Millions of users of the dating site MeetMindful got some unpleasant news on Sunday. ZDNet reported that the hacker group ShinyHunters, the same group that leaked millions of user records for the company that listed the “Camp Auschwitz” shirts, has dumped what appears to be data from the dating site’s user database. The leak, which was confirmed by the company, purportedly contains the sensitive information of more than 2.28 million of the site’s registered users.
According to ZDNet, the 1.2 gigabyte file was shared as a free download “on a publicly accessible hacking forum known for its trade in hacked databases.” The company said the leaked information included first names, and in some cases last names; emails; encrypted passwords and other credentials, which it said were not able to be accessed; basic account details including city, state, date of the account’s creation and last active dates; some birthdays; and email and other notification preferences.
MeetMindful stated that no passwords, photos, conversations, matches, credit card data, or other financial information was leaked. It added that no personal information relating to matches, such as messages, photos, favorites, or user views, was released.
The outlet, which included screenshots of the file posted to the hacker forum as well as a small sample of the data exposed, highlights that not all the leaked accounts include the user’s full details. Nonetheless, it stated that the information leaked could be used to link individuals’ dating profiles to their real-world identities. The hacking forum where the data was posted has been viewed more than 1,500 times. Per the outlet, it is still available for download.
ZDNet said it was informed of the leak by a security researcher, whom it did not name, earlier this week. It added that it had contacted MeetMindful on Thursday to ask for comment on the matter but had not received a response for days.
Gizmodo got in touch with MeetMindful on Sunday and was pointed to an article by co-owner Keith Gruen on the company’s response. Gruen said that a “well-known hacker” posted user information from several companies on Jan. 20, including MeetMindful, and apologized for the breach.
“We are deeply sorry that this has happened, and want to be as candid and transparent as possible about what occurred, who was affected, and how we’re moving forward,” Gruen wrote.
Gruen said the hacker exploited a now-closed vulnerability in its system and was thus able to export an outdated version of a list of basic user information. The breach affected users who signed up for MeetMindful before March 2020, the company explained. Users who created an account after March 2020 or have updated their account details since March 2020 were not affected.
The company stated that it had brought in “additional development resources to ensure future safety.” It also said that it had reached out to all likely affected users and was actively reviewing its systems and procedures to ensure that this didn’t happen again.
“We have increased our level of security on all servers and within our application. This may result in slow access times or firewall checks for some users,” Gruen said.
According to its Crunchbase profile, MeetMindful is a dating site platform for “people who are into health, well-being, and mindfulness.” It was founded in 2013, is based in Denver, Colorado, and is still active.
Here’s where it starts to get a little strange, though. The site’s listed social media channels have been inactive for months, which is interesting considering that major dating apps have been growing during the pandemic. I mean, don’t they want to encourage their users to date (safely)? From the outside, the service seems like a dead zone. Who knows though, it could be all the rage inside the site itself.
In the company’s post, Gruen did not comment on the number of users affected by the hack. He advised users to reset their passwords to add additional security to their accounts and not to respond if they get a text or email asking for their account numbers or passwords. MeetMindful will never ask users to share personal information in an email or text, Gruen said.
Gizmodo asked Gruen if he could specify the number of users affected, but he said that the company was not commenting publicly on the extent of the breach. Nonetheless, Gruen stated that the reported figure, the 2.28 million cited by ZDNet, was substantially higher than the real number. At least double, he added.
When asked whether it was true that Facebook user IDs and authentication tokens had also been accessed, Gruen confirmed that there was expired Facebook data in the breach, specifically long-expired tokens that MeetMindful used when users created an account via Facebook. MeetMindful no longer lets users create an account using Facebook, he said, highlighting that tokens typically have a 60-day maximum lifecycle.
“The released data is greater than six months old, and our Facebook integration was also removed well over 60 days ago, so we have no outstanding concerns about this at present, as each of these tokens has expired, removing any potential for improper use,” Gruen said.
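The two scoping rules the company gives above (only accounts created and not updated since March 2020 were in the exported snapshot, and Facebook tokens live at most 60 days) are the kind of thing an incident responder turns into a triage script. The following is an added illustration, not MeetMindful’s code; the record layout and dates are constructed, and the 1 March 2020 cutoff is an assumption since the article only says “March 2020”.

```python
from datetime import date, timedelta

# Triage rules taken from the company's statements (cutoff day is an assumption).
CUTOFF = date(2020, 3, 1)                # accounts created/updated on or after this were not in the export
TOKEN_MAX_LIFETIME = timedelta(days=60)  # stated maximum lifetime of the Facebook tokens

# Constructed sample records (invented values, same field shapes the article describes).
SAMPLE_RECORDS = [
    {"email": "a@example.com", "created": date(2019, 6, 2),
     "last_updated": date(2019, 6, 2), "fb_token_issued": date(2019, 6, 2)},
    {"email": "b@example.com", "created": date(2019, 11, 15),
     "last_updated": date(2020, 5, 1), "fb_token_issued": None},      # updated after cutoff
    {"email": "c@example.com", "created": date(2020, 4, 10),
     "last_updated": date(2020, 4, 10), "fb_token_issued": None},     # created after cutoff
    {"email": "d@example.com", "created": date(2019, 12, 20),
     "last_updated": date(2019, 12, 20), "fb_token_issued": date(2019, 12, 20)},
]


def is_affected(rec):
    """In scope only if the account existed before the cutoff and was never updated after it."""
    return rec["created"] < CUTOFF and rec["last_updated"] < CUTOFF


def token_still_live(rec, as_of):
    """Worst case for the defender: treat a token as live until its maximum lifetime has elapsed."""
    issued = rec["fb_token_issued"]
    return issued is not None and issued + TOKEN_MAX_LIFETIME >= as_of


def triage(records, as_of):
    """Count in-scope records and list any whose leaked token could still be valid on as_of."""
    affected = [r for r in records if is_affected(r)]
    live = [r["email"] for r in affected if token_still_live(r, as_of)]
    return {"affected": len(affected), "live_tokens": live}


if __name__ == "__main__":
    print(triage(SAMPLE_RECORDS, date(2021, 1, 24)))
```

Run against the sample on the article’s date, two records are in scope and no token could still be live; the same check a month after the last token issue date would still flag it, which is why the age of the dump matters.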
Update 1/25/2021, 9:40 a.m. ET: This post has been updated with additional information from MeetMindful.
Update 1/26/2021, 6:00 p.m. ET: We have added more comments from the company regarding the number of people affected by the hack and whether Facebook data was also accessed.