1.1 Million Dating Profiles at BeautifulPeople.com Leaked and for Sale in Dark Web

Students attend cyberdefense class in the school in Poltsamaa, Estonia. Ints Kalnins/REUTERS

Sensitive data, including addresses, messages and sexual preferences, about more than 1.1 million profiles from BeautifulPeople.com is being shopped in illicit online markets, according to a Forbes report.

BeautifulPeople, which claims it is an “exclusively beautiful community” catering to elites, had a data breach five months ago, which the New York City-based company said was quickly patched. But according to cybersecurity expert Troy Hunt, who spoke with Forbes, millions of profiles were taken during the window of opportunity and have since been circulating in illegal online markets.

BeautifulPeople tells Newsweek in a statement that the breach only involves data that was entered on the website prior to mid-July 2015 and that affected users had already been notified. The data breach came to the company's attention in December, when security professionals found a BeautifulPeople database that was left vulnerable on its servers. One of those professionals, Chris Vickery at MacKeeper, reported on the breach and contacted the website to patch the security hole.

“The privacy and security of our members is of paramount importance to us, and this matter is being investigated,” BeautifulPeople says in a statement. “All impacted members are, of course, being notified once again. The data does not contain any credit card information and user passwords are encrypted.”

“As far as we were aware, at that time, only the two security researchers who informed us of the breach had access to this data,” the statement reads. “The data said to be accessible on the 'dark web' is the same data as the two security researchers accessed and downloaded in the December 2015 breach.”

Vickery vehemently denied any role in leaking the data. “I operate above reproach and would never do such a thing,” Vickery tells Newsweek.

The compromised data reportedly includes addresses, email addresses, height, employment, education, income and locations visited. Approximately 15 million messages exchanged between users were also made public by the hack. It is unclear whether the data was sold for bitcoin or some other cryptocurrency on the dark web, according to Hunt.

Hunt says he also discovered 170 profiles from United States government employees who signed up with their .gov email addresses.

Dating websites have been a popular target for hackers over the past year. BeautifulPeople’s breach pales next to the 37 million profiles leaked in the Ashley Madison hack, which recently saw 42 of its victims sue the company for damages. In February, a hacker said he sold over 27 million passwords from the dating site Mate1.com.

BeautifulPeople, which was launched in the United States in 2005, has received notoriety for purging profiles which it deemed unfit for its “exclusive community.” In two different purges, the website has culled thousands of profiles because its users gained weight during the Christmas season or were getting too old.

The breach began with an earlier problem on servers running MongoDB, a database system, in November 2015, according to BeautifulPeople. The site says its data was left open on a test server running MongoDB.

Vickery recently discovered that the records of 93 million Mexican voters were leaked due to a configuration error on another MongoDB database. No password or authentication was required to see the database in full for those who knew where to look.