A security researcher claims to have discovered an open database with over 1.5 million records of users of New Zealand dating and infidelity websites, echoing the Ashley Madison scandal last year.
Utility and security software vendor Kromtech said the company's security team had discovered an open database connected to the internet, containing sensitive personal information from dating sites.
Security researcher Bob Diachenko confirmed to the Herald the database was from a New Zealand company, C & Z Investment Group, that operates the dating and casual encounters websites haveanaffair.co.nz, haveanaffair.mobi, haveafling.mobi, haveafling.co.nz, and hookupdating.mobi.
C & Z confirmed the leak to MacKeeper - and separately to the Herald - but insisted that the information in the database was only test data, something Diachenko disputes.
"We do have a full copy of the database, and yes, we believe that the records in there are real ones. An account-by-account analysis of a random selection of more than 300 records suggested that this was live user data," Diachenko said.
According to MacKeeper, the exposed MongoDB database instance contains more than 1.5 million user records. It was found through an automated internet scan, and Diachenko believes it was publicly exposed for one day.
A sample of 5,000 records sent to the Herald included usernames, email addresses and passwords that were in plain text, without encryption.
Sensitive personal information such as date of birth, people's height, weight, body type, sexual orientation, countries and internet protocol addresses. Some records contained references to user photos, stored as separate files outside the leaked database.
Diachenko said his security team had contacted people in the database to verify the records.
"We actually reached out to several users from the list and received shocked responses from them, so yeah - a close to zero reasons to believe that those data is dummy," Diachenko said.
MacKeeper still has a copy of the database and has notified the Auckland company of the data breach, the company said.
The dating sites are run by Auckland-based C & Z Investment Group Limited, whose directors are listed as Yong Chen and Xiaotong Zhou.
An engineer with C & Z, Anton Budner, acknowledged the data leak, but said "it was not a data breach as such, as there were no malicious attacks against our servers."
Budner said that the MongoDB instance that was leaked isn't the production system database, but "mostly consist of randomly generated dummy data for performance testing."
"We do not even have 1.5 million users yet, in fact we've just passed the one million users milestone, which consist mainly of American users signed up via our Hook Up Dating iPhone app," Budner said.
MacKeeper somehow discovered the leaked test database after it was put on one of C & Z's private servers for a few hours.
"We secured the server immediately after that, and have tightened security across all our systems," he added.
Most users of the dating sites have had their passwords changed. Those who haven't yet done so, will be forced to changed passwords when they next log in, Budner said.
He added that users of the dating sites have been informed of the incident.
"There was only a small portion of real user data in that instance, and with regards to our New Zealand users, it was even a smaller number of users that were affected, they've been informed and their passwords have all been changed," Budner said.
A spokesperson for the Office of the Privacy Commissioner said the agency had not been notified of the possible breach.
Data breach notifications are currently voluntary, the OPC said, something that is likely to change next year and become mandatory, the spokesperson said.
When data breaches occur currently, the OPC refers organisations to its online Data Safety Toolkit for advice.