Private Messages from ‘Muslim Match’ Dating Site Leaked
Social Media
A hacker grabbed a horde of credentials and profiles from the specialty dating site and posted the data online, along with more than half a million private messages between users.
In addition, technologist Thomas White, otherwise known as TheCthulhu, has released the full dataset publicly, for anyone to download.
Launched in 2000, Muslim Match is a free site aimed at people looking for companionship or marriage.
The attacker may have used a SQL-injection—an ancient but commonly effective website exploit —to obtain the data, judging by the format the files are in.
“I feel disappointed but the site didn't seem to be secure in the first place. They never used https,” Zaheer, a Muslim Match user, said in an email, referring to the protocol used for encrypting traffic, particularly website login screens.
Using information within the dataset, Motherboard was able to link private messages with specific users. By cross-referencing the different files, it was possible to find out the username of the person who sent the message, as well as their logged network address and poorly-encrypted, “MD5” password.
The data includes whether each user is a convert or not, their employment, living and marital status -- and whether they would consider polygamy.
One file also contains around 790,000 private messages sent between users, which deal with everything from religious discussion and small talk to marriage proposals.
Judging by network addresses, the victims are based all over the world, including the UK, Pakistan, and United States.
The lesson here: A site let its users down by not taking security very seriously (the lack of HTTPS stands out). Users should scrutinize a service they intend to use before registering: Does it use encryption on login screens? Is it a forum based on a vulnerable piece of software like IP.Board?