A dating app for people with HIV has suffered a major data breach exposing sensitive information regarding almost 5,000 member accounts.
Hzone, which claims to be the “No. 1 dating app for HIV singles,” has seen the personal information of its users (including date of birth, religion, sexual orientation, email address, and IP address) leaked.
Hzone is pretty much a Tinder clone, built on a similar algorithm and offering identical features (including location-based matchmaking and the ability to share visual moments). Although it is a free download, it also offers a premium service that requires subscribers to provide additional details including their address, phone numbers, and credit card details.
The breach, which has now reportedly been secured, also revealed user messages containing sensitive medical information. Security research blog Databreaches.net has posted one of the messages, which we feel is inappropriate to quote here.
The breach could lead to identity theft, extortion, and possibly even blackmail, according to Databreaches.net. The site claims the leak began as early as November and that, despite multiple warnings, Hzone failed to resolve the matter until a few days ago. Email correspondence between the two parties also reveals that Hzone did not notify its users of the breach and has admitted to having a weak tech team.
Matters took a turn for the worse, getting a lot more personal for Databreaches.net, when Hzone allegedly threatened one of its admins with HIV infection if they published news about the breach.
“You get the occasional legal threats, and you get the ‘you’ll ruin my reputation and my whole life and my children will wind up on the street’ pleas, but threats of being infected with HIV? No, I’ve never seen that one before,” the admin told security news website CSO.
Despite the leak having been resolved, users are being warned not to use Hzone due to its lack of encryption for stored data and refusal to delete profiles.