Good news for love-seekers this Valentine’s Day. In a bit of odd timing, users of the dating app Coffee Meets Bagel woke up this morning to find an email in their inboxes warning that their account information had been stolen by a third party that gained unauthorized access to the company’s systems.
The email keeps most details about the situation vague, saying only that some data from users’ accounts “may” have been acquired by a third party that gained access to a partial list of user details. It doesn’t say how the breach occurred or how many users were affected.
This breach was discovered as part of a larger data dump of some 617 million account details, which recently went up for sale on the dark web. According to the seller, the stolen account databases came from a number of sites, including Dubsmash, MyFitnessPal, MyHeritage, Whitepages, Animoto, HauteLook, 500px, and several others.
The Coffee Meets Bagel breach reportedly included 673MB of data taken in late 2017 and mid-2018. Earlier reports indicated that it could include a name, email, age, registration data and gender.
According to the Coffee Meets Bagel email sent out to users overnight, however, the affected information only included names and emails prior to May 2018.
The company also reminded users that it never stores any financial information or passwords, which means the impact of this particular breach is relatively minor. (In fact the most newsworthy thing about it could be why the company chose to disclose the breach today of all days!)
Coffee Meets Bagel says it’s now taking several steps to better protect its community going forward, including the hiring of forensic security experts to audit its systems and infrastructure, and its vendor and external systems. In addition, the company notes it’s still monitoring for suspicious activity and engaged with law enforcement about the incident. And it’s working to enhance its systems to better detect and prevent unauthorized access in the future.
Users were reminded to be extra cautious about any unsolicited communications that ask for personal data or direct them to a web page where personal data is collected. But user passwords were not being proactively reset, according to this notice.
Coffee Meets Bagel isn’t the only dating app under attack as of late. This week, TechCrunch’s Zack Whittaker reported that many users were complaining their OKCupid accounts had been hacked, as well.
However, OKCupid denied that a security breach had taken place. That means those account takeovers could be the result of hackers using login credentials leaked in some other breach – that is, users had re-used the same email/password combination when signing up for OKCupid as had been exposed through an attack on another site.
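The credential-reuse scenario described above has a recognisable signature on the defender’s side: one source trying many different accounts in a short span, most attempts failing, a few succeeding. The following Python script is an added illustration written for this page, not code from Coffee Meets Bagel, OKCupid or TechCrunch. It parses a constructed four-field login log, flags sources matching that pattern, and lists the accounts such a source logged into successfully, which are the ones worth forcing a password reset on even when the site itself was not breached. The log format, IP addresses, account names and thresholds are all assumptions made for the example.

```python
"""Flag credential-stuffing patterns in authentication logs.

Added example for this page (not any company's real code). After a third-party
breach leaks email/password pairs, they get replayed against other sites; the
defender-side signal is one source trying many distinct accounts with a high
failure rate. Log format, sample lines and thresholds below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Set

# Constructed sample log: "<ISO timestamp> <client ip> <account email> <result>"
SAMPLE_LOG = """\
2019-02-14T09:00:01 203.0.113.7 alice@example.org fail
2019-02-14T09:00:02 203.0.113.7 bob@example.org fail
2019-02-14T09:00:02 203.0.113.7 carol@example.org success
2019-02-14T09:00:03 203.0.113.7 dave@example.org fail
2019-02-14T09:00:04 203.0.113.7 erin@example.org fail
2019-02-14T09:00:05 203.0.113.7 frank@example.org fail
2019-02-14T09:00:30 198.51.100.20 alice@example.org fail
2019-02-14T09:00:41 198.51.100.20 alice@example.org success
2019-02-14T09:05:00 192.0.2.55 grace@example.org success
"""


class Attempt(NamedTuple):
    ts: datetime
    ip: str
    account: str
    ok: bool


def parse_log(text: str) -> List[Attempt]:
    """Parse the constructed four-field log format, skipping malformed lines."""
    attempts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, account, result = parts
        attempts.append(Attempt(datetime.fromisoformat(ts), ip,
                                account.lower(), result == "success"))
    return attempts


def find_stuffing_sources(attempts: List[Attempt],
                          window: timedelta = timedelta(minutes=5),
                          min_accounts: int = 5,
                          min_fail_rate: float = 0.6) -> Dict[str, dict]:
    """Return {ip: stats} for every source that, within some `window`, tried at
    least `min_accounts` distinct accounts with a failure rate >= `min_fail_rate`.
    A normal user retrying one forgotten password never trips this, because the
    distinct-account count stays at one."""
    by_ip: Dict[str, List[Attempt]] = defaultdict(list)
    for a in attempts:
        by_ip[a.ip].append(a)

    flagged: Dict[str, dict] = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda a: a.ts)
        # Slide a window starting at each event; stop at the first match.
        for i, start in enumerate(events):
            bucket = [e for e in events[i:] if e.ts - start.ts <= window]
            accounts = {e.account for e in bucket}
            failures = sum(1 for e in bucket if not e.ok)
            fail_rate = failures / len(bucket)
            if len(accounts) >= min_accounts and fail_rate >= min_fail_rate:
                flagged[ip] = {
                    "accounts": len(accounts),
                    "attempts": len(bucket),
                    "fail_rate": round(fail_rate, 2),
                    # Accounts the attacker actually got into: reset candidates.
                    "compromised": sorted(e.account for e in bucket if e.ok),
                }
                break
    return flagged


def accounts_to_reset(flagged: Dict[str, dict]) -> Set[str]:
    """Accounts successfully accessed from a flagged source."""
    return {acct for stats in flagged.values() for acct in stats["compromised"]}


if __name__ == "__main__":
    report = find_stuffing_sources(parse_log(SAMPLE_LOG))
    for ip, stats in report.items():
        print(ip, stats)
    print("force reset:", sorted(accounts_to_reset(report)))
```

On the constructed sample, 203.0.113.7 is flagged (six accounts in four seconds, five failures) and carol@example.org comes out as the account to reset; the single user retrying their own password from 198.51.100.20 is left alone. In production the same logic would run over a real auth log with the thresholds tuned to the site’s normal traffic.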
We’ve asked Coffee Meets Bagel if it would disclose how many accounts were impacted and other details. We’re told that approximately 6 million users were impacted.
A spokesperson also offered the following comment:
“With online dating, people need to feel safe. If they don’t feel safe, they won’t share themselves authentically or make meaningful connections. We take that responsibility seriously, so we informed our community as soon as possible—regardless of what calendar date it fell on—about what happened and what we are doing about it.”
Coffee Meets Bagel is one of the smaller dating apps with nearly 7 million installs as of December, according to data from Sensor Tower. But its popularity is still growing. The company to date has grossed over $25 million by the end of last year, with users spending $900,000 in the app in November 2018, up 30 percent over the year prior.
The startup has raised just under $20 million and has more recently been trying to position itself as an “anti-Tinder” by focusing on richer profiles that emphasize the text, not just the photos, and on changes to how conversations work.
The full email from Coffee Meets Bagel is below:
We recently discovered that some data from your Coffee Meets Bagel account may have been acquired by an unauthorized party. We would like to make sure you have the facts about what happened, what information was involved, and the steps we are taking to help protect you.
On February 11, 2019, we learned that an unauthorized party gained access to a partial list of user details. Once we became aware, we quickly took steps to determine the nature and scope of the problem.
What information was involved?
The affected information only includes your name and email address prior to May 2018. As a reminder, we never store any financial information or passwords.
What are we doing?
We have taken steps to protect our community, including the following:
• We have engaged forensic security experts to conduct a review of our systems and infrastructure.
• Vendor and external systems are being audited and reviewed to ensure there are no compliance issues or third-party breaches.
• We continue to monitor for suspicious activity and we are coordinating with law enforcement authorities regarding this incident.
• We continue to make enhancements to our systems to detect and prevent unauthorized access to user information.
What you can do
As always, we recommend you take extra caution against any unsolicited communications that ask you for personal data or refer you to a web page asking for personal data. We also recommend avoiding clicking on links or downloading attachments from suspicious emails.
The security of your information is important to us, and we apologize for any inconvenience this may have caused you. As always, if you have any questions or need any additional information, please do not hesitate to contact us at firstname.lastname@example.org
Update, 2/14/19, 2:25 PM ET – Spokesperson confirmed 6M accounts affected; post was updated to include this number.