- Cybernews discovered an unsecured MongoDB instance linked to Headero
- The database held millions of records containing personally identifiable information (PII)
- It has been secured now, but users should remain vigilant
Researchers from Cybernews reported finding a large MongoDB instance associated with a dating and hookup application called Headero.
This database included over 350,000 user records, more than three million chat messages, and over a million records for chat rooms.
The exposed information consists of names, email addresses, social media login IDs, JWT tokens, profile pictures, device tokens, sexual preferences, STD statuses, and alarmingly, precise GPS coordinates.
No signs of misuse
Cybernews contacted the developers of the app, a US firm called ThotExperiment, which promptly secured the database. The developers claimed it was a test database, but Cybernews’ investigation suggests it may contain actual user data.
Unfortunately, it’s unclear how long the database was accessible, or if any malicious actors have exploited it. So far, no signs of misuse have been detected.
Human error leading to open databases is a common issue that causes data leaks and security breaches.
Researchers continuously scan the web using specialized search engines, finding massive unsecured databases almost daily.
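The misconfiguration behind most of these finds is a database that listens on every interface with authorization left at its default (off). The following added example, which is not from Cybernews or the Headero developers, audits a mongod.conf for exactly those two settings. It assumes the two-level `section:` / `  key: value` layout of a typical mongod.conf and uses a small purpose-built parser rather than a YAML library so it runs offline; both configuration samples are constructed for the demonstration.

```python
"""Audit a mongod.conf for the two settings that turn a database into an open leak:
net.bindIp (or bindIpAll) exposing the port to every interface, and
security.authorization not being enabled."""

from typing import Dict, List

# Constructed sample: the pattern behind most open-database leaks.
EXPOSED_CONF = """# listens on all interfaces, no authentication required
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

# Constructed sample: same service, reachable only locally and only with credentials.
HARDENED_CONF = """# local-only listener with role-based access control
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""


def parse_simple_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the 'section:' / '  key: value' subset of YAML used by mongod.conf.

    Comments and blank lines are ignored. This is an assumption about the file
    layout, not a general YAML parser.
    """
    conf: Dict[str, Dict[str, str]] = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line.startswith(" "):
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None:
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip()
    return conf


def audit_mongod_conf(text: str) -> List[str]:
    """Return a list of findings; an empty list means both checks passed."""
    conf = parse_simple_conf(text)
    findings: List[str] = []

    net = conf.get("net", {})
    # mongod 3.6+ binds to localhost by default, so a missing bindIp is safe.
    bind_ip = net.get("bindIp", "127.0.0.1")
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    addrs = [a.strip() for a in bind_ip.split(",")]
    if bind_all or any(a in ("0.0.0.0", "::") for a in addrs):
        findings.append(
            "net.bindIp: listens on all interfaces; bind to 127.0.0.1 or a private address"
        )

    # security.authorization defaults to disabled: any client that reaches the
    # port can read and modify every collection.
    auth = conf.get("security", {}).get("authorization", "disabled")
    if auth.lower() != "enabled":
        findings.append(
            "security.authorization: not enabled; enable it and create per-application users"
        )
    return findings


if __name__ == "__main__":
    for name, text in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(f"{name}: {audit_mongod_conf(text) or ['no findings']}")
```

Run it against a real mongod.conf by reading the file into `audit_mongod_conf`; a non-empty result on an internet-facing host means the database is reachable by the same scanners the researchers use. Network-level controls (firewall rules, a private subnet) belong in front of these settings, not instead of them.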
These data leaks can endanger individuals, as cybercriminals might exploit the information to craft convincing phishing schemes that can lead to malware installation, sensitive file theft, or even wire fraud.
Headero users are encouraged to be cautious of unsolicited messages, whether by email or via social networks.
They should avoid downloading attachments or clicking on links in such messages, especially if they appear urgent. Users should also change passwords that are reused across different platforms and make sure to clear sessions or revoke tokens in applications where applicable.