Exposed: Instagram, OKCupid, Mumsnet All Face Data Concerns

It has once again been busy on the data privacy/exposure front as the week kicks off, with Instagram, dating site OKCupid and the UK’s powerhouse discussion site, Mumsnet, all making recent news. A report on GDPR breach notifications rounds out the latest.

First up, Instagram users are apparently the target for attackers that created a shadow database of “Grammer” details. Researcher Oliver Hough took to Twitter to warn of the existence of database, which is wide-open to the web. He noted that there are more than 14.5 million entries gathered through October, with information scraped from user profiles, including telephone and address data for business accounts.

While the information is available on public profiles, having it all collated in one place makes like easier for criminals looking to mount a phishing campaign, for instance. And it creates a second location for user data that users themselves have no control over.

“Why is this a concern? Well it creates a shadow database of Instagram users, except this database is wide open to the Internet,” he tweeted. “So what we have here is a shadow db that probably doesn’t respect if you remove your info from Instagram.”

> someone is indexing @instagram users
>
> lots of them: 14,526,602 entries
>
> The interesting part is the entries have empty fields for home address and telephone number. pic.twitter.com/QX0f3tPYjh
>
> — Oliver Hough ❄ (@olihough86) February 8, 2019

Meanwhile, dating site OKCupid has denied a data breach after reports surfaced of users complaining that their accounts were hacked.

Users told TechCrunch that attackers had logged into their accounts and then changed the email addresses and passwords on file, thus locking them out of the accounts and making it nearly impossible to regain control of them. Others took to Twitter to complain:

> @okcupid My account was just hacked about 20 minutes ago and passed/email changed, trying to find a contact email but been unable to. Any help?
>
> — Kieron Scott (@RyanCavendell) February 4, 2019

While password reuse and using easy-to-guess passwords often make cracking accounts like these fairly easy using credential-stuffing/brute-forcing, several users said they were using strong credentials, unique to the site. That would imply some kind of data breach or exposure by OKCupid – but that’s a conclusion that it says is unwarranted.

“There has been no security breach at OkCupid,” Natalie Sawyer, a spokesperson for OkCupid, said in a media statement to the outlet. “All websites constantly experience account takeover attempts. There has been no increase in account takeovers on OkCupid.”

We reached out to OKCupid for further comment and will update this post with any response.

Since the European Union’s General Data Protection Regulation (GDPR) came into effect in May last year, EU organizations have reported almost 60,000 data breaches, but so far fewer than 100 fines have been issued by regulators.

On the international front, the European Commission said that it received 41,502 data breach notifications between May 25, 2018, when the General Data Protection Regulation (GDPR) went into effect, and Jan. 28. The statistics cover 21 of the 28 EU member states; an analysis by law firm DLA Piper’s meanwhile counted 59,430 disclosed data breaches across Europe over the same period. Most of the notifications were in the Netherlands (15,400 disclosures), Germany (12,600) and the United Kingdom (10,600). DLA Piper also said that fewer than 100 fines have been doled out so far.

Speaking of the UK, online parenting discussion forum Mumsnet has announced a data breach arising from a software snafu.

The site, which is an entrenched fixture for parents in the UK with 4.3 million unique users per month, announced that users that logged into their accounts between 2 p.m. on Feb. 5 and 9 a.m. on Feb. 7 could have had their account information switched with other users logging in at the same time. That means a user would be able to log in and view the details of another user’s account, exposing email addresses, posting history and personal messages – but no passwords, according to Mumsnet.

“We believe that a software change, as part of moving our services to the cloud, that was put in place on Tuesday pm was the cause of this issue,” according to the notice. “We reversed that change this morning. Since then there have been no further incidents.”

Users logged into around 4,000 accounts during the affected time frame, though how many were actually compromised is not yet known.

Interested in learning more about data breach trends? Watch the free, on-demand Threatpost webinar, as editor Tom Spring examines the data breach epidemic with the help of noted breach hunter and cybersecurity expertChris Vickery. Vickery shares how companies can identify their own insecure data, remediate against a data breach and offers tips on protecting data against future attacks.