Cyber Incident Victim: MobiFriends
Date: Jan 2019
Location: Spain
Summary
A security breach at the dating app MobiFriends compromised personal data of millions of users, including email addresses, mobile numbers, dates of birth, genders, usernames, activity details, and passwords stored with weak MD5 hashing. The stolen data, later leaked publicly, contained professional email addresses linked to major corporations, heightening risks of spear-phishing, extortion, and credential-stuffing attacks due to password reuse. The breach's origin—whether from server vulnerabilities or an exposed database—remains unclear, and the company has not publicly acknowledged the incident despite third-party verification of the data's validity.
Description
In January 2019, a security breach compromised the personal data of approximately 3.68 million users of the dating application MobiFriends. The stolen information included email addresses, mobile phone numbers, dates of birth, gender details, usernames, and records of user activity within the MobiFriends platform. Passwords stored as MD5 hashes were also exfiltrated; MD5 is a hash function widely recognized as insecure for password storage because its hashes can be cracked rapidly. The breach did not involve private messages, images, or sexually explicit content. A hacker initially offered the dataset for sale on an online forum before it was leaked publicly in April 2020, resulting in widespread distribution across multiple platforms, including free download links. Risk Based Security (RBS), a cybersecurity firm, independently verified the authenticity of the leaked data by cross-referencing records with MobiFriends' official systems. The dataset contained professional email addresses linked to employees of prominent organizations such as American International Group (AIG), Experian, Walmart, and Virgin Media.

The exposure placed affected users at heightened risk of spear-phishing campaigns, extortion attempts, and credential-stuffing attacks targeting other online services where MobiFriends credentials might have been reused. The weak MD5 password hashing significantly increased the likelihood of attackers successfully recovering plaintext passwords. MobiFriends, a Barcelona-based company operational since 2005, did not publicly acknowledge the breach or respond to inquiries from ZDNet or RBS regarding the incident. The specific attack vector remained unconfirmed, with no details disclosed about whether the breach resulted from exploiting a server/API vulnerability or an unsecured database. No information about internal detection mechanisms, containment measures, or user notifications was available from the source material. The public disclosure originated solely from third-party researchers and cybercriminal forums rather than official channels.
