The personal data of 1.1 million users deemed attractive enough for controversial dating site BeautifulPeople.com were leaked, news reports and an expert who runs the security-analysis site HaveIBeenPwned.com said on Monday. The breach included some 15 million private messages sent between members of the website, as well as encrypted passwords, email addresses, mobile-phone numbers and personal information such as height, weight, job, favorite movie and TV show.
The information is now being sold on the online black market by data traders, reported Forbes.
BeautifulPeople.com confirmed to Forbes that it was aware of the breach, which was first reported in December 2015. It re-sent the statement released at the end of last year, saying, "This was a staging server and not part of our production database. The staging server was immediately shut down." The statement also said that all vulnerable users were contacted at the time of the hack. But two BeautifulPeople.com users who found their information in the leaked database, obtained by researcher Chris Vickery last year, told Forbes they were never contacted by the website.
The accuracy of the leaked accounts was confirmed by security expert Troy Hunt, who runs HaveIBeenPwned.com, a website that allows you to search your email address to see if you've been affected by a data breach. Hunt tweeted that, of the 1.1 million leaked accounts, 170 used government email addresses. "I keep seeing a heap of government stuff where it probably shouldn't be," he wrote.
BeautifulPeople.com, which is owned by BeautifulPeople Network, has seen its share of controversy since its inception in 2002, when it launched in Denmark before eventually going global in 2009. The site defines itself as a dating space for attractive people only, allowing its community of users to vote to reject any applicants deemed too mediocre to join. Some 5,000 users were removed from the site for "weight gain," The Guardian reported in 2010.
Troy Hunt of HaveIBeenPwned.com told Forbes that he was tipped off by traders who illegally buy and sell hacked data.
On this large and complex black market for hacked data, access to millions of real users' passwords is particularly valuable. Cyber-criminals buy these data lists with the intent of adding them to massive databases such as rainbow tables, a sort of dictionary of possible passwords used to break into accounts protected by encrypted passwords.
In February this year, 27 million passwords hacked from dating website Mate1.com were reportedly sold for 20 bitcoin, around $8,700 at the time. Troy Hunt said he does not know how much the leaked data from BeautifulPeople.com eventually sold for.