If you've got an account on the wellness-themed dating service MeetMindful, better change your password and log out of Facebook.
That's because malicious data thieves have dumped the details of 2.3 million MeetMindful accounts into an online hacker forum where anyone can grab the 1.2GB database for free.
The now-public user data includes real names, email addresses, street addresses, relationship status, gender, potential-partner preferences, and location by latitude and longitude, according to a ZDNet report.
"Birthdays" is also among the leaked fields, but it wasn't clear whether that includes the year of birth, or just the month and day, which would create less risk of identity theft.
Also leaked were Facebook IDs and session tokens, which let Facebook users stay logged in for a long time. The session tokens might let anyone with that information temporarily log into Facebook accounts, although account hijacking would not be possible without the actual Facebook passwords.
To make sure no one can get into your Facebook account using stolen session tokens, log out of Facebook on all your devices, then log back in.
Harshing our mellow
MeetMindful, which is apparently based in Denver, has been around since 2013. Gizmodo noticed that the dating service's Facebook, Twitter and Instagram accounts had not seen any new posts since April 2020, leading to speculation that the service might be in some sort of tech limbo. Likewise, the service's Android and iOS apps haven't been updated since the winter of 2020.
But MeetMindful was alive enough to post a security advisory, last updated yesterday (Jan. 24), about this data breach.
"We are deeply sorry that this has happened," the MeetMindful security post begins, emphasizing the "deeply."
"This incident applies to users who signed up for MeetMindful prior to March 2020. Users who started an account after March 2020, or have updated their account details since March 2020 have not been affected."
The good news: "No passwords, photos, conversations, matches, credit card data, or other financial information was accessed."
"We have reached out to all likely affected users," the MeetMindful post says. "If you have not received an email from us, directly, you are not affected by this incident."
Most passwords probably safe, but change them anyway
The stored MeetMindful account passwords were hashed using Bcrypt, one of the strongest one-way-hash algorithms available. Even so, you should change your MeetMindful password, just to be sure. The service encourages all users to do that here.
Make sure the password is long and strong, and don't reuse the password on any other account. If you used the same password elsewhere, change it on those accounts too, and make sure the new passwords are all unique. Using one of the best password managers will go a long way toward keeping your online accounts safe and secure.
The data was dumped by a malicious hacker or group of hackers called ShinyHunters — notorious for stealing and then publicizing user data from online services. This past Friday, ShinyHunters dumped data belonging to at least 7 million customers of U.S. menswear retailer Bonobos.