A website for Muslims who want to find love has suffered a very serious security breach that has the potential to put the lives of female members at risk. The dating website is called Muslim Match, and last week a security researcher called Troy Hunt discovered that it had been hacked.
All in all, sensitive information pertaining to 150,000 members was stolen during the attack. Unfortunately, because those details have been published online for anyone to see, there are worries that the information could cause harm to female Muslims in particular nations around the world.
Amongst the information that has been leaked to the Internet are 700,000 messages: electronic communications sent to and from the Muslim Match subscribers affected by the breach.
A message has been posted to the Muslim Match website in response to the hack. It reads as follows:
‘We have been made aware of an alleged security breach and we are reviewing our systems as we work to remedy the situation and tighten our security.’
Perhaps most worrying of all is the fact that, on top of members’ names, email addresses, Skype names, IP addresses, locations, marital status, employment details and whether or not they converted to Islam, the leaked data also reveals whether or not they would be interested in polygamy. That could be a devastating revelation for female members living in dangerous locations such as Pakistan.
While there is no doubt that the leaked information could cause embarrassment for certain male members of the site, the worry is that the risk for women is far greater. According to the BBC ‘the bulk of users affected are believed to live in the United Kingdom, United States, and Pakistan.’ Those locations were ascertained from the leaked IP addresses, and it is due to those findings that the concern is being raised.
Pakistan is considered the 3rd most dangerous place in the world for women, and is a location where it is common for women to fall victim to ‘honour killings’. It is for that very reason that there is a concern that female members from Pakistan could be in grave danger following the hacker’s attack.
In fact, according to Pakistan’s human rights commission, 1000 girls and women fall victim to those horrific ‘honour killings’ every single year. It is a grim reality that the hacker may have inadvertently walked female members of Pakistan’s society straight into.
Muslim Match’s Facebook page (currently also down) explains that the website is for: ‘Single, divorced, widowed, married Muslims coming together to share ideas, thoughts and find a suitable marriage partner.’
Some of the messages leaked to the Internet from the hack read as follows:
‘I wanna marry you – if u agree I send my photos and details.’
‘You will enjoy when you speak to me, I am genuine and truthful and am seriously seeking a right muslimah who could be a friend, a companion to hold hands thru journey of life and beyond.’
Muslim Match – Terrible Cyber Security
For the time being, Muslim Match has closed down the entire website, saying that it will not reopen until at least after the end of Ramadan (Eid al-Fitr is today) later this week.
Unbelievably, considering the heightened sensitivity involved in holding the romantic data of subscribers living in frighteningly repressive nations, Muslim Match held all of the information on its servers so insecurely that it was hacked with simple SQL injection, allowing the hacker easy access to data that could end women’s lives.
Internet security journalist Joseph Cox made the following comment:
‘Using information within the dataset, Motherboard was able to link private messages with specific users. By cross-referencing the different files, it was possible to find out the username of the person who sent the message, as well as their logged IP address and poorly-hashed, MD5 password. Some of the messages also include extra information, such as Skype handles, which users have exchanged.’
One Muslim Match user came forward to express their concern about the hack and the fact that the website was so poorly secured:
‘I feel disappointed but the site didn’t seem to be secure in the first place. They never used https.’
Ethical Hacking Gone Wrong?
A hacker called TheCthulhu, who has in the past also posted information from data leaks, has on this occasion also posted the sensitive data. As useful as it may be to highlight the security flaws and vulnerabilities of certain websites (often referred to as white hat hacking), in the case of Muslim Match one wonders whether Cthulhu has got it wrong.
I for one would hope that if hacked information could lead to a senseless loss of life, hackers might abstain from spreading that leaked data further afield. Especially considering that Cthulhu’s hacker persona is based around themes of ‘a greater good’ gained from exposing corruption, one might have hoped that Cthulhu would have decided against publishing this particularly sensitive data set.
The good news is that as yet there appears to have been no unnecessary fallout from the hack. Let’s hope it stays that way.
Avoid Being a Victim
Finally, for anybody wondering how they could have avoided being involved in the hack, here are some helpful hints:
When joining a website like Muslim Match, join under a fake name, and simply be honest with any prospective romantic candidates about your reason for doing so. If and when a rapport has been established, take an email address from the person that you have met and move over to a more secure (and private) platform for exchanging your real names and details.
Of course, on this occasion IP addresses were also published online, which is how we know that some of the members were from Pakistan. Your IP address can be used to pin you down. For that reason, anybody living in a nation with heightened security risks is strongly advised to use a VPN. A VPN will not only encrypt all your data (so that hackers, your ISP, and the government can’t see what you are doing) but will also allow you to spoof your IP address to a different location.
Doing so on this occasion would have meant that an incorrect IP address was published to the Internet by the hacker, protecting your identity.