UPDATE: This story has been updated with comments from Hzone CEO Justin Robert.
The Hzone app, a dating app for HIV-positive people, leaked user data in December during what the company called a "service optimization process." The app's developers say the leak has since been plugged.
According to DataBreaches.net, a site that tracks information leaks across technology, apps, and websites, nearly 5,000 Hzone users were affected. The exposed data included birthdates, names, IP addresses, sexual orientation, credit card information (for premium accounts), and HIV status. Personal messages and photographs were also exposed.
The leak left thousands of users open to potential identity theft and to the consequences of having their private health information made public.
DataBreaches says it notified Hzone's developers and, after receiving no timely response, filed complaints with the Federal Trade Commission (FTC) and Apple's iTunes Store.
The leak was first reported to DataBreaches on December 8, but the site maintains that the database may have been exposed since November 29 or even earlier. Hzone denies that claim.
"We have secured the database and our server, it is safe to use Hzone in the future," said Hzone CEO Justin Robert. "We will take necessary measures to protect our users' personal information if there is a similar leaking in the future. And we also have developed a system to check if there are strangers accessing our server every 30 minutes. This makes sure we can take measures to prevent leaking in time."
Security experts were still critical of Hzone's response time. "Until the issue was finally fixed on December 13, some 5,027 accounts were fully available on the Internet to anyone who knew how to discover public-faced MongoDB installations," said Steve Ragan at CSO, an online publication about security and risk management.
Robert did acknowledge that the server had been accessed by an outsider, stating, "Someone wrote to our server and changed some of our users' personal information by changing the profile content to 'This app is about users' database leaking, do not use it'."
Robert said the company knows who the hacker is and will take legal action against them.
CSO also documented exchanges between DataBreaches and Hzone regarding the data breach. In one exchange, Hzone's representative questions why DataBreaches would make the leak public and appears to threaten the inquirer with HIV infection.
"Why do you want to do this? What's your purpose? We are just a business for HIV people. If you want money from us, I believe you will be disappointed. And, I believe your illegal and stupid behavior will be notified by our HIV users and you and your concerns will be revenged by all of us. I suppose you and your family members don't want to get HIV from us? If you do, go ahead."
Robert said the statement was a "misunderstanding" and that one of Hzone's customer service representatives had made it in an attempt to stop the customer information from being publicized. He also apologized for the misunderstanding.
In a press release on its site, Hzone issued an apology for the leak and reassured users that it had been plugged. It added that it is investigating anyone who appears to have hacked its database, calling the act "condemnable."
"We firmly believe that any attempt to steal any sort of information is a despicable and immoral act, and reserve the right to sue the involved parties in all relevant courts of law," Hzone said. "Our IT team is working on documenting evidence relevant to all steps of the security breach attempt made by the hackers."
Hzone also claimed the leak was quickly identified and corrected, stating that its security team worked for a week to fix the problem, a far shorter period than DataBreaches alleges the leak lasted.
"We are eager to leave this untoward incident behind us and pursue our goal of bringing the positivity of love and friendship to the lives of HIV positive individuals worldwide," Hzone said, calling on the "members of the HIV positive fraternity" to "be strong and keep the trust going."