Rela (热拉), a popular dating app for gay and queer women, has exposed millions of user profiles and private data because a server wasn’t protected with a password.
Rela disappeared from app stores in May 2017 after it was reportedly shut down by Chinese regulators, though the government never confirmed it took action. But the app returned a year later, according to its app store listing, on a different cloud provider. LGBTQ+ rights in China remain highly limited, even though it was decriminalized in 1997. Many in the community still fight discrimination and attitudes have been slow to change.
Victor Gevers, a security researcher at the GDI Foundation, found the exposed database this week, he told TechCrunch, containing more than 5.3 million app users.
It’s believed the database had been exposed since June 2018, a month after the app returned, Gevers said.
Each record included their nicknames, dates of birth, height and weight, ethnicity and sexual preferences and interests. Records also, where users allowed, included their precise geolocation. The database also contained more than 20 million “moments,” or status updates — including private data.
“The privacy of five-plus million LGBTQ+ people face a lot of social challenges in China because there are no laws protecting them from discrimination,” said Gevers. “This data leak that has been open for years makes it even more damaging for the people involved who were exposed.”
In a brief response, a company spokesperson confirmed the database had been secured.
Gay dating apps remain big business — even for companies in China, despite the legal complexities that’s seen several major apps shut down. Zank, a popular app used mostly by gay and bisexual men, was shut down in April 2017 citing the government’s rules for broadcasting pornographic content.
Yet more established apps, like Blued, remain popular in the country.
Chinese gaming giant Kunlun bought a 60 percent stake in U.S.-based gay dating app Grindr in 2017 and later acquired the entire company, but is reportedly up for sale amid concerns that the company poses a risk to U.S. national security.
Read more:
- Data management giant Rubrik leaked a massive database of client data
- Dozens of companies leaked sensitive data thanks to misconfigured Box accounts
- At Blind, a security lapse revealed private complaints from Silicon Valley employees
- Millions of bank loan and mortgage documents have leaked online
- Popular avatar app Boomoji exposed millions of users’ contact lists and location data