HIV Dating App Company Threatens Press With HIV Infection For Reporting On Personal Info Leak

from the high-five dept

Wed, Dec 16th 2015 12:52pm — Timothy Geigner

It's not uncommon to see threats towards the press occur when someone has been embarrassed. Whether it's an idiotic presidential campaign mad over a rape allegation or an attorney general pissed off at reporters who are attempting to, you know, report, these things happen. Perhaps even more common are threats against the press when they report on security exploits, such as when Sony demanded the end of the publication of documents the press got after one of the many, many times Sony has been hacked.

But I've never seen a company threaten to infect a member of the press with HIV before. This strange tale starts with an app called Hzone, which is a dating application for singles that are HIV positive. And, hey, why not? The HIV-infected need love, too. But running a site like that would seem to come with a particularly dire need for security, which should not result in the user database for the app being publicly exposed to the internet, as it was a few weeks ago.

Today's story is strange, but true. It's brought to you by DataBreaches.net and security researcher Chris Vickery. Vickery discovered that the Hzone application was leaking user data, and properly disclosed the security issue to the company. However, those initial disclosures were met with silence, so Vickery enlisted the help of DataBreaches.net.

So, as too often seems to happen with these cases, a researcher found a security flaw and brought it to the company's attention, only to be completely ignored. Then the researcher goes to a press outlet, DataBreaches.net in this case. Even as Vickery continued to let the company know about the leak, the database remained exposed. And this is a database, I feel compelled to remind you, filled with the personal information of HIV infected persons. The issue wasn't fixed until mid-December, some three weeks or more since the issue was initially reported. At about that same time, DataBreaches informed Hzone that it would be reporting on the leak.

And that's when this tale takes a strange and disgusting turn.

Finally, when DataBreaches.net informed Hzone that the details of the security issues would be written about, the company responded by threatening the website's admin (Dissent) with infection.

"Why do you want to do this? What's your purpose? We are just a business for HIV people. If you want money from us, I believe you will be disappointed. And, I believe your illegal and stupid behavior will be notified by our HIV users and you and your concerns will be revenged by all of us. I suppose you and your family members don't want to get HIV from us? If you do, go ahead."

Ah, the old "We'll just infect you and your family with HIV, haha!" tactic to silence reporters. This is a company that, again, caters directly to the community of the HIV infected, exposed that community's personal information, and then used HIV infection as a cheap threat on a reporter simply for reporting on the leak. Why would anyone want anything to do with these people any longer? And, while barely apologizing, Hzone appears to be more interested in doing CYA than true security.

Hzone later apologized for the threat, but it still took them some time to fix their flawed database. The company accused DataBreaches.net and Vickery of altering data, which led to speculation that the company didn't fully understand how to secure user information. An example of this is one email where the company states that only a single IP address accessed the exposed information, which is false considering Vickery used multiple computers and IP addresses.

On top of that, Hzone responded to a question by DataBreaches as to whether or not the company bothered to inform its users that their personal information had been compromised.

"No, we didn't notify them. If you will not publish them out, nobody else would do that, right? And I believe you will not publish them out, right?"

Oops.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: apps, hiv, leaks, press

25 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

wereisjessicahyde (profile), 16 Dec 2015 @ 1:06pm

Seems a bit harsh.
Couldn't they just give them the Flu for a first offence?
[ link to this | view in chronology ]
Anonymous Coward, 16 Dec 2015 @ 1:08pm

Childish threats are just that, but this sort of pervasive 'non-notification' mentality within the HIV community is a bit scary.
[ link to this | view in chronology ]
Max (profile), 16 Dec 2015 @ 1:13pm

In completely unrelated news, the good ole' "just kill the #$@%#$^%ing messenger" mentality is still alive and well...
[ link to this | view in chronology ]
Mason Wheeler (profile), 16 Dec 2015 @ 1:14pm

I wonder if these guys are aware that it is specifically a felony to knowingly infect someone with the HIV virus. (They really should, being specialists in HIV-related issues and all.)

Isn't threatening to commit a felony against someone a pretty serious crime in and of itself?
[ link to this | view in chronology ]
- Machin Shin (profile), 16 Dec 2015 @ 1:19pm
  
  Re:
  Well if you really think about it. They threatened a biological attack against the publisher. They are just lucky their name doesn't sound Muslim or they would be charged as terrorist and locked away. Well, they might just skip the whole "charged" thing and skip straight to locking them up.
  [ link to this | view in chronology ]
  - Anonymous Coward, 16 Dec 2015 @ 1:37pm
    
    Re: Re:
    this is because the hiv crowd has already been through the gamut and has effectively shut down the debate and become a protected class compared to muslims.
    [ link to this | view in chronology ]
    - Anonymous Coward, 16 Dec 2015 @ 1:42pm
      
      Re: Re: Re:
      this is because the hiv crowd has already been through the gamut and has effectively shut down the debate and become a protected class compared to muslims.
      
      Actually muslims are also a protected class in many circles - they even have their own "phobia" word to prove it.
      [ link to this | view in chronology ]
    - Pronounce (profile), 16 Dec 2015 @ 2:17pm
      
      Re: Re: Re:
      Right, a coworker of mine was fired for letting a foster care family know that a child was HIV positive.
      [ link to this | view in chronology ]
sehlat (profile), 16 Dec 2015 @ 1:19pm

Whiskey Tango Foxtrot?
"No, we didn't notify them. If you will not publish them out, nobody else would do that, right? And I believe you will not publish them out, right?"
That sounds a lot like the advocates of encryption backdoors who claim only the good guys will use them?
[ link to this | view in chronology ]
- Machin Shin (profile), 16 Dec 2015 @ 1:24pm
  
  Re: Whiskey Tango Foxtrot?
  Yeah, I found that really strange. Seems like they are saying, "Hey, your a nice guy and didn't publish those so all hackers must be swell guys. You didn't publish it so no one else will"
  [ link to this | view in chronology ]
AricTheRed (profile), 16 Dec 2015 @ 2:10pm

Technology!
Ah, the old "We'll just infect you and your family with HIV, haha!" tactic to increase the user base and boost that IPO price of your tech startup!
[ link to this | view in chronology ]
- AricTheRed (profile), 16 Dec 2015 @ 2:11pm
  
  Re: Technology!
  By the way, who are these folks backed by? Martin Shkreli?
  [ link to this | view in chronology ]
- Anonymous Coward, 16 Dec 2015 @ 3:29pm
  
  Re: Technology!
  The best viral marketing campaign is going viral, after all.
  [ link to this | view in chronology ]
Coyne Tibbets (profile), 16 Dec 2015 @ 2:23pm

Horse's head
"You some kinda wise guy? If you talk about our leak, we gonna put a horse's head in your bed."
[ link to this | view in chronology ]
Mark Wing, 16 Dec 2015 @ 2:35pm

More virulent than an SQL injection attack, the HIV injection attack infects both web sites and people.
[ link to this | view in chronology ]
That Anonymous Coward (profile), 16 Dec 2015 @ 2:47pm

These idiots have no business being in control of peoples data.

I applaud them for building a dating app for people who serosort, but their disregard and willingness to lie to protect the image over the customers is appalling.

I was also annoyed to learn that apparently if you sign up, you can never get your profile removed even if you quit. Holding on the data like that makes one wonder who else they are providing the data to (and what other things they can scrape via the app).

Things like this are why there needs to be mandatory reporting of leaks/breaches with hefty fines for trying to cover it up.
[ link to this | view in chronology ]
Anonymous Coward, 16 Dec 2015 @ 2:57pm

What the fuck?
[ link to this | view in chronology ]
Anonymous Coward, 16 Dec 2015 @ 11:30pm

So basically, "If you don't support our lifestyles over yours, we will fuck you up, literally".

Par for the course.
[ link to this | view in chronology ]
- That Anonymous Coward (profile), 17 Dec 2015 @ 4:31am
  
  Re:
  So basically, "I can't be bothered to read the article and I will spout off with stupid comments."
  
  This has NOTHING to do with a lifestyle you simpleton fuck.
  
  Because it was an app that was used by those who have HIV, there have been just AWESOME comments focusing on the HIV and not the fact that these fuckwits could have built an app for any group and fucked it up the same way.
  
  From the really openminded comments here one is so very fucking shocked that they might have needed a dating app where a question of someones status wasn't the elephant in the room. I very much enjoyed the openminded idiot who wanted to turn some app running asshats unwillingness to admit they leaked the data into a commentary on how those with HIV never want to disclose their status.
  
  But then one has to remember their are assholes in everything, and keeping the stereotype going to paint everyone with a disease as being evil people out to secretly infect people surely doesn't make these peoples lives harder. Of course by the same token I guess because we all use computers we all DL CP, because some fuckwit did it so everyone must be the same.
  
  Pity it wasn't an app for survivors of sexual abuse so someone could have made comments about how they were asking for it & you know they put out if you give them some candy.
  
  Can't see how these openminded responses would make it that much more worrying that identifying information of these people is out there in the wild, even the small sample here shows how accepted people dealing with this disease are in the world.
  [ link to this | view in chronology ]
Anonymous Coward, 17 Dec 2015 @ 5:14am

That Anonymous Coward, you mad bro?
Wow, by far you have the record for using the work 'fuckwit' and 'openminded' in a post. I only saw one, maybe two posts that fall into the HIVphobia you are referring to. Most of them are crude attempts at humor and some are actually funny. The largest percentage of comments dealt with the data breach. The funniest thing you said was:

"keeping the stereotype going to paint everyone with a disease as being evil people out to secretly infect people surely doesn't make these peoples lives harder."

If the operators of the site (which I assume is also HIV positive) says that he and [sic] the app user base will infect the report and his family with HIV, then that is not a stereo type nor is it a secret. I this case it seems as if the stereo type is being created by the people with the disease and that they are making their own lives harder.

My opinion on the matter sides with the data breach and regardless of the status of the members of the site, the company is/was irresponsible.
[ link to this | view in chronology ]
- Anonymous Coward, 18 Dec 2015 @ 1:10am
  
  Re: That Anonymous Coward, you mad bro?
  It's funny - they can live as dangerously and recklessly as they please, and insist that nobody else judge them by stereotypes. Of course, the moment they start calling straights "breeders" and other loaded derogatory terms, nobody speaks up about it. Because it's "homophobic" or "breeders" have had it too good for too long or something. If a dude doesn't like having a dick up his ass it's because he's "close-minded" for knocking it before he's tried it. Give me a fucking break.
  [ link to this | view in chronology ]
  - Wendy Cockcroft, 18 Dec 2015 @ 6:00am
    
    Re: Re: That Anonymous Coward, you mad bro?
    You know straight people can get HIV too, don't you? Blood transfusions were a vector back in the Eighties, or having sex with one's husband or boyfriend not knowing he was infected...
    
    ...a massive problem in Africa at the moment, which religious zealots are making worse by banning condoms, etc.
    
    Babies born to HIV-positive mothers can get it.
    
    The trouble with being narrow-minded is it's hard to see the big picture. If you're going to bash "teh gayz," admit it's because you think it's yuck, don't go hiding behind excuses, it gets in the way of sorting out the mess that results of people trying to live with HIV while surrounded by judgemental prats who insist it's their own fault.
    [ link to this | view in chronology ]
  - That Anonymous Coward (profile), 18 Dec 2015 @ 12:59pm
    
    Re: Re: That Anonymous Coward, you mad bro?
    I enjoy your assumption that the entire user base is gay, did you not find their website to see the typical boy girl pairing shown in the screenshots?
    
    Breeder is only offensive if you give it the power to offend you. I know straight people I call my favorite breeders, I guess maybe its like how its okay for a black person to call someone their N but not always cool for their white freind to say it to them.
    
    So from your comments, your either a troll trying to bait me or someone who is having issues questioning your sexuality because someone expressed an interest in you and you rebuffed them so they lashed out because their feelings were hurt.
    Does it make you feel less adequate that they were no longer as interested in you once you rebuffed them?
    
    Does it make you feel better to think that all gay men want you and can't have you? Perhaps overreacting in this way to think that it is all gay people should be a warning sign to you that the old adage could be true... methinks she doth protest to much.
    
    There are lots of people in the world who have HIV through no fault of their own, like the girls who have been raped in some cultures because someone told them sleeping with a virgin would cure them. Those girls didn't live dangerously or recklessly.
    
    The fact that it is easier to date someone in the same boat than to face amazing openmindedness like yours should be crystal clear. You think everyone who has the disease is just another "bad person" who deserved it because some asshole hit on you and you decided to make them the poster child for all teh gays.
    
    While you are most likely pretty, I'm guessing because someone invested the time in trying to bed you, I'm pretty sure that fell to the wayside the more you spoke.
    
    Stop being such a closed-minded breeder.
    [ link to this | view in chronology ]
- That Anonymous Coward (profile), 18 Dec 2015 @ 12:42pm
  
  Re: That Anonymous Coward, you mad bro?
  You should check my post history, I have some epic expletive laden responses to things. This one was fairly tame for how pissed I was.
  
  The fact that there were any HIVphobic posts upset me. I was also upset by the dumbass who made the stupid threat, because my gift is foresight and I can see how that will be run with.
  
  One jackass made the statement, he tried to include the user base in his threats and you're more than willing to look at them being complicit in what he did without their consent or knowledge. We have this amazing ability to hold entire sections of the population responsible for the actions of 1 dumbass. And I suppose that if the user base wanted to be treated differently they should prepare their own statements and have a huge event decrying the words of 1 idiot... how many events did you attend the last time someone of your race/religion/etc did something stupid so that you wouldn't be lumped in with the "bad ones"?
  
  Amazingly I might be in several groups (I am my own Venn Diagram) who are expected to decry the actions of individuals so I don't get lumped in with the "bad ones" and I take offense to the simplistic - idiot said this so everyone in group X is the same way thinking. I have enough people I offend on my own, I don't need to carry the burdens of others as well.
  [ link to this | view in chronology ]
Cranky, 17 Dec 2015 @ 12:02pm

No rocket scientists here!
The response from the company makes it sound like they're only vaguely acquainted with such advanced technical concepts as verbal communication. It is sufficient to convince me that they would not have any competence whatsoever at infosec. Of course I never expect infosec competence from any "app" company anyway; it's simply not a part of their general business model.

On the subject of available cluehammers, might this app intrude into HIPAA territory? I would guess not, because of all the loopholes built into HIPAA, but then I gave up trying to figure it out at about page eleventeen-squillion.

@Pronounce:

Does the company you work for truly believe that foster families DON'T have the right to know that a child who has been placed with them is HIV+? That seems downright sociopathic.
[ link to this | view in chronology ]