BeautifulPeople.com, you may remember, is a dating site that allows members to vote on hopeful enlistees based on their looks, ensuring that people who belong meet certain standards of both attractiveness and shallowness. It bills itself as “a dating site where existing members hold the key to the door.” Turns out, the site maybe should have put them in charge of server security, as well. The personal data of 1.1 million members is currently for sale on the black market, after hackers took it from an insecure database.

The Hack

Last December, security researcher Chris Vickery made a curious discovery while browsing through Shodan, a search engine that lets people look for internet-connected devices. Specifically, he was looking through the default port designated for MongoDB, a type of database-management software that, until a recent update, had blank default credentials. If someone using MongoDB didn’t bother to set up their own password, they would be vulnerable to anyone just passing through.

“A database came up called, I believe, Beautiful People. I looked in it, and it had several sub-databases. One of those was called Beautiful People, and then it had an accounts table that had 1.2 million entries in it,” says Vickery. “When that type of thing comes up and it’s called ‘Users,’ you know you’ve hit something interesting that shouldn’t be available.”

Vickery informed Beautiful People that its database was exposed, and the site quickly moved to secure it. Apparently, though, it didn’t move quickly enough; at some point, the dataset was acquired by an unknown party, which is now selling it on the black market.

For its part, Beautiful People has attempted to explain away the breach by saying it only affected a “test server,” as opposed to one in use for production, but that’s a meaningless distinction, says Vickery.

“It makes no effing difference in the world,” says Vickery. “If it’s real data that’s in a test server, then it might as well be a production server.”

Who’s Affected?

If you were a Beautiful People member before last Christmas—the vulnerability was addressed on Dec. 24—you may well be! You can check for sure at HaveIBeenPwned, a site operated by security researcher Troy Hunt.

Update: In an emailed statement, a Beautiful People spokesperson says: "The breach involves data that was provided by members prior to mid July 2015. No more recent user data or any data relating to users who joined from mid July 2015 onward is affected," and adds that all impacted members are being notified, as they were when the vulnerability was originally reported in December.

How Serious Is This?

In terms of scale, it’s nowhere near as bad as last year’s 39 million-member Ashley Madison hack. The information that’s leaked also isn’t quite as devastating as being outed as an active adulterer, and Beautiful People says no passwords or financial data were exposed.

Still, as you might imagine, a dating site knows a whole lot about you that you might not want broadcasted to the world. Forbes, which first reported the breach, notes that it includes physical attributes, email addresses, phone numbers, and salary information—over “100 individual data attributes,” according to Hunt. Not to mention millions of personal messages exchanged between members.

Even more serious, perhaps, is the issue of database security at large. Until MongoDB improved security with version 3.0 last spring, says Vickery, its default was to ship its software with no credentials required at all.

That’s not ideal, but the onus is still on companies like Beautiful People to put in the effort to lock down the sensitive information with which they’re entrusted. Especially since it’s so easy to do so, as MongoDB understandably wants to stress. "The potential issue is a result of how a user might configure their deployment without security enabled," says MongoDB VP of Strategy Kelly Stirman.
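To make concrete what “a deployment without security enabled” looks like, here is an added illustration (not from the article, and not MongoDB’s or Beautiful People’s own configuration): a mongod.conf fragment in the weak form the article describes, followed by the hardened form. The interface address and port are assumptions, and the `db.createUser` step in the comments is the standard follow-up once authorization is switched on.

```yaml
# --- Weak deployment (the pre-3.0 style the article describes) ---
# Listens on every interface and accepts any client with no credentials,
# which is exactly what makes the instance findable and readable via Shodan.
net:
  bindIp: 0.0.0.0        # assumption: exposed on all interfaces
  port: 27017            # MongoDB default port
security:
  authorization: disabled

---
# --- Hardened deployment ---
# Require authentication and stop listening on public interfaces.
net:
  bindIp: 127.0.0.1      # assumption: only local/app-tier clients; use a private address or VPN if remote access is needed
  port: 27017
security:
  authorization: enabled # every client must authenticate; role-based access applies
# After restarting with authorization enabled, create at least one admin
# account from a local mongo shell before anything else connects, e.g.:
#   use admin
#   db.createUser({ user: "admin", pwd: "<strong-random-password>",
#                   roles: [ { role: "userAdminAnyDatabase", db: "admin" } ] })
# Then give the application its own least-privilege user on its own database.
```

A quick self-check after the change is to connect from a client without credentials and confirm that listing databases is refused; if it still succeeds, the config was not reloaded or a second, unmanaged instance is running.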

“A trained monkey could have protected [this database],” says Vickery, with a more blunt assessment. “That’s how easy it is to protect. It’s an incredible oversight, it’s massive negligence, but it happens more often than you think.”

Whatever you may think of a site like Beautiful People, the insecurities that prop it up shouldn't extend to its stash of sensitive data.

This post has been updated to include comment from Beautiful People and MongoDB.