May 19, 2016

Use OKCupid? Change your password

I think we can all agree that dating is (was in the case of married folks) hard. Opening yourself up to someone else just leaves you vulnerable. In today’s connected world, it can be seen as somewhat easier with sites like OKCupid where you can meet someone online free of the embarrassment of face-to-face rejection.

To help find ideal matches, OKCupid asks users personality questions to help match like-minded people. Do you like the taste of beer? Is jealousy healthy in a relationship? Is smoking disgusting? As we said, logical.

There is also an open-ended section where users can be more honest and open about themselves. Since these users are looking for the One, this section can really help tell potential matches what they are really like — without speaking. So this area is often open and honest because it could give them the chance to find their Prince Charming packed with what users consider really important — and that’s probably some really sensitive data for them.

All this personal info should be kept confidential, right? Well, that all depends on who you ask.

According to Danish researchers, this treasure trove of personal data is open and should be mined. The team scraped data between November 2014 and March of 2015 and published a paper on the study. They even shared the non-anonymized data of 70,000 users for free on the Open Science Framework. The dump did not give real names, but it did share usernames and locations, along with some truly personal information like sexual habits, politics and sexual preferences.

Scott Weingart, a digital humanities specialist at Carnegie Mellon, estimated he could accurately connect user info of ~90% of the users to real people. The fact that this data can identify people could have real-world implications for users who may be hiding their sexuality, are cheating on their spouses or have a fetish that could be seen as inappropriate or shameful in some cultures.

Social computing researcher Oliver Keyes added the following on his blog: “Having now spent some time exploring the data, and reading both public statements on the work and the associated paper: this is without a doubt one of the most grossly unprofessional, unethical and reprehensible data releases I have ever seen.”

We talk about hacks often on this blog — but this study was done by researchers who are supposed to have ethics. This is a data breach committed willingly because of someone’s desire to share with the world. An OKCupid spokesperson told Vox that they are exploring legal options.

If you are an OKCupid user, it would be a smart idea to change your password, just in case you wound up in this “research” project. The “research” has by now been taken down, but some copies may have survived on other sites. You can also try searching for these copies to check whether your name appears in them.

This is not the first time that users of an online dating site have been exposed by data stolen by hackers or leaked online. Recently Ashley Madison, Beautiful People Only and Adult Friend Finder have all had user data stolen and shared on the web. According to David Emm of Kaspersky Lab’s GReAT, “once this type of information has been made public, criminals can use it to help with identity theft or more. Unfortunately, once a breach of this nature has been made, there is not much that can be done.”

Last week was not just bad for online daters — identifiable data from a hardcore fetish web forum was also hacked. The breach exposed 100,000 accounts. The data included email addresses, usernames, IP addresses and passwords.

As with the dark secrets of dating site users, this forum's data reveals some sexual preferences that these users probably wanted to keep secret.

Staying anonymous on the Web becomes more difficult every day. We need to be careful about what we share and who we share it with, and really decide whether it should be stored online. To increase anonymity, users wanting to stay off the grid should use disposable emails that are unidentifiable, look into Tor and/or use ad blockers.