A security lapse at JCrush, a dating app designed for the Jewish community, left a database open without a password, exposing sensitive user records and private messages to anyone who knew where to look.
The site’s backend database held around 200,000 user records, according to security researchers Noam Rotem and Ran Locar, who shared their findings exclusively with TechCrunch and published a write-up at vpnMentor.
None of the data was encrypted, the researchers told TechCrunch.
We obtained a sample of the records to verify. From what we saw, the records contained the user’s name, gender, email address, IP address and geolocation, as well as their city, state and country, date of birth, sexual preferences, religious denomination and photos they use on JCrush.
Depending on how the user signed up, the records also show the user’s Facebook ID, which points directly to their Facebook profile. The records also include the user’s access token, which can be used to take over a JCrush user’s account without needing their password.
In some cases, the geolocation data was so accurate it was easy to identify exactly where some users lived — especially in residential neighborhoods.
The database also contained private messages — many were explicit and graphic.
Although the researchers didn’t dig into the data — mindful of the privacy implications — they found records relating to “incognito” accounts, which allow users to pay to browse the site anonymously.
The app’s founder Natasha Nova did not respond to a request for comment. An unnamed spokesperson for JCrush’s parent company, Northsight Capital, said it was “aware” of the situation and “secured the database immediately when the problem occurred.”
“There have not been any indications that the data had been accessed by malicious parties or misused in any way,” said the company. When asked, the company did not say what evidence it had for its claim, but noted that it plans to notify its users and authorities of the incident.
It’s the latest in a series of data exposures at dating apps, or companies that tout anonymity and privacy.
Last year, a dating app for conservative supporters — Donald Daters — admitted a database leak on its first day of operations. Only about 1,600 users had their information exposed. In May, a popular Chinese dating app for gay and queer women, Rela, which had more than five million users, left its database open and exposed.