On May 25th I discovered a non-password-protected Elastic database that was clearly associated with dating apps based on the names of the folders. The IP address is located on a US server, and the majority of the users appear to be Americans based on their IP addresses and geolocation data. I also noticed Chinese text inside the database with commands such as:
- (according to Google Translate): "The model update completion event has been triggered, syncing to the user."
The strange thing about this discovery was that multiple dating applications were all storing data inside this one database. Upon further investigation I was able to identify dating apps available online with the same names as those in the database. What really struck me as odd was that, despite all of them using the same database, they claim to be developed by separate companies or individuals that do not seem to match up with each other. The WHOIS registration for one of the sites uses what appears to be a fake address and phone number. Several of the other sites are registered privately, and the only way to contact them is through the app (once it is installed on your device).
Finding several of the users' real identities was easy and took only a few seconds to validate. The dating applications logged and stored each user's IP address, age, location, and username. Like most people's, your online persona or username is usually well crafted over time and serves as a unique cyber fingerprint. Just like a good password, many people reuse it again and again across multiple platforms and services. This makes it extremely easy for someone to find and identify you with very little information. Nearly every unique username I checked appeared on multiple dating sites, forums, and other public places. The IP address and geolocation stored in the database confirmed the location the user had put in their other profiles using the same username or login ID.