Data ends up on the Dark Web thanks to an insecure MongoDB test server that was left open with no admin password

Apr 25, 2016 17:52 GMT

The details of over 1.1 million people who registered on the BeautifulPeople.com dating website are being traded on the Dark Web.

Today, Troy Hunt, operator of the HaveIBeenPwned.com website, announced on Twitter that he had just added the details of those users to his site. People who registered on BeautifulPeople.com can go to Hunt's service and search for their email address to see if their details are included in the leak.

Insecure MongoDB setups strike again!

Thomas Fox-Brewster, Forbes staff writer, claims that he had known about the data breach since December 2015, when MacKeeper security researcher Chris Vickery told him about an unprotected database.

The two contacted BeautifulPeople, who told them the database they had discovered was only a test server and that no actual user information was exposed.

The company took down the server, another instance of a no-password, Internet-accessible MongoDB database, and the story never reached the light of day.
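The exposure described above, a MongoDB instance with no password that is reachable from the Internet, comes down to two settings in `mongod.conf`. The check below is an added example, not part of the original article or of BeautifulPeople's setup; both sample configs are constructed, and an absent `bindIp` is assumed to mean loopback only (the MongoDB 3.6+ default).

```python
# Audit a mongod.conf for the two settings behind an open, password-less server.
LOOPBACK = {"127.0.0.1", "localhost", "::1"}

EXPOSED_CONF = """\
# constructed sample: test server reachable from anywhere, no access control
net:
  port: 27017
  bindIp: 0.0.0.0
"""

HARDENED_CONF = """\
# constructed sample: loopback only, access control on
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""

def parse_conf(text):
    """Flatten the two-level YAML subset used by mongod.conf into dotted keys."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        if not line.startswith(" "):              # top-level section, e.g. "net:"
            section = key
        else:                                     # indented "key: value" pair
            settings[f"{section}.{key}"] = value.strip().strip("\"'")
    return settings

def audit(text):
    """Return a list of findings; an empty list means neither issue was found."""
    s = parse_conf(text)
    findings = []
    # Assumption: an absent bindIp means loopback only (the MongoDB 3.6+ default).
    binds = {b.strip() for b in s.get("net.bindIp", "127.0.0.1").split(",")}
    if s.get("net.bindIpAll", "false").lower() == "true" or binds - LOOPBACK:
        findings.append("listens on a non-loopback interface")
    if s.get("security.authorization", "disabled").lower() != "enabled":
        findings.append("access control (security.authorization) is not enabled")
    return findings

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or "no findings")
```

A non-loopback bind is not a problem by itself when a firewall restricts who can reach the port; the combination with disabled access control is what leaves the data readable by anyone.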

BeautifulPeople's explanation doesn't hold water

But as Hunt has explained today, it appears that someone also discovered the database, downloaded its content, and put it up for sale on underground data trading forums. A mysterious benefactor donated the data to Hunt, who, together with the Forbes reporter, verified its validity.

The two say the database includes names, email addresses, encrypted passwords, geo-location information, and over 100 other individual data attributes such as sexual preferences, drinking habits, hobbies, favorite movies, and other types of information you'd expect to find on such sites.

Vickery adds that the version of the BeautifulPeople database he saw also included over 15 million private messages.

BeautifulPeople is infamous online because, for many years, it advertised itself as a dating and meeting website for "beautiful people" only. All users had to go through a manual approval process in which other site users would vote on whether they were attractive enough to join the site.

In 2009, BeautifulPeople operators were bragging about rejecting 1.8 million people from their site. As members aged, lost hair, or gained weight, the website's staff also regularly removed those deemed not beautiful enough.