Online daters at Guardian Soulmates targeted with sexually explicit spam after data left exposed

“Human error” to blame for data spill.

Online daters at Guardian Soulmates targeted with sexually explicit spam after data left exposed

Looking on love online can get you into all sorts of unpleasant pickles, but you probably like to imagine that the dating site you’re using is doing a decent job of hiding your private details from wrong ‘uns.

Sadly, that’s not the story at Guardian Soulmates, run by The Guardian, which offers the perfect place for the left-leaning urban intellectual to meet the quinoa quiche-eating, open-toed sandal-wearing partner of their dreams.

As BBC News reports, some Guardian Soulmates users have been receiving unsolicited sexually explicit emails that could curdle the liberals’ lattes with their saucy language.

Sign up to our free newsletter.
Security news, advice, and tips.

In short, somehow a spammer has managed to get their hands on the usernames and email addresses of some Guardian Soulmates users. Those details could then be used to access members’ public profiles, and discover their relationship preferences, physical description and carefully-selected photograph.

The information could potentially be used by a scammer, perhaps by contacting the user via their email address and tricking them into handing over further information.

It appears that one of Guardian Soulmates’ users blew the whistle on the breach, having been contacted at an email address they only used for the site with a message which referred to their username.

Past security breaches at sites like Ashley Madison, Adult Friend Finder and BeautifulPeople have rung alarm bells about the risks of ‘dating’ site data breaches.

(Of course, Guardian Soulmates isn’t directly comparable to the rather seedy sites listed above, but the dangers of a data breach remain.)

Fortunately, it appears so far that few Guardian Soulmates users have reported the offending messages, and there don’t appear to have been more malicious attempts to exploit the leaked information, suggesting little reason to panic.

That’s an opinion shared by Ilia Kolochenko, CEO of web security firm High-Tech Bridge:

“So far, I don’t see many reasons for panic – the number of confirmed spam emails is very insignificant compared to the entire Soulmates database. Therefore, we can reasonably suppose that only a small amount of data was breached or leaked. Moreover, the spam campaign is apparently classic spam ads, and not a sophisticated targeted attack against website users. It’s difficult to make any conclusions without additional technical details about the incident, but the data can even come from public sources – many users of dating websites (un)intentionally expose their profile with their email on social networks for example.”

Nonetheless, it certainly wouldn’t do any harm to remain vigilant if you are a Guardian Soulmates user and be cautious of unsolicited messages that you might receive. You may also, if you are concerned, change your password – and ensure that you are not using the same password anywhere else on the internet.

In a statement shared with the press, Guardian News & Media apologised and blamed the data leak on a goof by one of an unnamed third-party technology provider:

We can confirm we have received 27 enquiries from our members which show evidence of their email addresses used for their Soulmates account having been exposed.

We take matters of data security extremely seriously and have conducted thorough audits of all our internal systems and are confident that no outside party breached any of these systems. Our ongoing investigations point to a human error by one of our third party technology providers, which led to an exposure of an extract of data. This extract contained only members’ email addresses and user ID which can be used to find members’ publicly available online profiles.

We have taken appropriate measures to ensure this does not happen again, and we continue to review our processes and third party suppliers.

Concerned users are asked to contact [email protected]. UK data watchdog the Information Commissioner’s Office (ICO) is said to be aware of the incident, and “will be looking into the details”.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.