This article is about a data breach

Typically corporations are not obligated to disclose information about all the data that was breached, only users' personal data.

But we understand that the company's valuable aggregated data is stored, most of the time, in the same database as users' data. If one was breached, we presume the other was as well.

You run an app that covers as sensitive a topic as threesomes and other alternative sexual activities — by the way, no judgment, we all have some wild kinks, that's ok.

So yeah, you run this app. Of course, you write some marketing bullshit on your site, like "safe space" and "privacy", and you also lecture users never to leave the app once they find a potential partner, because it's scary outside: there are scammers and strangers out there.

And then — bam! — people find out you have no protection against spoofing, and, researchers say, no real request throttling. What do the requests return? Full user profile: sexual orientation, name, photo, real-time geolocation (yeah, apps can upload it even if the app is closed), last login date, age — well, everything.

You get your centuries-old bash and write a small script that requests the server's data about users in different locations. Everywhere, without any limitations. In the White House. In the CIA office. Right in the middle of an Orthodox or Mormon village. You gather this data and sell it to somebody. We don't have any evidence it happened, but it would be a crime to think no one abused such a security hole.
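The two defects the article describes are an API that returns the whole profile row (orientation, exact real-time location, last login) and no meaningful request throttling. The example below is added here and is not code from the app or from the researchers; it sketches what the server side should have looked like. The `Profile` record, the sample user and the field names are constructed for illustration, and the serializer and token-bucket limiter are generic techniques, not the app's actual implementation.

```python
import time
from dataclasses import dataclass, asdict


@dataclass
class Profile:
    user_id: str
    name: str
    age: int
    orientation: str
    lat: float
    lon: float
    last_login: str
    photo_url: str


# Constructed sample record, not real user data. Coordinates are a landmark,
# chosen only so the coarsening step below is easy to check by hand.
SAMPLE = Profile("u-001", "Alex", 29, "bi", 38.897957, -77.036560,
                 "2024-05-01T10:00:00Z", "https://example.invalid/p/u-001.jpg")


def serialize_full(p: Profile) -> dict:
    """The over-broad response the article describes: every column goes out."""
    return asdict(p)


# Only what a discovery screen actually needs to render a card.
MINIMAL_FIELDS = ("user_id", "name", "age", "photo_url")


def serialize_minimal(p: Profile, grid: float = 0.01) -> dict:
    """Hardened response: minimal fields, and location snapped to a coarse grid.

    0.01 degrees is roughly 1 km, so a caller learns 'nearby', not 'this house'.
    Orientation and last_login are never sent to another user at all.
    """
    out = {k: getattr(p, k) for k in MINIMAL_FIELDS}
    out["approx_lat"] = round(round(p.lat / grid) * grid, 4)
    out["approx_lon"] = round(round(p.lon / grid) * grid, 4)
    return out


class TokenBucket:
    """Per-requester token bucket: `capacity` burst, `refill_per_sec` sustained.

    The clock is injectable so the behaviour can be tested deterministically.
    """

    def __init__(self, capacity: int, refill_per_sec: float, clock=time.monotonic):
        self.capacity = capacity
        self.refill = refill_per_sec
        self.clock = clock
        self.state = {}  # requester key -> (tokens, last_timestamp)

    def allow(self, key: str) -> bool:
        now = self.clock()
        tokens, last = self.state.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        if tokens < 1:
            self.state[key] = (tokens, now)
            return False
        self.state[key] = (tokens - 1, now)
        return True


class FakeClock:
    """Manually advanced clock for tests and demos."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


def lookup_nearby(profiles, requester: str, limiter: TokenBucket) -> dict:
    """The 'who is near me' endpoint: throttled, and minimal in what it returns."""
    if not limiter.allow(requester):
        return {"error": "rate_limited"}
    return {"results": [serialize_minimal(p) for p in profiles]}


if __name__ == "__main__":
    clock = FakeClock()
    limiter = TokenBucket(capacity=3, refill_per_sec=1.0, clock=clock)
    for _ in range(4):
        print(lookup_nearby([SAMPLE], "client-A", limiter))
    print("full row the article complains about:", serialize_full(SAMPLE))
```

The point of the two halves is that they fail independently: throttling alone still leaks exact coordinates to anyone patient enough, and field minimization alone still lets a scraper build a map of every user in a region. Both belong on the server, because nothing a client does can be trusted.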
