SINGAPORE: Personal details of users of popular dating app Coffee Meets Bagel (CMB) may have been "acquired by an unauthorised party", the company said on Thursday (Feb 14).

The San Francisco-based company notified users of the breach in a mass email on Thursday.



"On Feb 11, 2019, we learned that an unauthorised party gained access to a partial list of user details. Once we became aware, we quickly took steps to determine the nature and scope of the problem," the company wrote.



The affected information consists of names and emails prior to May 2018.

"As a reminder, we never store any financial information or passwords," said CMB.



According to a report on tech news website the Register, as many as 6 million accounts on Coffee Meets Bagel have been compromised. Account databases from 16 hacked websites, comprising a total of 617 million accounts, were listed for sale on the dark web for less than US$20,000 in Bitcoin.



However, the passwords are said to be hashed, or one-way encrypted. They cannot be used unless cracked beforehand.

A Channel NewsAsia reader said she was notified about the breach by CMB via email on Thursday. Prior to this, she had deleted her account in May 2018. CMB customer service confirmed her account had been "permanently deleted" and her personal data removed, but she still received the email.



CMB said that steps are being taken to protect their users, and they have engaged forensic security experts to review their systems. Vendor and external systems are being audited and reviewed to ensure there are no compliance issues or third party breaches.

"We continue to monitor for suspicious activity and we are coordinating with law enforcement authorities regarding this incident," the statement read.



"As always, we recommend you take extra caution against any unsolicited communications that ask you for personal data or refer you to a web page asking for personal data. We also recommend avoiding clicking on links or downloading attachments from suspicious emails."

In response to queries from Channel NewsAsia, CMB said no other user information was compromised apart from emails and names.

The incident was part of a larger breach affecting 620 million accounts across 16 companies as reported on the Register, it said.

“With online dating, people need to feel safe. If they don't feel safe, they won't share themselves authentically or make meaningful connections.

"We take that responsibility seriously, so we informed our community as soon as possible - regardless of what calendar date it fell on - about what happened and what we are doing about it,” said CMB.