- Cybernews found an unescured MongoDB instance belonging to Headero
- The database contained millions of records and PII
- It has since been locked down, but users should still be on their guard
Security researchers from Cybernews have reported uncovering a massive MongoDB instance belonging to a dating and hookup app called Headero.
The database contained more than 350,000 user records, more than three million chat records, and more than a million chat room records.
Among the exposed data are names, email addresses, social login IDs, JWT tokens, profile pictures, device tokens, sexual preferences, STD status, and - extra worryingly - exact GPS locations.
However, Headero's developer, a company called TheThotExperiment, says Cybernews' information is not precise:
"Our investigation—under way in cooperation with the Office of the Privacy Commissioner of Canada—has already established several verified facts," the company told TechRadar Pro in an emailed statement.
"The internal testing (non-production) database held fewer than 200,000 registered-user records, not 4 million. Logs show a single access, by the researcher you quoted, and no data were downloaded. The misconfiguration was patched within hours of the 24 March disclosure; no passwords, payment data, or government IDs were ever at risk," they said.
No evidence of abuse
When Cybernews reached out to ThotExperiment, it immediately locked the database down. The company told the researchers that it was a test database, but Cybernews’ analysis indicates that it could have been actual user data, instead.
Unfortunately, we don’t know for how long the database remained open.
Human error leading to exposed databases remains one of the most common causes of data leaks and security breaches.
Researchers are constantly scanning the internet with specialized search engines, finding massive non-password-protected databases almost daily.
These leaks can put people at risk, since cybercriminals can use the information to tailor highly convincing phishing attacks, through which they can deploy malware, steal sensitive files, and even commit wire fraud.
Headero users are advised to be extra vigilant when receiving unsolicited messages, both via email and social platforms.
They should also be careful not to download any files or click on any links in such messages, especially if the messages carry a sense of urgency with them. If they are using the same password across multiple services, they should change them, and clear sessions / revoke tokens in apps, where possible.
Edit, June 13 - Updated to add TheThotExperiment's statement
You might also like
- Top US dental firm spills over 8 million user files online
- Take a look at our guide to the best authenticator app
- We've rounded up the best password managers
