Skip to main content

US and UK Armed Forces Dating & Social Networking Service Exposed Over 1 Million Records Online

Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to vpnMentor about a non-password-protected database that contained more than 1.1 million records belonging to Conduitor Limited (trading as Forces Penpals) — a service that offers dating services, and social networking for military members and their supporters.

The publicly exposed database was not password-protected or encrypted. It contained a total of 1,187,296 documents. In a limited sampling, a majority of the documents I saw were user images, while others were photos of potentially sensitive proof of service documents. These contained full names (first, last, and middle), mailing addresses, SSN (US), National Insurance Numbers, and Service Numbers (UK). These documents also listed rank, branch of the service, dates, locations, and other information that should not be publicly accessible.

Upon further research, I identified that the records belonged to Forces Penpals, a dating service and social networking community for military service members and their supporters. I immediately sent a responsible disclosure notice, and public access was restricted the following day. It is not known how long the database was exposed or if anyone else gained access to it. Only an internal forensic audit could identify additional access or potentially suspicious activity. I received a response from Forces Penpals after my disclosure notice stating: “Thank you for contacting us. It is much appreciated. Looks like there was a coding error where the documents were going to the wrong bucket and directory listing was turned on for debugging and never turned off. The photos are public anyway so that's not an issue, but the documents certainly should not be public”. It is not known if the database was owned and managed by Forces Penpals directly or via a third-party contractor.

According to their website, the service operates social networking and support for members of the US and UK armed forces. It claims to have over 290,000 military and civilian users. Founded in 2002, Forces Penpals allowed UK citizens to write to soldiers on active duty in Iraq or Afghanistan. In a 2018 interview, the director of Forces Penpals said “It was specifically about pen pals in the beginning with a little bit of a dating element. It was originally a morale-boosting support service for the armed forces, and a way for us to engage civilians with the military community.” It is unknown if the exposed documents came from the website and forum or from the Forces Penpals dating app, which is available for both iOS or Android devices.

Many individuals choose to remain private online and do not share their image or likeness when using apps or social media. Exposing user images combined with proof of service documents could potentially create significant security and privacy risks. Hypothetically, these documents could contain enough personal information to be a potential identity theft risk, allowing malicious actors to impersonate individuals for fraudulent activities or possible financial crimes. The more information that criminals have on potential targets, the higher the success rate of phishing attacks and social engineering schemes that could deceive people into revealing further confidential data.

For active duty military personnel or those with security clearances, the exposure of their rank, locations, or other details about their service could have potential national security implications. In October 2024, Microsoft and authorities in the United States reported that a hacking group linked to Russian intelligence attempted to infiltrate the systems of numerous Western think tanks, journalists, and former military and intelligence personnel. I am not saying that Forces Penpals’s users were ever at risk of identity theft, phishing, social engineering, or other potential criminal activities. I am only providing a real-world threat scenario for educational purposes.

I recommend companies that provide dating apps or social networking services take additional measures to secure the data they collect and store. This includes:

  • Implementing enhanced access controls and authentication requirements for any cloud storage databases where sensitive information is stored. 
  • Segmenting sensitive documents in a separate location, so that not everything is stored in one place. This can minimize the potential risks of a data exposure and restrict unauthorized access to the most sensitive information that the organization must protect. 
  • Conducting regular security audits and penetration testing can help identify open ports, misconfigured firewall settings or other vulnerabilities that could result in a data breach. 
  • Having an incident response plan in place is also important. No organization intentionally exposes potentially sensitive user data online, but having a plan in place is a proactive way to mitigate damage and notify affected users and stakeholders in the event of a data breach. 
  • Installing a direct communication channel for data incidents helps ensure that responsible disclosure notices reach the correct people or team fast. When it comes to exposed data, time is a critical factor.

I imply no wrongdoing by Conduitor Limited operating as Forces Penpals, and I do not claim that internal data or user data was ever at imminent risk. The hypothetical data-risk scenarios I have presented in this report are exclusively for educational purposes and do not reflect any actual compromise of data integrity. As an ethical security researcher, I do not download the data I discover. I only take a limited number of screenshots solely for verification purposes. It is not known how long the database was publicly accessible, as only an internal forensic investigation conducted by Forces Penpals or the organization that managed the database would be able to identify this information along with any potential suspicious activity related to the breach. I do not conduct any activities beyond identifying the security vulnerability and notifying the relevant parties. I disclaim any responsibility for actions that may be taken as a result of this disclosure. I publish my findings to raise awareness on issues of data security and privacy. My aim is to encourage organizations to proactively safeguard sensitive information against unauthorized access.



See TessMore Internet Business Must-Reads
Labels:

Comments

Post a Comment

Popular posts from this blog

13 Best Cheap Web Hosting Services of 2022 (Ranked)

  Let’s face it: there are a ton of different   web hosting options   on the market with great features. A lot of the time, it comes down to price.  I ranked and reviewed the best cheap web hosting options to try this year.  These reviews are based on pricing, hosting features, integrations, security, speed, and more. Let’s get started. Disclaimer:  This article contains affiliate links that I receive a small commission for at no cost to you. However, these are merely the tools I fully recommend when it comes to hosting a website. You can read my full affiliate disclosure in my  privacy policy . What is the Best Cheap Web Hosting? Here are my top picks for the best cheap web hosting: 1.  Bluehost . Bluehost  is a web hosting company that hosts over 2 million domains collectively. Their initial plan starts at $2.95 per month, and you get a 30-days money-back guarantee with all the plans. Recommended web host by WordPress.org for more than a de...
1 comment
Read more

How to Safely Change Your WordPress Theme (Beginner’s Guide)

Learning how to change your WordPress theme seems like a very basic thing. Simply go to Appearance > Themes , hover over any of the available WordPress themes, and click Activate , right? While that is correct in principle and works well for a site that is basically empty, it gets a bit more complicated for an established website with a lot of content. In that case, it becomes more of a case of how to change your WordPress theme safely and without losing anything. And that’s exactly what will talk about here. In the following, you will learn what risks there are to changing your WordPress theme. We will talk about how to prepare for the switch, different ways of performing it, and how to check your site after you are done. Changing Your WordPress Theme: Potential Risks Before going over the how-to part, let’s first discuss why you need to be cautious when changing your WordPress theme and what things can break. First of all, you can generally relax. WordPress is built in a way ...
Post a Comment
Read more

Five Common iPage Email Problems and Solutions

If you’re paying for some of the popular services offered by iPage – cheap web hosting , domain names , and dedicated servers  – you’re likely using iPage email as well.  iPage is well known for its affordable pricing and user-friendly solutions. However, its services have not always been 100% reliable.  Such is the case with iPage email, which often stops working. If your email is acting up, several possible reasons exist. Read on to find out why you can’t access your iPage webmail and what you can do about it. Reasons why iPage email isn’t working  If your iPage email is not working, that’s usually because you’ve typed in the wrong password or account name or your internet connection is not strong enough. Other suspects are a blocked IP address, a poorly set up email account, and an overloaded queue.  Your IP is blocked  When you enter a wrong password 6 times in a row in under 5 minutes, iPage blocks your IP address out of precaution. You have...
Post a Comment
Read more