Updated

Lonely hearts on the dating website Guardian Soulmates have been targeted with sexually explicit spam emails after trolls abused leaked contact information.
Guardian News & Media, which runs the site, blamed a third-party tech supplier for the issue, which has since been resolved, the BBC reports. Only email addresses and user IDs were directly exposed, a spokesman for the site told the BBC. This login info offered a possible mechanism for miscreants to harvest further information from users’ profiles.
The issue came to light after users received offensive messages to email addresses they only used with the service.
Jes Breslaw, director of strategy at Delphix, commented: “Given that the spam came as a result of a third party, it’s likely the original breach came from a test system – which demonstrates the importance of adopting multi-layered security measures when working with third party consultants, contractors or outsourcers.”
Marco Cova, senior security researcher at Lastline, added that although the leaked information wasn’t particularly sensitive, it might still be used as fodder for follow-up phishing attacks.
El Reg asked Guardian Soulmates for a comment but we’re yet to hear back. ®
Updated to add
Guardian News & Media apologised and blamed the problem on “human error by one of our third party technology providers.” In a statement, the publisher said:
We can confirm we have received 27 enquiries from our members which show evidence of their email addresses used for their Soulmates account having been exposed.
We take matters of data security extremely seriously and have conducted thorough audits of all our internal systems and are confident that no outside party breached any of these systems. Our ongoing investigations point to a human error by one of our third party technology providers, which led to an exposure of an extract of data. This extract contained only members’ email addresses and user ID which can be used to find members’ publicly available online profiles.
We have taken appropriate measures to ensure this does not happen again, and we continue to review our processes and third party suppliers.
Nonetheless, we apologise to our members who were affected. If any of our members are concerned we encourage them to contact us on [email protected]