Dating app Coffee Meets Bagel has informed all of its users today, Valentine's Day, that it has suffered a security breach and personal information may have been stolen.
Instead of a bunch of roses and a greetings card from a mystery admirer, Coffee Meets Bagel users received an email informing them of the hack, and explaining how the company had hired "forensic security experts" to find out what went wrong.
"We recently discovered that some data from your Coffee Meets Bagel account may have been acquired by an unauthorized party," the email began, adding: "The affected information only includes your name and email address prior to May 2018. As a reminder, we never store any financial information or passwords."
The company did not say how many users may have had their data stolen, and urged users to take extra caution when receiving unsolicited communications that ask for personal information.
The admission comes in the same week that 8fit, a fitness application, also told users, including this reporter, that it was the victim of a cyber attack. The fitness company said it became aware of the data theft on February 8, and urged users to reset their passwords.
Data stolen included names, email addresses, hashed passwords, and "limited profile information". The company was at pains to say that cleartext passwords were not stolen from the database, meaning user accounts should still be secure. Also, no payment data "of any kind" was accessed by the hackers.
Both of these companies appear to have been caught up in the same massive cyber attack, which in total saw 617 million account details stolen and allegedly put up for sale on the dark web for $20,000 in bitcoin.
According to The Register, which first reported on the attack, 16 websites were hacked in total, including Dubsmash (162 million user details stolen), MyFitnessPal (151 million), MyHeritage (92 million), 8fit (20 million), 500px (15 million), and Coffee Meets Bagel (six million).
Speaking to The Register, the alleged hacker said they have up to 20 databases of stolen data to put online, with the aim being that these credentials will make life easier for other hackers. Assuming users pick the same email address for multiple online services, then hackers can start to build a larger jigsaw of their identity, which could lead to further data being exposed.
"I don't think I am deeply evil," the hacker is reported as saying. "I need the money. I need the leaks to be disclosed...Security is just an illusion...We all know measures are taken to prevent cyber attacks, but with these upcoming dumps, I'll make hacking easier than ever."
One such measure, which is a quick, simple and proven way to help boost your online security, is two-factor authentication. Once enabled, this stops anyone logging in to your accounts even if they have your email address and password.
Fitness app 8fit informed users of the hack on February 13.
This is because, when a login attempt is made (to your Facebook account, for example) from a device which you have never used (in other words, the hacker's device), a text message is sent to your phone number. This text contains a code, which must be entered to allow the login attempt.
Therefore, without access to your email address, password, and your phone to read the text message, your account cannot be accessed.
As ever, it is also important to not repeat passwords for multiple apps and services. You can try using a password manager for this, which suggests a strong and unique password for each account you create, then saves it so you don't need to remember it.
It is also recommended that you treat suspicious emails with caution. If an email asks for your login details, then it should be ignored, and the same goes if the email links you to a page which also asks you to log in.
As we are increasingly living our lives online — and fresh user accounts are seemingly needed for everything, from apps to smart light bulbs — consumers must remain vigilant and adequately protect themselves from massive cyber attacks like this.