Hzone is a dating app for HIV-positive singles, and representatives for the company claim there are more than 4,900 registered users. Sometime before November 29, the MongoDB housing the app's data was exposed to the Internet. However, the company didn't like having the security incident disclosed and responded with a mind-melting threat – infection.
Today's story is strange, but true. It's brought to you by DataBreaches.net and security researcher Chris Vickery.
Vickery discovered that the Hzone application was leaking user data, and properly disclosed the security issue to the company. However, those initial disclosures were met with silence, so Vickery enlisted the help of DataBreaches.net.
During the week of notifications that went nowhere, the Hzone database was still exposing user data. Until the issue was finally fixed on December 13, some 5,027 accounts were fully available on the Internet to anyone who knew how to find publicly exposed MongoDB installations.
Finally, when DataBreaches.net informed Hzone that the details of the security issues would be written about, the company responded by threatening the website's admin (Dissent) with infection.
"Why do you want to do this? What's your purpose? We are just a business for HIV people. If you want money from us, I believe you will be disappointed. And, I believe your illegal and stupid behavior will be notified by our HIV users and you and your concerns will be revenged by all of us. I suppose you and your family members don't want to get HIV from us? If you do, go ahead."
Salted Hash asked Dissent about her thoughts on the threat. In an email, she said she couldn't recall any response that "even comes close to this level of insanity."
"You get the occasional legal threats, and you get the 'you'll ruin my reputation and my whole life and my children will wind up on the street' pleas, but threats of being infected with HIV? No, I've never seen that one before, and I've reported on other cases involving breaches of HIV patients' info," she explained.
The data leaked by the exposure included Hzone member profile records.
Each record had the member's date of birth, relationship status, religion, country, biographical dating information (height, orientation, number of children, ethnicity, etc.), email address, IP details, password hash, and any messages posted.
Hzone later apologized for the threat, but it still took them some time to fix their flawed database. The company accused DataBreaches.net and Vickery of altering data, which led to speculation that the company didn't fully understand how to secure user information.
An example of this is one email in which the company states that only a single IP address accessed the exposed information, which is false, given that Vickery used multiple computers and IP addresses.
In addition to questionable protection practices, Hzone also has a number of user complaints.
The most serious of them is that once a profile has been created, it cannot be deleted – meaning that if member data is leaked again in the future, those who no longer use the Hzone service will still have their histories exposed.
Finally, it appears that Hzone users will not be notified. When DataBreaches.net asked about notification, the company had a single comment:
"No, we didn’t notify them. If you will not publish them out, nobody else would do that, right? And I believe you will not publish them out, right?"
Because security by obscurity always works... always.