The credentials of 3.5 million users of MobiFriends, a popular dating app, have surfaced on a prominent deep web hacking forum, according to researchers.
MobiFriends is an online service and Android app designed to help users worldwide meet new people online. The Barcelona-based developer of MobiFriends, MobiFriends Solutions, has not commented on the leak. Researchers say the leaked data include dates of birth, genders, website activity, mobile numbers, usernames, email addresses and MD5 hashed passwords.
Roy Bass, senior dark web analyst at Risk Based Security (RBS), told Threatpost the posting came from a reliable source. Bass said that researchers verified the data against the MobiFriends official website (researchers also provided Threatpost with redacted screenshots of the shared credentials).
The compromised credentials were originally posted for sale on an underground forum on Jan. 12 by a threat actor named “DonJuji,” according to a RBS post on Thursday. The threat actor attributed them to a January 2019 breach event. The credentials were later shared for free however on April 12 by a different threat actor on the same forum, researchers said.
Bass told Threatpost that at this time there’s no indication how the data was obtained.
Researchers warn the data includes professional email addresses associated with well-known entities, including American International Group (AIG), Experian, Walmart, Virgin Media and a number of other Fortune 1000 companies. The MD5 hashed passwords of users were also leaked, they said. The MD5 encryption algorithm is known to be less robust than other modern alternatives – potentially allowing the encrypted passwords to be decrypted into plaintext.
In total, researchers found the dataset included 3,688,060 credentials (after removing duplicates, they were left with 3,513,073 unique credentials).
In addition to account hacks, the compromised data leak opens victims up to business email compromise (BEC) attacks as well as spear phishing campaigns, Bass told Threatpost.
“It leaves certain users open to spear-phishing or targeted extortion, as we saw a number of professional email addresses in the data,” said Bass via email. “Furthermore, the exposure of user credentials allows threat actors to check them against other websites in a brute-force fashion. If the credentials have been re-used, the threat actors may be able to gain access to more valuable accounts i.e. banking accounts, social media accounts, etc. ”
Bass told Threatpost that because the leak included other sensitive information, such as date of birth or phone number, “it is possible for threat actors to use this data in conjunction with other data breaches to have a wide range of compromised data on an individual. If enough valuable information is compiled it could be sold and/or later used for identity theft, extortion, and other malicious campaigns,” he said.
Neither RBS nor Threatpost has heard back from MobiFriends regarding the compromised data despite multiple attempts at contact.
Leaked credentials continue to be a top threat for companies. With more companies working from home, for instance, cybercriminals have been trading Zoom credentials on underground forums. And in January, a hacker published a list of credentials for more than 515,000 servers, home routers and other Internet of Things (IoT) devices online on a popular hacking forum in what was touted as the biggest leak of Telnet passwords to date.
Inbox security is your best defense against today’s fastest growing security threat – phishing and Business Email Compromise attacks. On May 13 at 2 p.m. ET, join Valimail security experts and Threatpost for a FREE webinar, 5 Proven Strategies to Prevent Email Compromise. Get exclusive insights and advanced takeaways on how to lockdown your inbox to fend off the latest phishing and BEC assaults. Please register here for this sponsored webinar.
Also, don’t miss our latest on-demand webinar from DivvyCloud and Threatpost, A Practical Guide to Securing the Cloud in the Face of Crisis, with critical, advanced takeaways on how to avoid cloud disruption and chaos.