2.3 million hit by dating site data breach: What to do

If you've got an account on the wellness-themed dating service MeetMindful, better change your password and log out of Facebook.

That's because malicious data thieves have dumped the details of 2.3 million MeetMindful accounts into an online hacker forum where anyone can grab the 1.2GB database for free.

The now-public user data includes real names, email addresses, street addresses, relationship status, gender, potential-partner preferences, and location by latitude and longitude, according to a ZDNet report.

"Birthdays" is also among the leaked fields, but it wasn't clear whether that includes the year of birth, or just the month and day, which would create less risk of identity theft.

Also leaked were Facebook IDs and session tokens, which let Facebook users stay logged in for a long time. The session tokens might let anyone with that information temporarily log into Facebook accounts, although account hijacking would not be possible without the actual Facebook passwords. 

To make sure no one can get into your Facebook account using stolen session tokens, log out of Facebook on all your devices, then log back in.

Harshing our mellow

MeetMindful, which is apparently based in Denver, has been around since 2013. Gizmodo noticed that the dating service's Facebook, Twitter and Instagram accounts had not seen any new posts since April 2020, leading to speculation that the service might be in some sort of tech limbo. Likewise, the service's Android and iOS apps haven't been updated since the winter of 2020.

But MeetMindful was alive enough to post a security advisory, last updated yesterday (Jan. 24), about this data breach. 

"We are deeply sorry that this has happened," the MeetMindful security post begins, emphasizing the "deeply." 

"This incident applies to users who signed up for MeetMindful prior to March 2020. Users who started an account after March 2020, or have updated their account details since March 2020 have not been affected."

The good news: "No passwords, photos, conversations, matches, credit card data, or other financial information was accessed."

"We have reached out to all likely affected users," the MeetMindful post says. "If you have not received an email from us, directly, you are not affected by this incident."

Most passwords probably safe, but change them anyway

The stored MeetMindful account passwords were hashed using bcrypt, one of the strongest one-way-hash algorithms available. Nonetheless, you should change your MeetMindful password anyway, just to be sure. The service encourages all users to do that.

Make sure the password is long and strong, and don't reuse the password on any other account. If you used the same password elsewhere, change it on those accounts too, and make sure the new passwords are all unique. Using one of the best password managers will go a long way toward keeping your online accounts safe and secure.

The data was dumped by a malicious hacker or group of hackers called ShinyHunters — notorious for stealing and then publicizing user data from online services. This past Friday, ShinyHunters dumped data belonging to at least 7 million customers of U.S. menswear retailer Bonobos.

Paul Wagenseil
