Coffee Meets Bagel discloses that it was a part of the larger dump containing 620 million account credentials

• Coffee Meets Bagel revealed that a recent data breach compromised 6 million usernames and email addresses.
• The dating app confirmed that the data breach did not involve any user passwords or financial information.

Online dating app Coffee Meets Bagel (CMB) disclosed on Valentine's day (14.02.2019) that it was a part of the larger data dump containing 620 million account credentials stolen from 16 hacked websites.

The dating app revealed that a recent data breach compromised 6 million usernames and email addresses. However, CMB confirmed that the data breach did not involve any user passwords or financial information.

What happened?

CMB notified its users about the data breach via an email notification. In the email, CMB stated that it became aware of the incident of February 11, 2019, and that the data breach was due to an unauthorized party gaining illegal access to a partial list of its user details.

What data was compromised?

The compromised information included 6 million users’ names and email addresses prior to May 2018. However, the dating app confirmed that the data breach did not compromise any users’ passwords or financial information.

What actions were taken?

Upon learning the incident, CMB immediately took steps to determine the nature and the root cause for the incident.

• CMB hired forensics security experts to conduct a review and audit of its systems and infrastructure.
• It also audited its external systems to ensure that there are no compliance issues or third party breaches.
• The dating app has notified the law enforcement authorities regarding the incident.
• The company has made security enhancements to its system in order to detect suspicious activities and prevent unauthorized access.
• CMB has requested its users to exercise extra caution against emails from unknown senders that ask for personal information.
• It has further requested its users to avoid opening any attachments or clicking any links from suspicious emails.

“With online dating, people need to feel safe. If they don't feel safe, they won't share themselves authentically or make meaningful connections. We take that responsibility seriously, so we informed our community as soon as possible—regardless of what calendar date it fell on—about what happened and what we are doing about it,” Coffee Meets Bagel told BleepingComputer.

“We can confirm that approximately six million users were impacted. Beyond emails and names, no other CMB user information was compromised. This was part of a larger breach affecting 620 million accounts that got leaked across sixteen companies,” CMB added.

The compromised data could be used in Credential Stuffing attacks

Andy Norton, Director of Threat Intelligence at Lastline, opined that as the compromised data included names and email addresses, this type of information could be used for phishing campaigns and credential stuffing attacks.

“The Coffee Meets Bagel data is reportedly being sold on Dream Market, although it’s currently offline so we’ve been unable to confirm. Dream Market is a dark market that sells many illegal things, including drugs, guns and stolen digital items. Essentially, these cybercriminals are trying to sell a list. Lists of personal information are one end of a malicious funnel, and the data is often bought by spammers and operators of credential stuffing tools,” Norton told BleepingComputer.