Written by Jeff Stone

Tens of millions of records about users of different dating apps have been discovered in a single database that doesn’t include any password protection, according to new research findings.

The records discovered by researcher Jeremiah Fowler mostly were about American users, based on accessible IP addresses and geolocation information. Other data included age, location and account names — a roadmap Fowler followed to identify users across multiple other platforms and dating apps to verify they were real.

A sampling of 10,000 users revealed that 8,063 were from the U.S., 356 were from the U.K., 219 from Canada and 151 from Australia and other random English-speaking countries, he said in an email to CyberScoop.

About 42.5 million records were exposed, Fowler said. Dating logs made up 38.3 million records, while 3.87 million consisted of “geonames,” Fowler said. He did not reveal the location of the database, which uses the Elastic format.

While it’s not clear who controls the leaky database, Fowler accessed the site’s Whois domain registration to find that a subway line in Lanzhou, China was given as the owner’s address. Dialing the phone number only reached a line that had been powered off, he said.

Apps mentioned in the database seemed meant to appeal to as many people as possible, the researcher wrote in a blog post Tuesday, with names ranging from “Christiansfinder” and “Cougardating” to “Mingler” and “Fwbs,” shorthand for “friends with benefits.” Each had a dedicated website or app under those names, Fowler said.

The database also contained Chinese-language commands, which translated to “The model update completion event has been triggered, syncing to the user,” according to Fowler. The only way to contact the developer would be to install the applications.

“I am not saying or implying that these applications or the developers behind them have any nefarious intent or functions, but any developer that goes to such great lengths to hide their identity or contact details raises my suspicions,” Fowler wrote. “Call me old fashioned, but I remain skeptical of apps that are registered from a metro station in China or anywhere else.”

The database, which was still online at press time, did not include financial information, though it did provide a path for outsiders to view personal details about an app user, Fowler wrote.

Fowler’s findings are yet another example of sloppy database-security practices potentially affecting unsuspecting victims. A security researcher in February told CyberScoop about an unrelated database containing information from roughly 14 million Instagram accounts, apparently collected by a third party that was scraping data for analysis later. Motivation in that case could have included targeted marketing or combining leaked usernames with stolen passwords to breach social media identities.