A dating app targeted at people living with HIV, known as HZone, has been leaking the data of its almost 5,000 users via an unsecured database, security researchers claim.
The researchers from DataBreaches.net discovered the unsecured MongoDB database. The personal information it exposed included date of birth, religion, relationship status, country, email address, ethnicity, height, last login IP address, username, orientation, number of children, and password hash. Users can also enter their nicknames, share their political views and sexual life experiences, and post their photo in their profile.
Premium members, who paid for services beyond those of the free app, also had their name, postal address, phone numbers, and credit card information stored within this database.
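For readers who run their own services, the exposure described above is the familiar pattern of a MongoDB server reachable from the internet with no credentials required. The fragment below is an added example, not from this article and not HZone's configuration: it shows a weak mongod.conf beside a hardened one, and every value in it (interface address, port) is an illustrative assumption.

```yaml
# Added example, not HZone's configuration. Two alternative mongod.conf
# fragments, separated by a YAML document marker; use one or the other.

# Weak: listens on every interface and requires no credentials, so anyone
# who finds the port (including internet-wide scanners) can read every
# collection, including password hashes and payment details.
net:
  bindIp: 0.0.0.0        # assumption: all interfaces, including the public one
  port: 27017            # assumption: the default port
security:
  authorization: disabled
---
# Hardened: listen only on loopback (or the application server's private
# address), and require a username and password for every operation.
# Keep a host firewall in front of the port as well, so a single config
# mistake does not expose the data on its own.
net:
  bindIp: 127.0.0.1      # assumption: app and database on the same host
  port: 27017
security:
  authorization: enabled
```

With authorization enabled, create an administrative account from a local shell first (for example `db.createUser({user: "admin", pwd: "...", roles: ["root"]})` in the `mongo` shell; the localhost exception allows this while no users exist yet), then confirm from a host outside the network that `mongo --host <server> --eval 'db.adminCommand({listDatabases: 1})'` is refused rather than listing databases.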
Below is a screenshot of what Databreaches.net were able to extract from HZone’s database; personal data has been redacted.
The database also contains all the posts that HZone users made on the forums such as:
“Hi. I was diagnosed 3 years ago now. CD4 and Viral Load is relatively good. I’m therefore not on Meds yet. My 6-monthly blood tests are due in June. Planning to go in meds. I’m worried about the side effects. What kinds of side effect have you experienced? Xx”
Databreaches.net alerted HZone to the data leak immediately and several times, but didn’t get a response for five days, at which point the response they got was “somewhat bizarre, to say the least, and replete with all kinds of accusations.”
It also seems that users are unable to delete their profiles from the HZone app if they no longer plan on using the service. This has led to a number of negative reviews on the various app stores and marketplaces.
When Databreaches.net asked how long the database had been unsecured, and how many people’s data had been accessed, HZone stated that “We just re-setup a new system with the server and database and the leaking may caused by that,” which is demonstrably false considering that a search engine had been anonymously accessing their database as early as 29th November.
Asked whether they’d be notifying their users of the data leak HZone said:
“No, we didn’t notify them. If you will not publish them out, nobody else would do that, right? And I believe you will not publish them out, right?”
Further to this, HZone threatened the DataBreaches.net researchers and admins, should they disclose the information they had discovered:
“Why do you want to do this? What’s your purpose? We are just a business for HIV people. If you want money from us, I believe you will be disappointed. And, I believe your illegal and stupid behavior will be notified by our HIV users and you and your concerns will be revenged by all of us. I suppose you and your family members don’t want to get HIV from us? If you do, go ahead.”
HZone’s spokesperson apologized for the threat, but it still took them some time to secure their database. The company accused DataBreaches.net of altering data, which led to speculation that the company didn’t fully understand how to secure user information.
HZone still does not appear to have notified users of the data leak. beyondpositive would encourage people reading this article to share it with friends and other HIV forums, to alert possible users of the HZone app to the breach. Whilst you seemingly cannot delete your profile, you can replace all the fields (name, password etc.) with nonsense as a partial attempt to protect yourself. It is only partial: anything already copied from the exposed database cannot be recalled, and because password hashes were among the leaked data, anyone who used their HZone password on another site should change it there too.
You can support beyondpositive’s work, helping to give those with HIV a voice, by donating via PayPal.