On Thursday, online dating site and app Coffee Meets Bagel informed users of a data breach affecting the company and laid out the actions they were taking to mitigate the issue, according to BuzzFeed News. The breach was originally reported on by the Register on Feb. 11; after Coffee Meets Bagel learned of the breach, they “quickly took steps to determine the nature and scope of the problem,” they wrote in their email notification to affected users, which the company provided to Bustle. Only emails and names were included in the breach; according to the company, no other user information was compromised. (Coffee Meets Bagel does not store financial information or passwords.)
The irony of the notification arriving on Valentine’s Day has not escaped anyone — neither those on the receiving end, nor those who sent it. “With online dating, people need to feel safe. If they don't feel safe, they won't share themselves authentically or make meaningful connections,” Coffee Meets Bagel said in a statement provided to Bustle. “We take that responsibility seriously, so we informed our community as soon as possible — regardless of what calendar date it fell on — about what happened and what we are doing about it.”
The issue is not limited to Coffee Meets Bagel; according to the Register, as many as 620 million accounts across 16 companies and websites have been compromised as part of a much larger breach.
According to the email Coffee Meets Bagel sent to potentially affected users, the company learned on Feb. 11 that “an unauthorized party gained access to a partial list of user details” in May of 2018. This “partial list” included names and emails, but no other user information. Because the company does not store any financial information, like credit card numbers or banking information, or passwords, these sensitive details were not compromised in the breach.
Coffee Meets Bagel has taken a variety of steps to lock down user details and ensure safety going forward, states the email. These steps include calling in “forensic security experts to conduct a review of our systems and infrastructure,” auditing and reviewing “vendor and external systems… to ensure there are no compliance issues or third-party breaches,” and beefing up the company’s systems in order to both “detect and prevent unauthorized access to user information.” They are also continuing to “monitor for suspicious activity,” as well as working with law enforcement.
“The security of your information is important to us, and we apologize for any inconvenience this may have caused you,” wrote the company in the email. “As always, if you have any questions or need any additional information, please do not hesitate to contact us.”
According to the Register, the data of the 16 companies affected by the larger breach was stolen at various points throughout 2017 and 2018, although in one instance, the data may have been taken as early as 2016. Six of the companies have not confirmed an investigation or a breach; the remaining 10 have launched investigations and/or confirmed they were affected, notified users, and taken steps to enhance security, such as resetting user passwords and auditing and reviewing various systems.
To protect your personal data, cyber security experts recommend changing your passwords frequently, making sure those passwords are strong, never using the same password for more than one site, being mindful of what you do and don’t share on social media, and watching what you click on — especially if it’s in an unsolicited email.