MobiFriends data breach: 3.68 million credentials exposed online

Dating app MobiFriends suffers a data breach – personal information of almost 4 million users affected

MobiFriends data leak

A large dump of data belonging to MobiFriends users was found on a high-profile underground hacking forum and is now available for download. The leak was discovered by the RiskBased Security research team, which posted about it on May 7,[1] although the app's developer, Mobifriends Solutions, has not yet announced the breach. According to the publication, data on around 3.68 million users was stolen, including email addresses, usernames, hashed passwords, and other personal details.

Spain-based MobiFriends is an Android dating app that lets users create a profile and look for new friends or romantic partners, chat, share hobbies, and perform other social networking activities from their mobile devices. According to LinkedIn, MobiFriends was founded in 2005 and currently has between 11 and 50 employees.[2]

The RiskBased Security team said that the stolen data was initially offered for sale but can now be found on several sources for free. This lets malicious actors and cybercriminal groups abuse the personal information of millions of individuals, exposing them to serious security risks.

Breach attributed to a data leak that occurred back in January 2019

According to RiskBased Security's research, the personal information of 3,688,060 MobiFriends users was first posted on a “prominent deep web hacking forum” on 12 January 2020 by an unknown actor, “DonJuji.” It remained for sale until 12 April 2020, when the listings were reposted on other sources, this time without restrictions. RiskBased Security experts performed several checks to confirm that the data is genuine and not simply a hoax.

Despite this, there is no information on how the attackers breached MobiFriends in the first place. Several possibilities exist, such as a security vulnerability in the app's API or a compromise of an employee's credentials, either of which could have allowed unauthorized access to the database.[3]

Researchers believe that the information in the data dump comes from a massive breach that occurred a year earlier, in January 2019. Back then, Troy Hunt, the owner of “Have I Been Pwned,” first discovered a collection of almost 773 million records.[4] This discovery was quickly followed by further data batches, which in total contained 2.2 billion usernames and associated passwords.[5]

Security researchers say that the “stash” of stolen data records keeps growing, citing the 2020 Q1 report:

Risk Based Security has found that the number of records exposed in data breaches disclosed in 2020 Q1 has skyrocketed to a record 8.4 billion – a 273% increase. Approximately 70% of 2020’s reported breaches were due to unauthorized access to systems or services and attackers are opting to steal access credentials in the form of passwords in combination with email addresses or usernames.

Affected users are susceptible to targeted phishing attacks and other risks

While, given the nature of the MobiFriends app, the leaked information does not contain sensitive details like explicit photos, private conversations, or other compromising material, the stolen data is still highly personal and can lead to a range of harms for the affected users.

Posted listings contain the following information about MobiFriends users:

  • Email addresses
  • Usernames
  • MD5 hashed passwords
  • Phone numbers
  • Dates of birth
  • Gender information
  • Website activity logs

The RiskBased Security team said that some email addresses in the exposed data belong to users at high-profile companies, such as Virgin Media, Experian, Walmart, American International Group (AIG), and many other Fortune 1000 companies. The compromise of an employee's email address could be devastating for the employer, as attackers could use the data to breach the company through spear-phishing or other attack vectors.

Additionally, the fact that the passwords were hashed does not mean they are safe from exposure, because the hashing algorithm used is weak. MD5 is fast to compute, and if, as is common with MD5 deployments, no per-user salt was used, every user who chose the same password has the same hash, so the dump can be matched against precomputed tables or brute-forced at very high speed on commodity GPUs:

The MD5 encryption algorithm is known to be less robust than other modern alternatives, potentially allowing the encrypted passwords to be decrypted into plaintext.
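To make the point above concrete, the following is an added example, not code from the article, from MobiFriends, or from Risk Based Security. It runs a dictionary attack against a constructed table of unsalted MD5 hashes (every email, password and hash in it is made up for the demo; the only real values are the well-known MD5 digests of "password" and "123456"), then stores the same passwords with a random per-user salt and PBKDF2-HMAC-SHA256 to show why the same attack no longer scales. The record format `alg$iters$salt$dk` and the wordlist are assumptions for illustration.

```python
"""Added example (not code from the article, MobiFriends, or Risk Based Security):
why unsalted MD5 password hashes are cheap to recover, and what a salted,
deliberately slow password hash looks like by contrast. Every email, password
and hash below is constructed for the demo; no real breach data is used."""
from __future__ import annotations

import hashlib
import hmac
import os


def md5_hex(password: str) -> str:
    """Unsalted MD5, the scheme the leaked records are reported to use."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a leaked credential table: email -> unsalted MD5 hash.
LEAKED_MD5 = {
    "alice@example.com": "5f4dcc3b5aa765d61d8327deb882cf99",  # md5("password")
    "bob@example.com":   "e10adc3949ba59abbe56e057f20f883e",  # md5("123456")
    "carol@example.com": md5_hex("correct horse battery staple"),  # not in WORDLIST
}

# A tiny stand-in for the multi-gigabyte wordlists used in real cracking runs.
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou", "dragon"]


def crack_unsalted_md5(leaked: dict, wordlist: list) -> tuple[dict, int]:
    """Dictionary attack against unsalted hashes.

    With no salt, md5("password") is the same string for every user, so the
    attacker hashes each wordlist entry ONCE and looks every leaked hash up in
    the resulting table. Work is len(wordlist), independent of the user count.
    Returns (cracked {email: plaintext}, number of hash computations).
    """
    lookup = {md5_hex(guess): guess for guess in wordlist}  # hash -> plaintext
    cracked = {user: lookup[h] for user, h in leaked.items() if h in lookup}
    return cracked, len(lookup)


# --- The contrast: random per-user salt plus a slow key-derivation function ---

def hash_password(password: str, salt: bytes | None = None,
                  iterations: int = 600_000) -> str:
    """PBKDF2-HMAC-SHA256 with a 16-byte random salt.
    Demo record format (an assumption): alg$iterations$salt_hex$dk_hex.
    600_000 iterations is the current OWASP recommendation for PBKDF2-SHA256."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    _alg, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted(records: dict, wordlist: list) -> tuple[dict, int]:
    """The same dictionary attack against salted PBKDF2 records. No shared lookup
    table is possible: each guess must be re-derived per user with that user's own
    salt, so work grows as len(wordlist) * len(records), each step deliberately slow.
    Returns (cracked {email: plaintext}, number of PBKDF2 derivations performed)."""
    cracked, work = {}, 0
    for user, stored in records.items():
        for guess in wordlist:
            work += 1
            if verify_password(guess, stored):
                cracked[user] = guess
                break
    return cracked, work


if __name__ == "__main__":
    found, work = crack_unsalted_md5(LEAKED_MD5, WORDLIST)
    print(f"unsalted MD5: recovered {found} with {work} hash computations")

    # Same users and passwords stored properly (low iteration count only to keep the demo quick).
    salted = {u: hash_password(p, iterations=50_000)
              for u, p in [("alice@example.com", "password"), ("bob@example.com", "123456")]}
    found, work = crack_salted(salted, WORDLIST)
    print(f"salted PBKDF2: recovered {found} with {work} slow derivations")
```

Carol's hash survives only because her passphrase is not in the six-word list; against a real wordlist of hundreds of millions of entries, the unsalted table costs the attacker one MD5 per entry no matter how many users leaked, which is why weak or reused passwords in an MD5 dump should be treated as already known to the attacker. The salted variant does not stop a determined attacker from guessing one user's weak password, but it removes the shared table and makes every guess cost a full slow derivation per user.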

Individuals who registered with MobiFriends should immediately reset their password in the app, and change it on every other account where the same password was reused. Given the phishing risk described above, affected users should also treat unexpected emails that reference the app or its data with suspicion.