It has come to light that a popular dating app, called 3fun, has been exploited to breach the credentials of users within Downing Street. 3fun connects its users so that they can arrange threesomes.
More than 1.5 million users had their real-time locations, private photos, chat data, sexual preferences, relationship status, and birth dates exposed. The breach showed members that appeared to be in Number 10 Downing Street in London. The accessible data also revealed members who were in the locations of the White House and US Supreme Court, in Washington DC.
Other dating apps such as Recon, Romeo, and Grindr, have also been highlighted for showing user’s location data. The difference, however, is that 3fun showed users exact coordinates. The other dating apps use a triangulation calculation from three different places, making the info less precise.
What exactly happened?
Penetration testing companies are labelling 3fun as having the worst security of any dating app. It is during pen tests that these companies have been able to access the user data we have mentioned.
On the mobile app, persons can stop the app by showing their precise location. However, the servers used by the app store this data, and a cybercriminal can access this using a simple query. Further demographics were accessible during pen tests, including the app having a ratio of four straight men to one straight woman
On July 8th the company released an app update to take action to tighten security weaknesses and fix the problem. If you are a 3fun member, then you should ensure that your app is up to date to protect your user information. It is highly recommended to keep all your apps up to date because these updates often include patches that tackle security weaknesses.
What is Penetration Testing?
A penetration testprotects a company by exploring possible security weaknesses. Using the latest, threats, techniques, and tools available to hackers, a pen test will show you what action you need to take, to ensure your business is safe from threats.
You should have a quarterly or annual pen test from a CREST accredited company. The company should use ethical hackers called Offensive Security Certified Professionals (OSCP). These labels show that the security company has the necessary technical expertise and will maintain the confidentiality of your data and results.
A penetration test is also a first step for companies to take to achieve General Data Protection Regulation (GDPR) compliance. It will also form the basis for compliance to ISO 27001 and Payment Card Industry Data Security Standards (PCI DSS).
How does Penetration Testing work?
Pen tests are beneficial because they use the real-life techniques of cybercriminals. Internal penetration testing assesses the threats within your infrastructure, such as your computer systems and network.
The outcome of an internal pen test is a comprehensive report that will show:
- Which confidential documents could be accessed
- What sensitive data could be obtained
- If customer information and credit card details could be accessed
- Who in your organisation can access critical data and systems
An external pen test reveals the risks of an external attack on your organisation’s systems and website. There are three types of testing available (black box, white box, and grey box), which conduct testing under several different scenarios. These tests range from the scope of someone having no knowledge of your company’s systems to an attacker who has a more detailed understanding of your systems.
Aside from your regular pen test, you should have a new pen test if:
- Your company has been acquired or merged
- There is a significant change to your infrastructure
- New products or services launch
- New customer applications are developed
- You are preparing for compliance with data security standards
Contact OmniCyber Security today to arrange a penetration test for your organisation.
