Instead of finding love or getting lucky on Valentine’s Day, users of dating app Coffee Meets Bagel (CMB) instead found out that their personal data might have leaked online for sale.
The Register reported that a dealer on dark web site Dream Market had been selling over 617 million account details pilfered from apps such as Dubsmash, MyFitnessPal and Coffee Meets Bagel — all popular apps in Singapore. The asking price for all that stolen data? Less than $20,000 in bitcoin.
So far, at least one individual has bought the leaked Dubsmash data. Though one would wonder what’d someone could do with the accounts of a lip sync-focused video message app that’s now considered second-rate to TikTok.
But back to CMB. Originating from San Francisco in 2012, it’s one of the more popular dating apps in Singapore alongside the likes of Tinder, Bumble, and OkCupid. With over 2.5 million introductions made among Singaporean singles with the app in a span of one year, the leak should be worrying to anyone who registered under the app. Six million CMB accounts are now potentially compromised.
According to The Register, 673MB of data had been stolen within the period of late 2017 to mid-2018, with each account record containing a full name, email address, age, gender, and registration date. The data package is selling for cheap: $468 worth of Bitcoin.
Fortunately, financial information in the dating app — CMB has an in-app currency of “beans” to unlock special features — have not been compromised, according to an email sent out to users. CMB assured that it has engaged forensic security experts to review its systems and root out how the leak happened.
Coffee Meets Bagel decides to tell users it suffered a data breach…. on Valentine’s Day. 💔 pic.twitter.com/VRNFYlvEJE
— Donie O’Sullivan (@donie) February 14, 2019
It should go without saying that the users of the affected apps — Dubsmash, MyFitnessPal, MyHeritage, ShareThis, HauteLook, Animoto, EyeEm, 8fit, Whitepages, Fotolog, 500px, Armor Games, BookMate, CoffeeMeetsBagel, Artsy, and DataCamp — should change their passwords now.
