User accounts for dating site Badoo are being traded in the digital underground, including email address, cracked passwords, names, and dates of birth.
Paid subscription-based breach monitoring site 'Leaked Source' uploaded the dataset on Thursday. Other sources known to Motherboard have also obtained the data.
"With over 313m users, Badoo is great for chatting, making friends, sharing interests, and even dating!" reads Badoo's website.
Leaked Source provided three chunks of data to Motherboard, each containing 10,000 records. Out of 100 accounts tested across the three samples, 54 were linked to an active account on Badoo, while 23 indicated that an account had been created, but that the user had not completed registration by clicking the confirmation link emailed to them.
Messages sent to many of the email addresses linked to accounts on Badoo did not successfully deliver. Motherboard is yet to hear back from any of the apparent victims, and we will update this article if we receive a response.
In all, the data dump apparently contains 127,343,437 records. Motherboard was unable to confirm whether the dump was indeed this large, but another source who also obtained the data reported a similar figure.
Passwords in the samples provided to Motherboard were hashed with MD5, a hashing algorithm that has long been trivial for hackers to crack. According to Leaked Source, nearly 50,000 of the passwords in the datadump were "badoo". No one Motherboard spoke to who was in possession of the dump knew exactly when the data was hacked.
For its part, Badoo denied being the source of the stolen accounts.
"Badoo takes privacy and security extremely seriously. Badoo has not been hacked and our user records/accounts are secure. We monitor our security constantly, and take extreme measures to protect our user base. We were made aware of an alleged data breach, which upon a thorough investigation into our system, we can confirm did not take place," Badoo spokesperson Joelle Hadfield told Motherboard in an email.
That statement is near identical to another issued recently. In May, hackers claimed to have obtained over 50 million records from another dating site called Zoosk. As Motherboard and tech news site ZDNet found, that data was, however, likely not sourced from Zoosk. ZDNet approached Badoo when many of the supposed 'Zoosk' email addresses had the domain "@mobile.badoo.com."
Curiously, 28,685,533 unique email addresses in the 'Zoosk' data also appeared in the Badoo data dump, according to Leaked Source. The exact connection between the two datasets is not clear at this stage, nor if they overlap in any other ways.
Regardless, details on Badoo users are being actively traded, and perhaps more than was previously known.
The lesson: As we've seen over the past week, sometimes data breaches take years to come to light. Users can't rely on waiting for a hack to go public, or for a company to acknowledge it. With that in mind, users should be thinking proactively, and taking steps to protect all their online accounts, even if one site they use does happen to be breached. One way of doing that is with a password manager, which generates strong, unique passwords and stores them either locally or online. That way, when one site is attacked, any details leaked won't necessarily allow hackers to access any other accounts.
Read previous installments of Another Day, Another Hack here.