Group Sex App Leak Tied to White House and Supreme Court

Users of the group sex application 3Fun were exposed recently in a way they never intended, as the entire user base fell victim to a data breach. In all, more than 1.5 million users learned their personal data was exposed due to a design flaw in the app. Unfortunately for these users, the privacy they counted on was an illusion.

What is 3Fun?

3Fun is a mobile app that holds itself out as a “private space” for kinky, open-minded adults to engage in group sex. The app is available worldwide, boasting more than 1.5 million users at the time the app’s vulnerabilities were discovered.

Here’s how the app works:

* A user registers an account and uploads a photo used to verify their identity.
* Users are then recommended profiles for potential hookups based on matching preferences.
* Users have the ability to “like” the other users the app matches them with.
* When two users like each other, the app puts the two in contact with one another.

In what can only be seen as a warning sign, the app makes vague promises about protecting a user’s privacy. According to its website, 3Fun only promises to make its best effort to ensure private information that is submitted through the app would remain private.

How Popular are Group Sex Apps?

As previously mentioned, 1.5 million unique users were enrolled in the app at the time the vulnerability was discovered. Of those, more than 800,000 had verified their account by uploading personal photos. The app is available in multiple countries, and the cities with the most users include:

1. New York City
2. Los Angeles
3. Chicago
4. Houston
5. Phoenix
6. San Antonio
7. San Diego
8. Philadelphia
9. Dallas
10. San Jose
11. San Francisco
12. Las Vegas
13. Washington, D.C.

The Severity of the Vulnerability

In August of 2019, Pen Test Partners published a scathing report into security risks within the 3Fun app. From their research, they determined that poor app design made the personal information of their users easily available to those who were somewhat tech-savvy. The data that was exposed includes:

* The real-time location of the user
* A user’s birthday, sexual preference, and other identifying information
* Private photos

During their investigation, Pen Test Partners discovered that 3Fun stored the private information of each user in the app as opposed to on its private servers. This vulnerability allows savvy users to access the private information each user stored in the app.

One of the most concerning parts of the vulnerability is access to the user’s location. With little trouble, it is possible to obtain the exact latitude and longitude of a user. What’s more, the location of the user can be matched with the user’s profile. This makes it trivially easy to connect a user’s personal information and photo with their exact location.
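The design choice described above, shown as an added example that is not code from 3Fun or from Pen Test Partners: a "before" that sends the whole stored record and leaves the hiding to the app, next to an "after" in which the server decides what leaves it. The field names, the mutual-like rule for private photos and the 5 km distance bucket are assumptions made for illustration, as is the reading that the app received the full record.

```python
import math
from datetime import date

# Constructed sample record as a server might hold it (all values invented).
STORED = {
    "id": 42, "nickname": "sample_user", "birthday": date(1990, 5, 17),
    "lat": 40.712776, "lon": -74.005974, "hide_location": True,
    "public_photos": ["p1.jpg"], "private_photos": ["x1.jpg"],
}

def leaky_view(rec):
    """'Before': ship the whole record and trust the app to hide fields."""
    return dict(rec)

def _distance_km(lat1, lon1, lat2, lon2):
    # Haversine great-circle distance in kilometres.
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def safe_view(rec, viewer_lat, viewer_lon, matched, today):
    """'After': the server filters; raw coordinates and birthday never leave."""
    b = rec["birthday"]
    age = today.year - b.year - ((today.month, today.day) < (b.month, b.day))
    out = {"id": rec["id"], "nickname": rec["nickname"], "age": age,
           "photos": list(rec["public_photos"])}
    if matched:  # assumed rule: private photos only after a mutual like
        out["photos"] += rec["private_photos"]
    if not rec["hide_location"]:
        d = _distance_km(viewer_lat, viewer_lon, rec["lat"], rec["lon"])
        # Coarse bucket (rounded up to 5 km) instead of a precise distance.
        out["distance_km_max"] = max(5, math.ceil(d / 5) * 5)
    return out

SENSITIVE = {"lat", "lon", "birthday", "private_photos", "hide_location"}

def leaked_fields(response):
    """Audit helper: sensitive keys present in an outgoing response."""
    return sorted(response.keys() & SENSITIVE)
```

Running `leaked_fields` over captured API responses in a test suite gives a regression check that a later change has not put these fields back on the wire.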

Exposed Data in Seats of Power

The leak of users’ location led to some surprising discoveries. There were numerous users that were purportedly located within the seats of power in the United States and the United Kingdom. According to the map data provided by Pen Test Partners, there were active users within the White House, the Supreme Court, and London’s Number 10 Downing Street.

Upon discovering the vulnerabilities, Pen Test Partners contacted 3Fun to request they fix them. It is worth noting that it is possible to fake location data. In other words, Pen Test Partners could not say with certainty that the users who appeared to be inside the Supreme Court or the White House were really there; they could have simply “spoofed” their location.

Other Notable Dating App Data Breaches

3Fun is not the first dating or relationship application to suffer from a data breach. In fact, it is part of a concerning trend regarding these apps. These breaches have led to a discussion regarding the amount of private data we store in dating apps. Other notable breaches include:

**JCrush:** JCrush is a dating app for Jewish singles. In June of 2019, a lapse in security left a database used to store private user data without a password. This allowed anyone who knew how to find the server to access sensitive user data, including the text of private messages. In total, more than 200,000 users had their private data compromised. These records were not encrypted, and also included the user’s name, gender, e-mail address, sexual preference, and location.

**Donald Daters:** A dating app for conservative voters named after President Donald Trump incurred a database leak within hours of going live. The breach resulted in all 1,600 users having their data exposed. The app had a number of security issues that made downloading the entire user database simple. The data breach included users’ names, pictures, and private messages. In response, the app maker disabled the chat function and pulled down the database of user information until the security breaches could be addressed.

**Rela:** The most popular dating app for lesbian women in China. Altogether, more than 5 million users had their intimate details exposed. Much like the JCrush breach, the owners of Rela mistakenly left the server that contained private user data without a password. In March 2019, the owners quickly pulled the app from app stores in order to rectify the issue. It is estimated that the database remained unprotected from June of 2018 until March of 2019. Shortly after the breach was announced, the app maker assured users the issue had been fixed.

How to Discover if You Are a Victim of a Data Breach

Data breaches come in various forms. If you are concerned that your e-mail has been compromised through a hack or data breach, take advantage of the free hacking checker at CheckThem. In a matter of seconds, CheckThem can inform you if your e-mail address has turned up in records found on the dark web. You can take control of your security online, but only if you take the necessary steps to determine if your information has been compromised.