Over 1M BeautifulPeople Dating Site User Details Leak Online

An anonymous reader writes: Personal information of over one million users stored by popular dating site BeautifulPeople has leaked, and is now accessible online. We already knew that BeautifulPixel.com was hacked (it happened in November 2015), but this is the first confirmation from a security researcher that the details are legitimate. (BeautifulPeople had downplayed it at the time, saying that it was a staging server, and not a production server, that was hacked.) Security researcher Troy Hunt, citing a source, noted that the data has been sold online. The leaked personal information include email addresses, phone numbers, as well as hair color, weight, job and other details.Troy also noted that of the 1.1 million users details,170 of them have government email addresses. Some of you may remember BeautifulPixel as the creator the "Shrek" virus.

Beautiful people in government?

[magarity]

Ever been to the DMV lately? I'm not surprised there's only 170 total beautiful people in all of government.

Re:Beautiful people in government?

+++ATH0

NO CARRIER

Re:Beautiful people in government?

[Phusion]

Ahh I had a lot of fun with this back in the early 00's. I was too lame to send the packet from the command line, so I had some GUI called ROCKET +++++ ATH0++ or something like that. Ahh youth.

Re:Beautiful people in government?

Ever been to the DMV lately? I'm not surprised there's only 170 total beautiful people in all of government.

Well when you're a nasty looking middle-aged morbidly obese woman it's either DMV, lunch-lady or bus driver.

Re:Beautiful people in government?

[cayenne8]

Ever been to the DMV lately? I'm not surprised there's only 170 total beautiful people in all of government.

Well, if you're talking the DMV...then you are really limiting yourself to a narrow set of the concept of what beauty is....I mean, the DMV is certainly NOT the bastion of racial diversity.

Re: Beautiful people in government?

Early 00's? We were playing with this stuff in the late 80s. :) Ahh youth!

Re:Beautiful people in government?

Ever been to the DMV lately? I'm not surprised there's only 170 total beautiful people in all of government.

Well, if you're talking the DMV...then you are really limiting yourself to a narrow set of the concept of what beauty is....I mean, the DMV is certainly NOT the bastion of racial diversity.

Yes, the one around here is mostly obese black women. One of them wasn't so obese and she was really cute. There was also an Asian guy, he appeared to be of Korean descent. He was the most polite person there by far, though he was a tad "robotic". I guess working at the DMV for a number of years will do that to you. I mean, I'm attracted to women myself, but didn't want to exclude anyone from my description.

A better question is, who the hell goes to DMV a) voluntarily, and b) to get a date?

Re:Beautiful people in government?

[arth1]

A better question is, who the hell goes to DMV a) voluntarily, and b) to get a date?

I don't know about a), but you can date, marry and have children before your number is called. Sometimes there's a half hour wait for the machine where you get a number.

...hair color, weight, job and other details

Any details on how these people are actually beautiful, like number of pageant wins?

Re:...hair color, weight, job and other details

I tried to get a fake Ronnie Coleman account onto the site a couple times (honestly don't recall if I succeeded but I doubt it). You get voted on by existing users in order to activate your membership.

Re:...hair color, weight, job and other details

Any details on how these people are actually beautiful, like number of pageant wins?

I gonna guess exclusion is by weight or BMI. No fat slags allowed. But then, why should we care? It's not like anybody on /. would be on that website.

Re:...hair color, weight, job and other details

[Phusion]

Beautiful people, ugly passwords.

Re:...hair color, weight, job and other details

[jellomizer]

Well that could also exclude muscular people.
Also Fat people in the right spots can be attractive too.

What is the relevance of the gov adresses?

[houghi]

On 1MM addresses, I am amazed that ONLY 170 are gov addresses, but that is not it was worded. Some people just smart enough to not enter their own email address for reason (perhaps they do not have a PC or no Internet at home), but are not smart enough or do not make their Gmail or Hotmail address.

So unless it is some seriously high member of Gov, this is absolute irrelevant information and to me that means that the rest is likely also irrelevant information.

Re:What is the relevance of the gov adresses?

The relevance is that 170 people who were either elected or appointed were too STUPID to use anything other than their work e-mail address.

Re:What is the relevance of the gov adresses?

[ottothecow]

I originally interpreted it as a joke--out of over a million people who have been deemed beautiful enough to participate in an exclusive dating service...only 170 of them are government employees.

But looking at the tweet that announces it, I'd say it is just a judgement of "what idiot uses their government work email to sign up for a dating site"

Re:What is the relevance of the gov adresses?

You realize that the government employs millions of people who are neither elected nor appointed, who still have .gov email addresses to conduct business with... right?

Re:What is the relevance of the gov adresses?

[OzPeter]

So unless it is some seriously high member of Gov, this is absolute irrelevant information and to me that means that the rest is likely also irrelevant information.

So now the Bad Guys[1] have a nice list of people known to be inside government who are vain enough to sign up for a dating site called "Beautiful People" using their government emails. Just by knowing this you know that these are prime targets to be catphished with the aim of delivering malware inside the government systems.

[1] For the threat de jour.

Re:What is the relevance of the gov adresses?

[XxtraLarGe]

So unless it is some seriously high member of Gov, this is absolute irrelevant information and to me that means that the rest is likely also irrelevant information.

I think the significance goes back to the Ashley Madison hack, where it could be shown that it was married people looking for affairs. People on a dating site may or may not be married, so the potential for blackmail is probably greatly reduced.

Re:What is the relevance of the gov adresses?

[bugs2squash]

I didn't think government employees used their gov email addresses for anything, don't they all have personal servers ?

BeautifulPixel?

What does this have to do with beautifulpixel.com?

Re:BeautifulPixel?

Good question, it looks to be some random guy's blog who has nothing at all to do with any of this. TFS could be considered libelous.

Why are things like this tolerated?

Why isn't there condemnation on Slashdot for the hackers doing this? Through no real fault of their own, people have to assume that sites they share information with are secure. If you're posting here, you do it, too. You're trusting Slashdot to not compromise your personal information. These 1+ million people haven't done anything wrong, yet their personal information has been exposed by hackers. Ethics are an important part of technology and that means not using your skills to harm other people. We wouldn't look favorably upon locksmiths using their skills to also be burglars. Why, then, isn't there widespread condemnation of hackers like this on Slashdot? Why is it okay for the people whose information has been exposed to be collateral damage to prove that a site isn't secure?

Re:Why are things like this tolerated?

[ranton]

Why isn't there condemnation on Slashdot for the hackers doing this?

As of the time you posted your comment (15 minutes after the story went live), there was no one on Slashdot saying the victims deserved to be punished. There was one post asking how they determined if someone was attractive enough, which is just an inquiry not a condemnation. Did you post this just assuming there would be a lot of victim shaming in the next few hours?

I for one agree there is nothing wrong with this site. I doubt I would make the cut, but what's wrong with that? When I was on Match.com (where I met my wife) I passed over many people I was not attracted to and I assume many women did the same to me. Sites that cater to a certain group, whether it be religious affinity, wealth, attractiveness, etc. don't strike me as more demeaning than the standard rituals of dating already are. They just make it more efficient.

Re:Why are things like this tolerated?

I was a victim of a hack last year and it was very annoying. Who did I blame? That's right, the company whose woeful security allowed the data to be stolen.

Sure, the hackers are a pain in the arse, but the fact that my data was accessed from something as basic as an SQL injection makes my blood boil.

Re:Why are things like this tolerated?

Why isn't there condemnation on Slashdot for the hackers doing this? Through no real fault of their own, people have to assume that sites they share information with are secure. If you're posting here, you do it, too. You're trusting Slashdot to not compromise your personal information. These 1+ million people haven't done anything wrong, yet their personal information has been exposed by hackers. Ethics are an important part of technology and that means not using your skills to harm other people. We wouldn't look favorably upon locksmiths using their skills to also be burglars. Why, then, isn't there widespread condemnation of hackers like this on Slashdot? Why is it okay for the people whose information has been exposed to be collateral damage to prove that a site isn't secure?

Because we are all too ugly to join and are all therefore far too busy revelling in schadenfreude to care about the personal details of a bunch of egotistical snobs who measure human worth in how closely a person conforms to the bodily fashion ideals of the moment being leaked onto the internet. Anybody who responded to the Shrek virus gimmick and joined that site quite frankly has it coming.

Re:Why are things like this tolerated?

My comment is based on the reaction to other similar data breaches, many of which have been reported about on Slashdot. I don't see this being dissimilar at all from the Ashley Madison data breach. As I recall, several articles were posted about that particular breach. Another example is the articles about security breaches in Facebook. Inevitably there are a lot of comments about how people are foolish to use Facebook, rather than criticizing Facebook for its security and particularly objecting to criminals who exploit such vulnerabilities. You're right that, when I posted this, there were no such comments yet. But prior experience from other articles is why I chose to post this anyway.

Re:Why are things like this tolerated?

[nitehawk214]

People have to assume that sites they share information with are secure.

No we dont.

You're trusting Slashdot to not compromise your personal information.

Hahahaha no. There is not a bit of my personal information in my slashdot account that I am not explicitly making public.

Why is it okay for the people whose information has been exposed to be collateral damage to prove that a site isn't secure?

Who says it is ok? A bunch of people going "shame on you!" isn't going to make hacks happen less often. What we need to do is hold companies that let private data go public to the fire.

Yes, there were a bunch of hypocrites cheering at the Ashley Madison breach, and maybe people jealous of users of this site? But these are not people that care about information security, they are just for any security breach that helps their agenda.

Re:Why are things like this tolerated?

You put your personal info on Slashdot?

Captcha: Condom.

Re:Why are things like this tolerated?

[david_thornley]

I assume that some of the sites I share information with are secure.

I don't care if Wikileaks publicizes all the information on my Slashdot and Facebook accounts, and goes through several other data sources. I assume that Facebook, in particular, is completely insecure, so nothing I don't want on the front page of tomorrow's New York Times goes on it.

However, I have accounts that I really don't want public. I don't want anyone getting into my bank accounts and doing anything with my money (I actually don't care if they know what I spend money on). I use my account on my health care provider's site fairly frequently, and although there's stuff I don't care if anyone knows (I'm going in for a sleep study looking for apnea on Wednesday, for example) there's stuff I really don't want to discuss in public (examples withheld).

Re:Why are things like this tolerated?

You're trusting Slashdot to not compromise your personal information.

... which would be a throwaway e-mail account used for registration (like Mailinator but much less open), a handle I made up, and an IP address in a foreign country belonging to a discreet VPN service that doesn't log anything.

Yeah, I'm really trusting Slashdot! Oh noes! If someone got ahold of that much info, I'd really be up shit creek without a paddle. Oh wait...

I treat all sites like Slashdot with similar precautions. I don't use Facebook. I never signed up for the Panopticon the Net is becoming so fuck 'em. If Google or whoever really wants my marketing data they need to negotiate with me and give me a piece of the $$ pie by my express written consent. They're not entitled to just take what they want. I made no such agreement. Funny, the way using an ad blocker makes you a "thief" but being tracked against your will by companies offering "free" services you don't even use is somehow a quid pro quo. I'm tired of how one-sided this "debate" is so I did something about it. So can you. Learn how tracking works and how to mitigate it, it's not that hard. Then get a VPN.

If you or lots of other people want to bend over because you're too lazy or apathetic, that's your choice and I'm sure the creepy marketing trackers thank you. Consider that you're giving up something that obviously has value (your info) because companies will go to great lengths to get it, and you're doing that for free? Because inaction is easier? How about every company that tracks you (they are legion) whose "free" services you do not use? Seems to me you're getting ripped off. Deny them what they want. Or poison their data with bogus info. Do something.

If you want just one example of what can be done, consider that years ago, just with "loyalty" card data, Target knew when women were pregnant... before the woman herself knew. That was years ago. It's way more invasive than knowing what coffee you like.

Re:Why are things like this tolerated?

Inevitably there are a lot of comments about how people are foolish to use Facebook, rather than criticizing Facebook for its security and particularly objecting to criminals who exploit such vulnerabilities.

People ARE foolish to use Facebook. That's true.

Facebook DOES deserve to be criticized for any faulty security of theirs. That's also true.

Criminals looking for security vulnerabilities is a given. If you run the slightest, lowest-volume, most obscure little internet-facing server of any kind, it will be attacked. Dozens and dozens of times daily, every single day. Tools like SSHGuard are mostly helpful because they keep the bullshit from filling up your auth.log. This is the reality of the internet - it's a hostile network! Anyone who doesn't understand that has no business placing servers onto it. Anyone who does so anyway is simply negligent.

Blaming "the hackers" for a breach is like blaming gravity because you drove your car off a cliff. The problem was not gravity, it was that you weren't watching the road. You knew this planet has gravity. You knew the internet is a hostile network. From simple observation, one can also know that you avoid a whole host of problems by not using sites like Facebook. If you think Facebook is so very important that you just can't live without it, and on a multi-purpose global communications network you just plain can't (won't) find another way to communicate, then you assume a risk. It's that simple, folks.

Article's author mildly illiterate

[DogDude]

"a site dedicated to letting people see if they’re details are available online,"

BeautifulPeople, whew,

[OffTheLip]

finally a data breach I don't need to be concerned I am included in.

So...

... were they really beautiful people or is this just another dating site that engages in false advertising?

Re: So...

... and is it a mirror of the AM database?

Re:So...

[ranton]

... were they really beautiful people or is this just another dating site that engages in false advertising?

In this case a leak of the images and of the votes each person gave on potential new users would be far more interesting than just a users table dump. It could make for an interesting computer vision project identifying attractiveness. Or a project showing how a user's ethnicity affects his/her rating of people of different ethnicities. Plenty of non-PC research topics to go around.

Re: So...

I kind of assumed that's what the tinder / grinder / etc apps were doing. Building up attractiveness profiles so they can give you ads with only people YOU find attractive. Amazing !

Meh...

[Frosty+Piss]

It's been shown in the past that a large number of "members" of these sites, often the majority, are fake, either created by the site itself for marketing purposes (fraud), or "professionals" i.e. hookers.

Law of Converse Website Names

Was first discovered when scientists were studying dating website URLs...

Makes you wonder...

Remember the Ashley Madison data-breach? Remember how it turned out it there were about 20,000 men PER WOMAN on the site, depending on how you count legitimate users? Wouldn't it be funny if it turned out 80 or 90 percent of these "beautiful people" were objectively DOGS?

HAhahahahah!

Re:Makes you wonder...

Given that sexual attractiveness is entirely subjective in nature, you're objectively an idiot.

Beautiful People?

[ERJ]

Thank goodness all of us here at Slashdot are in the clear.

Sorry....but you know someone had to make the joke.

Where is the mention of the photos

[John+Jamieson]

So, personal details are released. No mention of actual photos.... inquiring minds want to know what members actually consider to be a beautiful person

It's mostly fake anyway

All commercial dating sites have > 90% fake female profiles. That's how they get big. There is no other way.

Not much lost here except info for all the keyboards-for-hire and their fake pictures and info.

Nice one, manishs

[Hognoxious]

the creator the "Shrek" virus

There's no end to your talent, is there?

Which would be great if there was a beginning.

Re:Nice one, manishs

Yeah, WTF does BeautifulPeople have to do with BeautifulPixel?

Lonely Hackers

What is a lonely hacker to do when there is so few beautiful people in the lair at any time of the day?