More than 70 thousand photos of Tinder users are being shared among members of an online cybercrime forum. At this time only women are being targeted. Reporters learned of this from New York City's cyber sexual assault task force and were told the images were found on a website which deals with malicious software. The photo dump was accompanied by a text file that contains the user IDs of 16 thousand users, which may account for the total number of people affected by the leak.
The reason behind the theft is unclear
The reason for the collection of these photos is unclear. Still, their availability to criminals online opens the possibility that they may be used for harassment or scams. There are clues in the photos, specifically the phone models, such as the iPhone X. There are also examples of metadata showing that the images were taken recently. The timestamps date back to October 2019.
Tinder told media outlet Gizmodo the company will take whatever steps it could to remove the data outside their platform. Cybersecurity company White Ops researcher Aaron DeVera expressed doubts. He believes the files will be easy to take down and offered his help with the location of the archive.
Back in 2017, a researcher working for the Google subsidiary Kaggle took roughly 40 thousand photos from Bay Area users to make a facial dataset, using them to power a machine learning model. Tinder labeled that as a violation at the time, saying they would investigate further.
Since then, the company has invested additional resources in curbing misuse of the app, but its security team declined to disclose information on the specific actions taken. A Tinder official mentioned the company is refusing on the grounds of a 'security through obscurity' practice, to better obscure the security measures it is using. The spokesman said the company works hard to keep its members and their information safe, knowing that the work is ever-evolving, and that it is continually implementing new best practices to make it harder to commit violations like the recent one.
The images may be used to create fake profiles
Tinder also mentioned the photos are public and may be viewed by others through the use of its app, though the app wasn't made to allow such a massive download of user images. The app also allows users to look at the profiles of other users within a 100-mile radius.
What DeVera also found particularly disturbing was the fact that the victims were entirely female. The photos on the dating site may not necessarily be something the users want to be seen by the general public, as they may keep some of them private for other specific users. The leaked photos are sorted not only by user ID but also by whether or not there is a face in the picture, which means the data may be used to train biometric software or image recognition systems.
Those are not the only possible uses for the photos, however. The leak raises further issues, since the images can be used to create fake personas and profiles, which may in turn be used for social engineering and scams. Data dumps of this kind often attract scam artists who use them to make many convincing accounts, said DeVera.