dkzlv.com

You could have gotten the full user profile, with real-time geolocation, of all the users

Organization: 3fun
Location: 🌏 World
Tags:
Active From:
Active Until: 08/01/2019
Potential Victims: >1,500,000
Source: techcrunch.com

You run an app that covers a topic as sensitive as threesomes and other alternative sexual activities — by the way, no judgment, we all have some wild kinks, that's ok.

So yeah, you run this app. Of course, you write some marketing bullshit on your site, like "safe space" and "privacy", and you also lecture users never to leave the app once they find a potential partner, because it's scary outside: there are scammers and strangers out there.

And then — bam! — people find out you have no protection against location spoofing and, researchers say, no real request throttling. What do the requests return? The full user profile: sexual orientation, name, photo, real-time geolocation (yeah, apps can upload it even when the app is closed), last login date, age — well, everything.

You get your centuries-old bash and write a small script that asks the server for users in different locations. Everywhere, without any limitations. In the White House. In the CIA office. Right in the middle of an Orthodox or Mormon village. You gather this data and sell it to somebody. We don't have any evidence it happened, but it would be naive to think no one abused such a security hole.
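The two missing controls named above, throttling and spoof detection, are easy to check for on the server side. The following is an added example written for this post, not code from 3fun or from the researchers: it runs a rate check and an implied-velocity check over constructed "nearby users" request logs, and shows the minimal response such an endpoint could return instead of the full profile. The log format, client ids, coordinates and thresholds are all assumptions.

```python
"""Server-side detection of the scraping pattern described above: one client
querying the "nearby users" endpoint from many spoofed locations at high rate.
Added example; the log lines, thresholds and field names are constructed."""
from collections import defaultdict, deque
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample log of nearby-users requests: timestamp, client id, lat, lon.
# c1 "teleports" between DC, Bethesda, New York, LA and London in eight seconds;
# c2 moves a few hundred metres across Paris over twelve minutes.
SAMPLE_LOG = """\
2019-07-30T10:00:00Z c1 38.8977 -77.0365
2019-07-30T10:00:02Z c1 38.9517 -77.1467
2019-07-30T10:00:04Z c1 40.7128 -74.0060
2019-07-30T10:00:06Z c1 34.0522 -118.2437
2019-07-30T10:00:08Z c1 51.5074 -0.1278
2019-07-30T10:00:00Z c2 48.8566 2.3522
2019-07-30T10:05:00Z c2 48.8570 2.3530
2019-07-30T10:12:00Z c2 48.8600 2.3600
"""

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: a reported move faster than this is spoofed
MAX_REQUESTS_PER_MIN = 4    # assumption: per-client budget for the nearby endpoint


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def parse_log(text):
    """Group requests by client id, sorted by time: {cid: [(ts, lat, lon), ...]}."""
    rows = defaultdict(list)
    for line in text.splitlines():
        ts, cid, lat, lon = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        rows[cid].append((when, float(lat), float(lon)))
    for reqs in rows.values():
        reqs.sort()
    return rows


def flag_clients(text):
    """Return {client_id: [reasons]} for clients that exceed the rate budget or
    report physically impossible movement between consecutive requests."""
    findings = {}
    for cid, reqs in parse_log(text).items():
        reasons = []
        # Rate check: count requests in a sliding 60-second window.
        window = deque()
        for when, _, _ in reqs:
            window.append(when)
            while (when - window[0]).total_seconds() > 60:
                window.popleft()
            if len(window) > MAX_REQUESTS_PER_MIN:
                reasons.append(f"rate: {len(window)} requests within 60s")
                break
        # Velocity check: distance between consecutive reported positions
        # divided by elapsed time; zero elapsed time with a real move is spoofing.
        for (t0, la0, lo0), (t1, la1, lo1) in zip(reqs, reqs[1:]):
            km = haversine_km(la0, lo0, la1, lo1)
            hours = (t1 - t0).total_seconds() / 3600
            kmh = float("inf") if hours == 0 else km / hours
            if km > 0.1 and kmh > MAX_PLAUSIBLE_KMH:
                reasons.append(f"velocity: {km:.0f} km in {hours * 3600:.0f}s")
                break
        if reasons:
            findings[cid] = reasons
    return findings


def minimize_nearby_entry(profile, viewer_lat, viewer_lon):
    """What a hardened nearby-users response could carry instead of the full
    profile: a coarse distance bucket and the display name only; no raw
    coordinates, orientation or last-login timestamp. Illustrative field names."""
    km = haversine_km(viewer_lat, viewer_lon, profile["lat"], profile["lon"])
    bucket = "<1 km" if km < 1 else "<5 km" if km < 5 else "5+ km"
    return {"display_name": profile["display_name"], "distance": bucket}


if __name__ == "__main__":
    for cid, reasons in flag_clients(SAMPLE_LOG).items():
        print(cid, "->", "; ".join(reasons))
```

Running the block flags `c1` on both checks and leaves `c2` alone. In production the velocity check would compare against the last position the server accepted for the account, not just the previous request, so a client cannot reset it by alternating between two far-apart points.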

This is a corporate breach

Corporations are required to disclose data breaches, but the list of data they disclose is very limited. The database storing email addresses is likely the same one that contains all the other data, so in this case much more information may have leaked than was reported.