The MeetMindful dating site was hacked and the details of its 2.8 million customers were leaked online. The whole database is now free to download. So what, you might say. I'm not a member of the site, so what do I have to worry about? Well, possibly nothing, but it is naïve to think that any hack occurs in a vacuum and cannot reach out and influence your life. This is especially true when dating sites are hacked. In this post, I explain how a hack on an obscure dating site can still change your life, even if you are not a member.
Here is a copy of what data is available to anyone who wants to download it.
So, with this information I know your real name, your email, your date of birth, the city you live in, and the username you use on the site. That username is often the same one people use elsewhere, which matters for what follows. On the surface this may seem quite innocuous, but is it really?
I used some of the information from this breach to see what else I could learn about the people on this site. Using my favorite hacking tool, Google Search, I was able to find LinkedIn, Twitter, Instagram, and Facebook profiles. I learned where people worked and who they knew. In short, I had plenty of information for a good spearphishing attack.
To start with, there seems to be nothing stopping me from setting up an account on MeetMindful. Yes, I need to supply an email address to receive the confirmation email, but I can get a throwaway one that I'd use only for the scam (see Temp Mail).
The easiest scam to run with such data is the romance scam. To begin, I would get a photo of a good-looking guy (or girl) of roughly the age of the profile I created on the dating site. I'd be targeting older women, because they are statistically easier to trick with romance scams. (Tricking wealthy men is always an option, however.) I would choose a profile picture mature enough to be plausible: the idea of Justin Bieber contacting a 70-year-old woman with words of love is difficult to believe except for the most deluded. I would also target a woman who seemed to have a well-paying job. Remember, my real objective is not romance but money, and LinkedIn profiles can help me in this regard.
I may not even need to open a MeetMindful account at all. I have the potential victim's email address, so I could send them a message expressing interest in a profile of theirs that I happened to see online. If pressed, I could admit to having a MeetMindful dating profile myself but say that I was not sure I trusted the site. After all, it had just been hacked, right? I might then direct them to a fake Facebook page that I had set up for the scam, with my fake profile picture, or another photo of the same person, on it. From there I would be in a position to launch the scam. For those who wish to know more about how these scams operate, go here.
The next most profitable scam would target companies. With the information I have, I may be able to find individuals or contractors connected to a corporate network. I would masquerade as one of them and send the target a plausible attachment such as an invoice. The attachment would, of course, carry malware that gives me a foothold on the corporate network. From this point I have several options: request valid-looking money transfers, steal bank login credentials, or launch a ransomware attack. I could also try to steal data to sell, but that is more complicated and would leave me more exposed to law enforcement. Remember, I just want to make some easy money.
Dating site data leaves its members vulnerable to extortion. The database shows, for example, that 3590 married people were seeking relationships outside of their marriages. Maybe some have their spouses' blessing, but the chances are that at least some of them would not want their significant other to learn what they were doing. Since I have already found their Facebook profiles, I could threaten to release this information to all of their contacts or business associates. Certainly some of them would pay to keep it quiet.
Most sextortion scams are bluffs: no, the person does not have incriminating photos or videos of you. On a dating site, though, the threat carries more weight, because the victim cannot be sure what else was taken. In this case, no emails or messages were exposed and no photos were accessed. However, I could glean photos from the victim's other social media profiles, and even innocent ones would add to my credibility and my chances of getting paid.
But none of this explains how people who are not on the site can be scammed. Have you ever gotten an email or message from a friend saying something like, “if you get a message claiming to come from me, ignore it”? Had you acted on that earlier message, you could have been compromised. In such a case, someone else was hacked and their contact list was exploited. A more sophisticated version of this attack occurs when the attacker takes control of a social media account. This is often done by emailing the target, telling them to reset their password, and leading them to a fake login page. The attacker captures the real password, signs in, changes the password, and now controls the account. They have, in a sense, become the person they victimized, and whatever message they send to contacts appears to come from the victim's account, because it does.
It is also not unknown for contacts of dating site hack victims to be targeted for romance scams themselves. Even if these people are not on the hacked dating site, a short investigation can show whether they could be drawn into a scam relationship. This is especially true of social media friends, who may share more with people they believe to be trusted contacts.
In short, data stolen in dating site hacks can lead to an array of problems, not only for the people on the site but for their friends and contacts, including the companies they work for or are affiliated with. The recent MeetMindful hack is especially dangerous because the data was openly distributed to anyone who wanted to use it to craft an attack.
MeetMindful has released information on the hack of its site. The main thing it tells victims to do is to change their passwords. Is that useful? The leaked passwords were hashed with bcrypt (not encrypted), and bcrypt's cost factor makes every guess expensive, so a long random password is effectively out of reach even for an attacker with good hardware. But that protection only holds for strong, unique passwords. Anyone who used a common or short password will have it recovered by a wordlist attack in minutes to hours, and anyone who reused their MeetMindful password on other sites has handed the attacker those accounts as well. So changing the password, here and anywhere it was reused, is sound advice as far as it goes. The problem is that it is the only advice, and it does nothing about the names, emails, dates of birth, and cities that leaked in the clear, which is what the scams described above actually run on. For psychological reasons, people may simply feel good about changing a password.
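To put numbers on the "years to crack" question, here is an added example; it is not MeetMindful's code and not from the original post. It uses PBKDF2-HMAC-SHA256 from Python's standard library as a stand-in for bcrypt (assumption: both are salted, deliberately slow hashes, and the argument only depends on cost per guess; bcrypt itself needs a third-party package). The wordlist, the two accounts, and the attacker guess rate are all constructed for the example. The same slow hash that makes a random 16-character password unreachable does nothing for a password that sits in a wordlist.

```python
import hashlib
import hmac
import os

# Work factor for the stand-in hash. Assumption: PBKDF2-HMAC-SHA256 plays the
# role of bcrypt here; MeetMindful's real cost parameter is not public.
ITERATIONS = 50_000
SECONDS_PER_YEAR = 365 * 24 * 3600


def slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated password hash (stand-in for bcrypt)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(username: str, password: str) -> dict:
    """Build one leaked-style record: username, random salt, hash. No plaintext is kept."""
    salt = os.urandom(16)
    return {"username": username, "salt": salt, "hash": slow_hash(password, salt)}


# Constructed wordlist. A real one (rockyou.txt and the like) has millions of entries.
WORDLIST = ["password", "123456", "iloveyou", "summer2020", "mindful1", "qwerty"]


def dictionary_attack(record: dict, wordlist) -> tuple:
    """Try each candidate against one record. Returns (password_or_None, guesses_made)."""
    guesses = 0
    for candidate in wordlist:
        guesses += 1
        digest = slow_hash(candidate, record["salt"])
        # Constant-time comparison, as a real verifier would use.
        if hmac.compare_digest(digest, record["hash"]):
            return candidate, guesses
    return None, guesses


def seconds_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate in a keyspace at a given guess rate."""
    return keyspace / guesses_per_second


def years_to_exhaust(keyspace: int, guesses_per_second: float) -> float:
    return seconds_to_exhaust(keyspace, guesses_per_second) / SECONDS_PER_YEAR


if __name__ == "__main__":
    import time

    # Two constructed accounts: one wordlist password, one random 16-character one.
    weak = make_record("alice", "summer2020")
    strong = make_record("bob", "x7Qp!2LmzV9#rTd4")

    start = time.perf_counter()
    found, n = dictionary_attack(weak, WORDLIST)
    cpu_rate = n / (time.perf_counter() - start)
    print(f"weak password recovered: {found!r} after {n} guesses (~{cpu_rate:.0f} guesses/s on one core)")

    found, n = dictionary_attack(strong, WORDLIST)
    print(f"random password: {found!r} after {n} guesses, wordlist exhausted")

    # Assumed attacker rate against bcrypt on dedicated hardware; adjust to your threat model.
    rig_rate = 10_000
    print(f"10M-word list at {rig_rate:,}/s: {seconds_to_exhaust(10_000_000, rig_rate) / 60:.0f} minutes")
    print(f"random 16-char (94 symbols) at {rig_rate:,}/s: {years_to_exhaust(94 ** 16, rig_rate):.1e} years")
```

Run it and the weak account falls on the fourth guess while the random one survives the whole list; at the assumed rig rate a ten-million-word list takes under twenty minutes, and the 94^16 keyspace takes longer than the age of the universe. That gap, not the hash, is what the "change your password" advice is really about.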
Some people may leave the site, but most will probably stay. The attackers still have all of their basic information, so even if they change their passwords they remain candidates for every scam described above. The best advice would be to leave the site completely, yet because much of the personal information is already out, the people MeetMindful notified will have to be particularly skeptical of anyone who contacts them. Sadly, the same goes for anyone who is a friend of one of these victims. In fact, it would be a good idea for victims to tell all of their contacts, friends, and business associates that they were caught up in this hack and that they should be especially cautious. Of course, very few will do this, because they mistakenly assume that they are the only potential victims.