When it was discovered that Hzone, a dating application for HIV-positive singles, was leaking the personal data of its users on the internet, one security researcher told the company that the leak would be written about. Hzone responded by threatening to infect the security researcher with HIV.
Security researcher Chris Vickery realized that Hzone was leaking the personal data of its users on the internet. Anyone who bothered to look would be able to see the birth date, relationship status, religion, country, basic dating information, email address, IP addresses, password and messages of all Hzone users. The dating application currently has more than 5,000 users.
Vickery repeatedly tried to inform Hzone that personal data was being exposed, but he was met with silence. After becoming increasingly tired of the lack of a proper response, Vickery informed the representatives of Hzone that the leak would be written about on his associated website. The response that he received from Hzone was quite shocking.
Hzone said in a reply, “Why do you want to do this? What’s your purpose? We are just a business for HIV people. If you want money from us, I believe you will be disappointed. And, I believe your illegal and stupid behavior will be notified by our HIV users and you and your concerns will be revenged by all of us. I suppose you and your family members don’t want to get HIV from us? If you do, go ahead.”
The admin of Vickery’s associated website, who is known as Dissent, said, “You get the occasional legal threats, and you get the ‘you’ll ruin my reputation and my whole life and my children will wind up on the street’ pleas, but threats of being infected with HIV? No, I’ve never seen that one before, and I’ve reported on other cases involving breaches of HIV patients’ info.”
Hzone eventually apologized for the threat, and they finally fixed their leaky database. However, the company also accused Vickery and Dissent of altering the data. The most likely explanation is that the company simply did not understand how to properly secure the personal information of their users.
Beyond data security issues, Hzone also has many other flawed practices. For instance, once a dating profile is created, it cannot be deleted. Thus, even inactive members will have their personal information exposed in the event of a future data leak. Additionally, Hzone admitted that it never informed its users about the exposure of their personal information.
Needless to say, this is one dating app that has no clue what it is doing.