By Joseph Cox for Motherboard on June 29, 2016
Speciality dating site “Muslim Match” has been hacked. Nearly 150,000 user credentials and profiles have been posted online, as well as over half a million private messages between users.
Security researcher Troy Hunt has added the data to his breach notification site “Have I Been Pwned?” for the site’s users to check if they are affected by the hack. Meanwhile, technologist Thomas White, otherwise known as TheCthulhu, has released the full dataset publicly, for anyone to download.
Launched in 2000, Muslim Match is a free-to-use site for people looking for companionship or marriage. “Single, Divorced, Widowed, Married Muslims :: Coming together to share ideas, thoughts and find a suitable marriage partner,” the site’s Facebook profile reads.
Motherboard obtained the full dataset of just under 150,000 user accounts as well as the cache of private messages. Every email address Motherboard randomly picked from the dataset was linked to an account on Muslim Match.
Hunt pointed out that the data includes whether each user is a convert or not, their employment, living and marital status, and whether they would consider polygamy. He also noticed that some of the email addresses are marked as “potential users.” It’s not totally clear why someone might be marked as a “potential” user.
One file also contains around 790,000 private messages sent between users, which deal with everything from religious discussion and small talk to marriage proposals.
“I wanna marry you if u agree I send my photos and details [sic],” one message reads.
“You will enjoy when u speak to me,” another reads. “i am genuine and truthful and am seriously seeking a right muslimah who could be a friend, a companion to hold hands thru a journey of life and beyond.”
Some of the messages appear to be spam, having been sent in quick succession and containing the exact same content. (On its homepage, Muslim Match warns of an increase in fake users.)
The dataset also includes a number of shorter messages that appear to be from an instant messaging function.
Using information within the dataset, Motherboard was able to link private messages with specific users. By cross-referencing the different files, it was possible to find out the username of the person who sent the message, as well as their logged IP address and their poorly hashed password (a plain MD5 digest). Some of the messages also include extra information, such as Skype handles, which users have exchanged.
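Why a plain MD5 digest counts as “poorly hashed” is easiest to see side by side with a proper password store. The following Python is an added illustration, not code from the article or from Muslim Match; the passwords and the PBKDF2 parameters are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed sample passwords for the demonstration; not from the leaked dataset.
SAMPLE_PASSWORDS = ["password123", "password123", "ramadan2016"]


def legacy_md5(password: str) -> str:
    """The storage scheme the article describes: one fast, unsalted MD5 per password.
    Identical passwords yield identical digests, so cracking one digest (or looking it
    up in a precomputed table) exposes every account that shares that password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """Salted, deliberately slow PBKDF2-HMAC-SHA256, stored as a self-describing string
    so the parameters can be raised later without breaking existing records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def reuse_visible(hashes: List[str]) -> int:
    """Number of stored hashes that duplicate another one. For unsalted MD5 this equals
    the number of shared passwords, which leaks directly from a dump; for salted
    hashes it is zero even when users chose the same password."""
    return len(hashes) - len(set(hashes))


if __name__ == "__main__":
    md5_store = [legacy_md5(p) for p in SAMPLE_PASSWORDS]
    kdf_store = [hash_password(p) for p in SAMPLE_PASSWORDS]
    print("duplicate digests visible in MD5 store:", reuse_visible(md5_store))
    print("duplicate digests visible in PBKDF2 store:", reuse_visible(kdf_store))
    print("verify correct password:", verify_password("ramadan2016", kdf_store[2]))
```

The point of the salt is not secrecy (it is stored next to the hash) but that each record must be attacked on its own, and the iteration count is what turns a fast digest into a cost that scales with the attacker’s guesses rather than with the defender’s convenience.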
Judging by the IP addresses, Muslim Match’s users are based all over the world, including the UK, Pakistan, and the US.
The Muslim Match hacker may have used SQL injection, an ancient but still commonly effective web attack, to obtain the data, judging by the format the files are in.
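The defence against SQL injection is to keep user input out of the query text altogether. The following Python, using the standard library’s sqlite3 module with an in-memory table of constructed rows, is an added example and not code from the article or from the site; it places the vulnerable string-built query beside the parameterised form so the difference in behaviour on hostile input is visible.

```python
import sqlite3
from typing import List, Tuple


def build_db() -> sqlite3.Connection:
    """In-memory users table with constructed sample rows (not breach data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Vulnerable pattern: the caller's input is spliced into the SQL text, so a quote
    in the input ends the literal and whatever follows is parsed as SQL."""
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, str]]:
    """Hardened pattern: a bound parameter is always a value, never SQL, so the same
    input only ever matches a username that literally contains those characters."""
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("safe, normal input:", lookup_safe(db, "alice"))
    print("safe, quote in input:", lookup_safe(db, "o'connor"))
```

Escaping quotes by hand is not an adequate substitute for binding: the parameterised query needs no knowledge of the database’s quoting rules, and it also makes the application’s query text constant, which is what lets a WAF or query-logging rule flag anything that deviates from it.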
Motherboard managed to speak to one Muslim Match user, and Hunt reached two additional users who were happy to talk.
“I feel disappointed but the site didn’t seem to be secure in the first place. They never used https,” Zaheer, a current user, told Motherboard in an email, referring to the protocol used for encrypting traffic and especially website login screens.
When asked if he had any privacy concerns, another user called Rook said he found the news “Very scary. There is so much intimate information placed on [this] website to begin with, when you are genuine about finding a perfect match.”
The administrator of Muslim Match did not respond to multiple emails and messages sent through the site, and all of the company’s listed phone numbers are disconnected. The site’s social media profiles have not been updated since June 2014.
But after being contacted by this reporter, Muslim Match went temporarily “down for maintenance” on Wednesday. Shortly after, the site was back but stated it was taking a short break for Ramadan.
The lesson: Here, a site lets its users down by not taking security very seriously (the lack of HTTPS stands out). Users should scope out a service they intend to use beforehand: Does it use encryption on login screens? Is it a forum based on a vulnerable piece of software like IP.Board? These checks could come in especially handy with services that deal with as much sensitive information as dating sites.
Another day, another hack.