Forces Penpals dating / social networking service for military servicemembers leaks user data
Forces Penpals, a social media and dating site focused on military servicemembers, is reported to be leaking its users' data. The leak was discovered by cybersecurity researcher Jeremiah Fowler, who reported the findings to vpnMentor.
Forces Penpals, established in 2002, has evolved from its original mission of connecting UK citizens with soldiers serving in Iraq or Afghanistan to become a full-blown social networking platform that boasts over 290,000 military and civilian users across its website, forum, and mobile applications available on both iOS and Android platforms.
The breach was caused by an unprotected database containing over 1.1 million records (specifically 1,187,296 documents) from the military-focused dating and social networking service. The exposed database lacked both password protection and encryption, leaving sensitive user information openly accessible. Exposed data includes:
- User images
- Proof of service documents
- Full names (first, middle, last)
- Mailing addresses
- Social Security Numbers (US)
- National Insurance Numbers (UK)
- Service Numbers (UK)
- Military rank
- Branch of service
- Service dates
- Military locations
- Other sensitive military-related information
The number of exposed individuals has not been disclosed.
After receiving the responsible disclosure from Fowler, Forces Penpals attributed the exposure to a coding error that misdirected documents to an incorrect bucket while leaving directory listing enabled. They closed access to the bucket within one day of the report.
The exact duration of the database's exposure remains unknown, and only an internal forensic audit could determine if any unauthorized access occurred during the exposure period. The timing of the leak is concerning given recent reports from October 2024 about Russian intelligence-linked hacking attempts targeting Western military and intelligence personnel.