PlanetDrugsDirect, a Canadian online pharmacy, has been breached, and its customers' data are very much in the wind. An unknown number of customers received an email which, according to BleepingComputer, reads in part: "Our investigation to date indicates that your exposed data may include your name, address, e-mail address, phone number, medical information including prescription(s), and payment information. At this moment, there is no evidence to suggest passwords for online account access has been compromised.... We assure you that we are working diligently to complete the investigation and to rectify the situation." PlanetDrugsDirect's standing statement on privacy and security may be found on their site, but as of this afternoon the site makes no mention of the breach.
More than seventy thousand photos, almost all of them of women, have been scraped from Tinder and placed in an online criminal forum, Gizmodo reports. The pictures were accompanied by a text file with about sixteen thousand user credentials thought to be associated with the pictures. "Given the context of this being a dating app, there are photos a person may not necessarily want presented to the public," Aaron DeVera of the cybersecurity firm White Ops told Gizmodo, and given current courtship usages, one can only agree. "Further," DeVera added, "not only is it sorted by userID, but it is also sorted by whether or not there is a face in the picture. This might indicate that someone is intending to use the Tinder profiles to train biometric software, possibly a face recognition system." That's happened before. In 2017 a researcher at Kaggle, a Google machine learning and data science subsidiary, scraped forty thousand selfies from Tinder for the purposes of training facial recognition AI. TechCrunch reported at the time that Tinder considered this a violation of its terms and conditions, but evidently the dating service hasn't fully closed such access to its users' data.
In any case, training AI, while doubtless creepy enough, is probably the best of a bunch of bad possible outcomes. The photos could be used for catphishing at scale, for identity theft, and even as a mode of fraudulent authentication of data ownership under privacy laws, as we saw yesterday in a New York Times investigation.
As we also noted recently, Tinder is one of the popular apps mentioned in dispatches by Norway's Consumer Council, which has found widespread oversharing of users' personal information with advertising platforms. "The advertising industry is systematically breaking the law," as the Council's announcement put it. Naked Security has a convenient summary of the findings.