A dating and social networking platform focused on military members has left its database exposed, putting more than 1.1 million records at risk, including biometric data.
The unprotected database, belonging to Forces Penpals, was neither password-protected nor encrypted and contained sensitive personally identifiable information (PII) of members of the U.S. and UK armed forces.
Forces Penpals describes itself as a site that allows users to support, chat, or date Army, Navy and Air Force personnel and veterans. Owned by Conduitor Limited, it was developed in 2002 as a way to boost the morale of armed forces sent to Iraq and Afghanistan, allowing civilians to write to members of the military. The site claims to have over 290,000 military and civilian users.
The unprotected data was found by cybersecurity researcher Jeremiah Fowler.
“Hypothetically, these documents could contain enough personal information to be a potential identity theft risk, allowing malicious actors to impersonate individuals for fraudulent activities or possible financial crimes,” Fowler writes for VPNMentor.
The exposed data could also have national security implications. Earlier this month, Microsoft and U.S. authorities announced they had uncovered attempts by a hacking group tied to Russian intelligence to phish the email accounts of former military and intelligence officials, Western think tank members and journalists.
Aside from user images, the database contained photos of potentially sensitive proof of service documents, which listed rank, branch of the service, dates, locations, and other information that should not be publicly accessible, according to Fowler. The database also had full names, mailing addresses, U.S. Social Security numbers, UK National Insurance Numbers and Service Numbers.
For now, it is unclear whether anyone else has gained access to the database. It is also uncertain whether the exposed data came from Forces Penpals' dating app or its website and forum. The company says that the incident was due to a coding error and that, while the photos were public, the documents should not have been.
Serious data breaches have continued throughout 2024, including the massive National Public Data hack, which exposed nearly 3 billion records containing personally identifiable information of U.S., Canadian and British citizens. At least four class action lawsuits have been filed against the Florida-based data broker.