Dating site Guardian Soulmates hacked, users hit with explicit spam

09 May 2017

Users of the UK dating site Guardian Soulmates have been targeted with sexually explicit spam emails after their contact information was accidentally exposed.

Information from users' profiles was included in the spam messages.

The Guardian newspaper's publisher Guardian News & Media, which runs the service, said "human error" was at fault. It blamed a third-party technology provider for the problem, which has now been fixed.

The BBC was contacted by one user who said they had started receiving sexually explicit spam emails sent to an account they only used with the dating service. Their Guardian Soulmates username appeared in the messages.

The person, who requested that they remain anonymous, said they first contacted Soulmates six months ago because they were concerned about what other data may have been taken.

"I basically had been receiving spam […] directly referencing information that could only have come from the Soulmates database," said another affected user, who also wished to remain anonymous.

"It's all information that I was happy to put online at one point anyway, but when it's used outside of context like that it does feel a lot more creepy."

The user told the BBC that they alerted Guardian Soulmates in November last year and received an email confirming what had happened in late April.

While the user - who works in IT - said they understood that incidents like this can occur, they were also surprised to be affected as they had not used the site for several years and were no longer paying a membership fee.

"I'm still pretty miffed that I'll probably forever receive spam from this," they added.

A spokeswoman for the site, which costs users up to £32 per month, added that while only email addresses and user IDs had been exposed directly, such information could be used "to find members' publicly available online profiles".

Details on public profiles, such as a photo, relationship preferences and physical description, could then potentially be accessed.

"We can confirm we have received 27 enquiries from our members which show evidence of their email addresses used for their Soulmates account having been exposed," the spokeswoman said, adding that there was no evidence that the data exposure had been caused by an outside party.

"Our ongoing investigations point to a human error by one of our third-party technology providers, which led to an exposure of an extract of data," she said.

Guardian News & Media had apologised to affected users and would "continue to review" its processes and third-party suppliers, she told the BBC.

The Information Commissioner's Office (ICO) has said it is "aware of a potential incident involving Guardian Soulmates and will be looking into the details".

"The law requires all organisations handling personal data to take appropriate measures to keep that information secure," a spokeswoman said.

"As the regulator, it's our job to act on behalf of the UK public to see whether that's happened."

Data made available by the exposure could have been used in a variety of ways by scammers, Prof Alan Woodward, a cyber-security expert at the University of Surrey, told the BBC.

He pointed out that Guardian Soulmates was the latest in a long line of incidents where users' personal data has been made public either accidentally or following cyber-attacks.

"It's almost depressing really that it keeps happening - particularly on something like a dating site, which I think most people would consider to be a bit more sensitive," he said.

"When we start using an online service of any nature, we put our trust in people to protect our information."