Dating app Coffee Meets Bagel emailed users today – Valentine's Day – to alert them there had been a data breach.
Jenn Takahashi of Coffee Meets Bagel told BuzzFeed News, "we informed our community as soon as possible—regardless of what calendar date it fell on—about what happened and what we are doing about it." She confirmed that 6 million Coffee Meets Bagel users were affected.
According to the email sent to users, a data breach was discovered on Feb. 11. Some user data from before May 2018 was accessed by a third party. Names and email addresses were exposed, but not passwords or any credit card info.
Last summer, Coffee Meets Bagel, which until then required a Facebook account to log in, added the option of logging in using a phone number instead. At the time, this was advertised as a more private option after the Cambridge Analytica scandal. "We love Facebook for our gossip and friends update fix just as much as the next user, but unfortunately, Facebook and email login options pose higher risks — like the possibility of users creating multiple fake accounts," the company said at the time. It's unclear if the new login method is related to the data breach, or how many total users were affected.
Shortly after that announcement, Facebook in September announced that a security issue could have exposed millions of users’ personal information.
Earlier this week, it was reported that 617 million stolen accounts, including the 6 million from Coffee Meets Bagel, were listed for sale on the dark web for bitcoin. These were the affected sites, according to The Register:
Dubsmash, MyFitnessPal, MyHeritage, ShareThis, HauteLook, Animoto, EyeEm, 8fit, Whitepages, Fotolog, 500px, Armor Games, BookMate, CoffeeMeetsBagel, Artsy, and DataCamp
Here's Coffee Meets Bagel's Valentine's Day email to users:
We recently discovered that some data from your Coffee Meets Bagel account may have been acquired by an unauthorized party. We would like to make sure you have the facts about what happened, what information was involved, and the steps we are taking to help protect you.
On February 11, 2019, we learned that an unauthorized party gained access to a partial list of user details. Once we became aware, we quickly took steps to determine the nature and scope of the problem.
What information was involved?
The affected information only includes your name and email address prior to May 2018. As a reminder, we never store any financial information or passwords.
What are we doing
We have taken steps to protect our community, including the following:
• We have engaged forensic security experts to conduct a review of our systems and infrastructure.
• Vendor and external systems are being audited and reviewed to ensure there are no compliance issues or third party breaches.
• We continue to monitor for suspicious activity and we are coordinating with law enforcement authorities regarding this incident.
• We continue to make enhancements to our systems to detect and prevent unauthorized access to user information.
What you can do
As always, we recommend you take extra caution against any unsolicited communications that ask you for personal data or refer you to a web page asking for personal data. We also recommend avoiding clicking on links or downloading attachments from suspicious emails.
The security of your information is important to us, and we apologize for any inconvenience this may have caused you. As always, if you have any questions or need any additional information, please do not hesitate to contact us.
Statement by Ms. Takahashi of Coffee Meets Bagel added.