Massive data exposure affects users of dating app Headero, researchers warn

A significant data security lapse has potentially compromised the sensitive personal information of hundreds of thousands of users of the dating and hookup app Headero, according to cybersecurity researchers from Cybernews. The researchers uncovered an unsecured MongoDB database containing an extensive cache of user data, sparking concerns over privacy and potential exploitation.

The exposed database, which was accessible without password protection, reportedly included over 350,000 user records, more than three million chat logs, and upwards of one million chat room entries. The data included full names, email addresses, social login credentials, JSON Web Tokens (JWTs), profile images, device tokens, sexual preferences, STD status, and exact GPS locations of users.

Cybernews identified the database as belonging to ThotExperiment, a U.S.-based developer behind the Headero app. Upon being notified, the company promptly secured the database and claimed that the exposed records were from a test environment. However, Cybernews analysts raised doubts about this explanation, noting that the scale and detail of the records suggest the possibility that actual user data was involved.

At this time, it remains unclear how long the database was left exposed online or whether malicious actors accessed the information before it was secured. No direct evidence of data abuse has surfaced so far, but the nature of the leaked information, particularly the GPS locations and health-related disclosures, heightens the risk of targeted phishing campaigns, identity theft, or even physical safety concerns.