'Beautiful People' Data Dump Exposes Users of Elite Dating Website
Company says all impacted users have been notified.
-- The private information of members of the exclusive BeautifulPeople.com dating website has apparently been sitting on the dark web for months, after a breach of the company's servers.
Security researcher Chris Vickery initially discovered the vulnerability in December and notified the operators of BeautifulPeople.com. However, it appears it may have been too late. Data for 1.1 million users purporting to be from the website has been leaked online, according to the website HaveIBeenPwned, which allows concerned people to check if their information has been exposed after many high profile hacks.
"The privacy and security of our members is of paramount importance to us and this matter is being investigated," a company representative told ABC News in an email statement.
Here's a look at the breach:
How Does the Site Work?
Gaining membership to BeautifulPeople.com requires users to submit photographs, which are then rated by members for 48 hours. After that time, if they have enough votes, they will be offered membership on the dating website.
"Browse beautiful profiles of men and women without sifting through all the riff raff," the site promises.
Who's Affected
The breach applies to members who joined prior to the middle of July 2015, the BeautifulPeople.com representative added in the email statement. Members were notified after the vulnerability was initially reported by security researchers in December, the email continued, and are currently being notified again.
"No more recent user data or any data relating to users who joined from mid July 2015 onward is affected," the company's statement said.
What's Leaked
The leak does not include credit card information or passwords, which are encrypted, the e-mail statement continued. While that may be good news for many members, Forbes, reports the data leak includes everything from a user's weight, height and other physical attributes to their job, email address and phone number.
How the Breach Happened
"On December 24, 2015 we were notified by two independent researchers of a security weakness in one of our MongoDB staging servers that created the potential for it to be breached," the company's statement said. "These researchers reported that they had, in fact, been able to breach our MongoDB server and retrieve data. We immediately shut down the affected server and asked the two researchers to destroy the data in their possession. At the same time, all of the affected users were informed of the breach by email. As far as we were aware, at that time, only the two security researchers who informed us of the breach had access to this data."