image

Social network for US and UK military personnel exposed the sensitive data of 1.1M users

Forces Penpals, a dating service and social network for members of the US and UK armed forces and their supporters since 2002, was found leaking personal details of over 1.1 million registered users.

This issue was identified by Jeremiah Fowler, a prominent cybersecurity researcher recognized for uncovering and advising on securing misconfigured cloud servers and databases.

According to Fowler’s report for VPNmentor, shared with Hackread.com ahead of its publication on November 20, 2024, the data belonged to Conduitor Limited, which publicly trades as Forces Penpals.

The Exposed Data

The analysis revealed that the leaked information included both Personally Identifiable Information (PII) and sensitive images. Additionally, the exposed data contained Social Security Numbers (SSNs) of unsuspecting users. This echoes the August 6, 2024, breach at National Public Data, where a hacker leaked 3.6 billion records from users in the USA, Canada, and the UK, which also included billions of SSNs.

In the case of Forces Penpals, the server exposed the following data:

  • Images
  • Locations
  • Full names
  • Mailing addresses
  • Social Security Numbers
  • National Insurance Numbers (Similar to SSN in the UK).

Fowler noted that the server also contained additional data that should not have been exposed. This included documents such as proof of service, military ranks, the branch of service the individual belongs to, and other sensitive details.

“The publicly exposed database was not password-protected or encrypted. It contained a total of 1,187,296 documents. In a limited sampling, a majority of the documents I saw were user images, while others were photos of potentially sensitive proof of service documents.”

Jeremiah Fowler

Current Status

Forces Penpals has acknowledged the breach, attributing it to a coding error that misdirected documents and left a directory listing publicly accessible. The company has since taken steps to secure the database.

However, it is still unclear whether any malicious actors accessed the exposed information. Forces Penpals has yet to disclose the duration of the exposure or report any signs of suspicious activity.

It is also unclear whether the data was leaked through the website or the company’s iOS and Android apps. Nevertheless, this incident is a reminder for similar services to focus on data security and safeguard their users’ privacy from growing cyber threats.