HIV+ dating app leaks users’ private information, threatens discoverer with infection

A dating app for HIV-positive people suffered a breach compromising the personal details of its 4,926 users, according to security researchers. After being notified, the app’s company threatened to infect the IT sleuths who uncovered the leak with HIV.

According to information obtained on December 8 by a security researcher from the website, the personal information of users of the Hzone dating app, who may all be HIV positive, was exposed in a data breach. This would include such details as their date of birth, email address, ethnicity, last login, IP address, number of children, and password hash.

The database also stores private messages posted by users that often contain persona sensitive information concerning their condition and treatment. For example, Chris Vickery, the researcher who first reported the leak, found the following message between users:

“Hi. I was diagnosed 3 years ago now. CD4 and Viral Load is relatively good. I’m therefore not on Meds yet. My 6-monthly blood tests are due in June. Planning to go on meds. I’m worried about the side effects. What kinds of side effect have you experienced? Xx”

If users had subscribed to the otherwise free app’s premium service, their name, postal address, and credit card information was vulnerable as well.

This information could be invaluable to cyber criminals who, in addition to using the stolen cache of personal information to commit identify theft, could extort Hzone users who have kept their HIV status secret by threatening to reveal it.

Hzone did not initially acknowledge the breach after it was disclosed by the security researchers and finally fixed the issue five days after being notified, but said that the details of the leak would be released to the public. In response, Hzone threatened to infect the administrator of with HIV.

READ MORE: Woman ticketed for having HIV wins $40k from Michigan town

“Why do you want to do this? What’s your purpose? We are just a business for HIV people,” Hzone wrote in an email, according to security news site CSO. “If you want money from us, I believe you will be disappointed. And, I believe your illegal and stupid behavior will be notified by our HIV users and you and your concerns will be revenged by all of us. I suppose you and your family members don’t want to get HIV from us? If you do, go ahead.”

Hzone has since apologized for the threat, CSO said, but has, nonetheless, refused to notify their users of the leak and accused of altering the data that they published.

RT America reached out to the administrator of Hzone for comment, and will update the story if a response is received.