Valentine’s Day is fast approaching and for many people that means one thing: going to the app store of their choice and downloading a dating app. Even with restrictions from the COVID-19 pandemic, dating apps such as Tinder, Hinge, Grindr, and Bumble have thrived as people are often forced to stay indoors and isolated, eschewing traditional ways of meeting.

It’s great that people have continued to connect and find love despite the various lockdowns, but the success of dating apps raises a few eyebrows for the cybersecurity nerds out there. Research has shown that people feel free to share more sensitive information on their dating apps than on other social media profiles. Dating app profiles can push individuals to overshare bits of their lives that they would otherwise keep offline. Additionally, information is shared by default when accepting the terms and conditions of your dating app of choice. Depending on the apps being used, shared data may often include sexual orientation, gender, location data, religion, and political affiliations.

Now think of the consequences of having such data out in the open for the wrong hands to grab. Given the wealth of data shared with these platforms, the risks connected to this practice for users are many. But don’t give up on Cupid! This blog will make you aware of the three main threats linked to dating app security and ways to date (online) in a secure manner.

Exploiting Exposed Profile Information

Data breaches involving dating platforms are highly sought after in the cybercrime space for the customer PII they hold. The last few years have already demonstrated the profound impact of data breaches on affected organizations and individuals. It’s impossible to forget the 2015 data leak at extramarital dating service Ashley Madison, where cybercriminals managed to steal and release on the dark web the private details of more than 32 million users, including names, physical addresses, sexual preferences, and credit card data.

The Ashley Madison leak is probably the most prominent one in the dating technology field. Still, reality has offered many more examples of how these apps may not be the safest technology. In a more recent example, researchers showed that dating app Bumble left personal data of more than 100 million users up for grabs due to a software vulnerability in their API. 

Although no user data was compromised (according to a statement from Bumble), the vulnerable data included highly sensitive information about its users, such as personal photos, location data, political affiliation, astrological signs, and even height and weight. This information could be easily weaponized by ill-intentioned actors to commit fraud, create profiles, or potentially demand ransom payments from users.

That’s why a quick trip into cybercriminal forums and marketplaces highlighted the presence of several listings about dating services. General chat on these platforms’ English language sections mainly consisted of requests or listings of databases following breaches of dating services or emailing lists. For example, Digital Shadows (now ReliaQuest) identified several instances of cybercriminals selling databases full of personal information that you can see below:

Cybercriminal forum user advertising database of unnamed dating entity with 43,000 records for 500 USD
Cybercriminal forum user sharing a 2016 dating website database with 400,000 records for free

As with all online accounts, you should be concerned with account security. We recommend using a strong password and multi-factor authentication (MFA) for your login. Account takeover has never been easier or cheaper and leads cybercriminals to collect many stolen accounts for nefarious purposes. For more reading on the market for stolen accounts, see our research, From Exposure to Takeover: The 15 billion stolen credentials allowing account takeover.

Weaponizing Vulnerable Data in Social Engineering Campaigns

Second, getting access to personal, sensitive user information can support cybercriminals in orchestrating highly targeted social engineering campaigns. For example, if a malicious actor was interested in sending you a phishing message or email to convince you to download and execute a suspicious file, building trust and rapport on a dating app chat (and later through SMS-based text messages) could seriously increase their chances of a successful attempt.

Cybercriminal forum user seeking credentials from botnet logs for paid accounts on top US dating sites

To offer a practical example, let’s imagine for a second that I have created my dating profile and claim that I’m an animal enthusiast and I volunteer in a local dog rescue center. While these are totally legitimate interests and may help me get a compatible partner on these apps, it’s good to keep in mind that cybercriminals may exploit this information against me.

How would they do that? Maybe by sending me a targeted message claiming that they found an abandoned puppy and to click on the link to go rescue it. The temptation could be irresistible and if the email is crafted well enough, I might fall for it and click on that malicious link. Cybercriminals are well aware of cognitive biases in the human mind and are not ashamed of leveraging them to see their campaigns successful.

Creating Bots to Commit Scams, Frauds, and More

Estimates say that bots contribute to half of web traffic—and dating apps are no exception. Bots ravage these platforms with fake profiles that allow scammers to reach thousands of people in a relatively short amount of time.

A not-so-successful scamming attempt through a dating app (source: Reddit)

Scammers using these bots will likely ask at some point to move the chat outside the dating app, conveniently providing an external link. Avoiding clicking on these links and reporting the suspicious user is always the right thing to do and can save you lots of pain and time in the long run.

Additionally, as most dating services require you to pay a fee to subscribe to premium services, the platform will also have access to your credit card details. If exposed, these credit card details can be sold on an online carding shop and used for fraudulent purposes, money laundering and identity theft. As such, avoid sharing those details with any platform as much as you can, as the repercussions can be long and enduring. Use a virtual credit card for online payments and pat yourself on the back for practicing good security.

How to Stay Secure While Dating Online

I am well aware that cybersecurity best practices aren’t the first thought that pops in people’s minds when deciding how to behave on dating sites. However, the two things can go hand in hand, and applying some necessary measures can really go a long way in preventing bad things from happening.

The usual cyber hygiene best practices will always apply, but here are a few additional tips:

Personal Data:

  • Keep track of what personal information you share online. Remember that your digital life is mostly permanent and the information you make public can be potentially used against you.
  • Avoid sharing your full name or place of work in your profile. With just this info and a first name, Kaspersky researchers were able to match a dating app profile to a LinkedIn or Facebook account 60% of the time.
  • Be aware of the permissions requested by dating apps, and the data they’re collecting on you (US and EU citizens can additionally request a copy of the data collected on them).
  • Avoid linking your social media accounts to the dating app. If you have a very public account that you want to link, remember to check whether you’ve inadvertently exposed anything you don’t want to make public. Remember, if you have a Facebook account linked and Facebook experiences a dating app breach, your dating app data may also be exposed.
  • Set up a Voice over IP (VoIP) number just for dating: keep your personal cell separate and get a free number that links to your phone.
  • Use a virtual credit card if you choose to pay for premium services. Virtual credit cards are disposable versions of your credit card and cannot be leveraged by cybercriminals for committing fraud.

Phishing, Scams, and Fraud:

  • Use a reverse image search service (Google, Yandex, and more) to spot if the person you’re talking to might have been already flagged as a scammer.
  • Be wary of links and attachments sent to you, whether over app chat or text messages. You can use a tool such as CheckShortURL to expand and investigate the link before opening it.
  • If someone asks you to send them money immediately online, there’s a good chance it is a scam, and you should say no.
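
One way to expand a shortened link yourself before opening it, as the tip above suggests. This is an added Python example, not part of the original post: it follows redirects one hop at a time with HEAD requests so no page content is downloaded, then flags a doubtful final destination. The function names, warning labels and the constructed `SAMPLE` redirect table (reserved example domains and a documentation IP address) are assumptions made for illustration.

```python
import http.client
from urllib.parse import urljoin, urlsplit
MAX_HOPS = 10
REDIRECTS = (301, 302, 303, 307, 308)

def head_no_follow(url):
    """One HEAD request; returns (status, Location) and never fetches a body."""
    p = urlsplit(url)
    cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = cls(p.hostname, p.port, timeout=5)
    try:
        conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()

def expand(url, fetch=head_no_follow):
    """Follow redirects hop by hop and return every URL visited, in order."""
    chain = [url]
    while len(chain) <= MAX_HOPS:
        if urlsplit(chain[-1]).scheme not in ("http", "https"):
            break  # redirect to a non-web scheme: stop and show it
        status, location = fetch(chain[-1])
        if status not in REDIRECTS or not location:
            break  # final destination reached
        nxt = urljoin(chain[-1], location)  # Location may be relative
        chain.append(nxt)
        if chain.count(nxt) > 1:
            break  # redirect loop: keep the repeated hop visible
    return chain

def warnings_for(chain):
    """Cheap checks on where the link really ends up."""
    final = urlsplit(chain[-1])
    host = final.hostname or ""
    checks = [
        ("not-https", final.scheme != "https"),
        ("punycode-host", any(part.startswith("xn--") for part in host.split("."))),
        ("ip-address-host", host.replace(".", "").isdigit()),  # IPv4 literal only
        ("several-domains", len({urlsplit(u).hostname for u in chain}) > 2),
    ]
    return [name for name, hit in checks if hit]

# Constructed redirect table standing in for the network (no real sites).
SAMPLE = {"http://short.example/abc": (301, "https://tracker.example/r?id=7"),
          "https://tracker.example/r?id=7": (302, "http://203.0.113.5/login")}
def sample_fetch(url):  # offline stand-in for head_no_follow
    return SAMPLE.get(url, (200, None))
```

Calling `expand(url)` without the `fetch` argument performs real HEAD requests; `expand("http://short.example/abc", fetch=sample_fetch)` walks the constructed table instead.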

Checking these boxes can go a long way in preventing bad experiences online. Being aware of the potential threats out there will only make the time spent on dating apps more safe and secure for everyone.