Vanity dating site BeautifulPeople popped

Sysadmins: check your MongoDB defaults or you WILL suffer

A December breach dismissed as minor at the time has turned ugly for dating-for-narcissists site BeautifulPeople.

Security researcher and architect of HaveIBeenPwned, Troy Hunt, has told Forbes 'net scum are now offering data from a million BP users for sale.

The site, which once, inexplicably and unforgivably, judged that El Reg hacks don't count as beautiful, collected the usual hoard of information about its users – user ID, email address, location data, physical characteristics, jobs, sexual preferences and more, all of which is in the compromised profiles.

Researcher Chris Vickery told Forbes the information was copied from an unsecured test server running MongoDB.

MongoDB has proven problematic for sysadmins wanting security:

  • Last year, Shodan's John Matherly said a long-standing MongoDB insecure default config was spewing data left, right and centre;
  • Over the weekend, an unprotected MongoDB machine exposed 93 million Mexican voters' information;
  • Vickery's employer MacKeeper was popped the same way in December.

BeautifulPeople told Forbes passwords and financial data were not at risk and claimed to have notified all affected users.

So there's only enough information leaked to mount a halfway-decent identity theft campaign, instead. ®



Biting the hand that feeds IT © 1998–2017