localhost….

        Stupid SysAdmin =/= Bad Database

        • Darknet April 29, 2016 at 6:31 pm #

          Only recently they’ve fixed that, and that’s not the only problem with MongoDB. Yah it’s an oversight by the sys-admin too, but MongoDB is terrible, we stopped using it in production 4 years ago and haven’t missed it at all.

      • Dave May 2, 2016 at 1:54 pm #

        MySQL listens on all interfaces by default.