If military servicemembers didn't already have enough to worry about today, a cybersecurity researcher discovered a publicly exposed database on a popular dating app that lacked expected password protections and wasn't encrypted. As a result, the personal data of nearly 1.2 million U.S. and UK military personnel who used Forces Penpals, a dating service and social networking platform, could have been accessed by hackers, Jeremiah Fowler of vpnMentor warned this week.
It is unclear how long the database was exposed or even if any unauthorized parties had access to the information. After discovering the issue, Fowler notified Forces Penpals, which has since restricted public access.
Founded in 2002 as a letter-writing service for the British military, the platform is now used by service members in the UK and U.S. -- but its database is filled with personal information about military personnel. According to Fowler, the data he encountered in his research included user images and sensitive proof-of-service documents with names, addresses, SSNs, and UK National Insurance Numbers.
"Unfortunately, some of those documents contain highly sensitive personal information," Fowler said in an email. "When we think of something like a social media network or dating service, we rarely think this type of information would be used. It raises the larger question. If the United States or the UK ever enact a verification system for members, could we be looking at the same type of risks if that data is ever exposed or accessed by unauthorized individuals?"
As mentioned in Fowler's report, most of the documents were images of users; however, a portion of those images were also of highly sensitive military records.
"From a technical standpoint, there's no way to filter through and search text on images to determine the exact number," Fowler added.
Forces Penpals did not respond to a request for comment.
Forces Penpals isn't the first social media platform or dating app to have its sensitive information compromised, but this one may be especially concerning as it involves military personnel. Service members may want to alert their commanding officers if they have concerns, and it may be necessary to bring this incident up during a security clearance review.
"It's never good when information is leaked in a breach, however, this information can be especially problematic when it involves service members or other sensitive government employees. In this case, it is not just the potential loss of the individual's information that is concerning, but also the possibility that this information could be used to track troop movements or other potentially sensitive military operations," warned Erich Kron, security awareness advocate at KnowBe4.
"The data was reportedly not encrypted or password-protected," added Paul Bischoff, consumer privacy advocate at Comparitech. "There is no excuse for that, and Forces Penpals should be held responsible for any resulting fraud. I hope it will at minimum offer victims free credit monitoring and identity theft protection, which is the status quo when you leak someone's Social Security number."
One concern is that photos of individuals could be used with AI tools to search for possible matches to other photos on the Internet, to create deepfakes of these individuals, or for any number of other nefarious purposes, Kron suggested.
Service members should be encouraged to watch for potential scams and other online threats.
"Our honeypot experiments show hackers can find and attack unprotected databases within a few minutes of being exposed to the internet, and such attacks are frequent," suggested Bischoff. "I fear the data will be used to perpetrate romance scams. By creating fake profiles using data stolen from real military personnel, scammers can make their ploys much more convincing. Romance scammers often pretend to be members of the military."
This incident serves as yet another reminder that the greatest threat remains the third parties that know more about us than we'd probably like.
"The issue isn't that there is too much private information being stored out there -- although there is too much personal data out there -- but that the information is not being secured properly. To have sensitive information like this not properly secured, leaving it unencrypted, should be considered a crime," said Chris Hauk, consumer privacy champion at Pixel Privacy.
"While there may not have been a breach of the system, as a white hat researcher discovered the misconfigured databases, there is still reason for users to be careful and concerned," Hauk continued. "Users of the service should stay alert for romance scams, such as catfishing, as the exposed data is basically a shopping list of what scammers look for."
This is also an example of the type of carelessness that shouldn't be acceptable today.
"While it is unfortunate, in the modern cybercrime landscape we have to be aware of these types of attacks and how sensitive and personal information can be used against potential cybercrime victims," added Kron, who suggested the organizations that handle personal data need to be held accountable for its storage and protection.
"If information is needed to confirm an individual's eligibility to use the product or platform, once it is confirmed the information should be removed. Unfortunately, many organizations hold on to this data thinking that it will prove valuable in the future when it simply exposes them to additional risk in the event of a breach or potential data leakage such as this," said Kron. "For individuals signing up to use services like this, it's important to limit the information you provide, only sharing what is needed and skipping information that is optional."
The only good news for those who have been active on Forces Penpals is that their data is likely much safer now.
"The company acted fast to secure the database, and as bad as an incident can be, it is also a learning experience," said Fowler. "Organizations that have a data incident are far less likely to have another one in the next few years because of the increased focus on cyber security and data protection."