At CyberNews, we recently discovered an unsecured database that contains more than 1 million private photos, most of them NSFW. The database appears to belong to the free Korean dating app 스윗톡, which may go by the name Sweet Tea, Sweet Talk or Sweet Chat. The database that we discovered was related to “sweetchat”.
This seems like a bit of deja vu here at CyberNews, seeing as we discovered another NSFW database in early November. In that case, though, nearly all of the images, video and audio were extremely private and explicit, and that database contained about 130,000 files.
This time, there are only images in this NSFW database, and we’d guess only half of them are explicit. Of course, with 1 million images in total, we can’t be certain of the true percentage. This is our best estimate from going through a small sample.
Unfortunately, we also identified what could be user IDs that connect these varying images together. With simple reverse-image searches, cybercriminals can identify and then blackmail these users. Recently, in Korea, 24-year-old Cho Ju-bin (조주빈) was sentenced to 40 years in prison for blackmailing women and minors into filming sexually explicit content. He would then sell these in various Telegram chat rooms from 2018-2020. The issue has sparked intense conversation in South Korea of a culture that is often seen as too lax on sexual violence and therefore failing these victims.
In general, the issue of private messaging of a sexual nature, or sexting, is an especially touchy subject in 2020 since most countries are under one form or another of restricted movement. With physical hookups limited, it’s understandable that people are moving to digital hookups. However, in light of the rise in covid-era sexting, it’s more important for database owners and app developers to make sure that all those private moments remain private.
We contacted the app maker via email, but have not received any response yet. Fortunately, Amazon was able to close off the unsecured bucket on December 23, 14 days after we first contacted them.
To see if your data has been exposed in a security breach, use our personal data leak checker.
Who owns the bucket?
We cannot state with 100% certainty that this bucket actually belongs to the app 스윗톡 (Sweet Talk). However, a short journey brought me to that conclusion. There are images in the database for the service SweetChat that lead to the website sweet.chat. That URL redirects to 스윗톡.com/session/signin (which is actually https://www.xn--9t4bk5fj5k.com/session/signin).
While sweet.chat is most likely owned by or connected to Sweet Talk, that still does not mean that this database belongs to sweet.chat.
Nonetheless, it is likely. 스윗톡 (Sweet Talk) has an Android app with at least 50,000 installs. Its developer is listed as 채팅만남 (which simply means ‘chat’) on Play, while the iOS version of the app is from a developer Sujin Han with a copyright for Kwon Young-hoon. On Play, its most recent review is dated December 1,2020, while the most recent iOS review came on November 24, 2020.
What data is included in the database?
The leaked database contains a total of 1,000,993 files, and almost all of them are image files. They are contained in two separate paths: ‘feed’ and ‘messages’.
The first path, ‘feed’, contained 113,944 images. From the sample we viewed, most of those images are tame. If ‘feed’ implies a similar newsfeed like Facebook, then those images are most likely public, or at least meant for a user’s circle of friends.
The other path, ‘messages’, contained 886,555 files, and those were much more explicit. Again, given the name of the path, these are likely private messages.
Under each ‘feed’ and ‘message’ path, there is another path – either ‘f’ or ‘m’: this is very likely male or female, since all images under ‘m’ contain men (if it contains a person) and all images under ‘f’ contain women (if it contains a person). There are 935982 ‘f’ pictures, and only 59691 ‘m’ pictures.
Another thing we noticed is that, while the database contains no personally identifiable (written) information, like names, usernames, emails or any other details, the images all seem to contain “user IDs.”
A standard image path could then be:
/messages/f/20201012/1234567_aL4Anum3.jpg
Which would give the pattern:
/messages/f/[date]/[user ID]_[random alphanumeric].jpg
This may be an insight into how many users are on the platform. According to its Google Play store listing, 스윗톡 (Sweet Talk) has been installed at least 50,000 times. However, the app is also available on iOS, and there’s little information on how many times it’s been installed for Apple users. It’s possible that the app is available on other platforms, such as Samsung’s or Huawei’s app stores, or others.
Looking at the file names, we might be able to come to a better conclusion. The apparent “user ID” I mentioned above seems to check out for a few users: the person in the images for the specific ID seems to be the same.
Further, the more recent the ‘modify’ date for the file, the bigger the ID is. Given that, we may be able to simply subtract the most recent user ID from the oldest one to understand how many people might have created a profile on that dating platform.
The most recent user ID is 1783627, for a file modified in October 2020. The earliest user ID is 44, for a file created in March 2016. However, 44 and 45 seem to be tester or admin accounts, and the earliest real profile, at least to my eyes, seems to be for a “user ID” 1113.
If you were to simply subtract that, you’d get:
1783627 – 1113 = 1782514
That’s right, more than 1.7 million. Is it possible that this platform has had 1.7 million users in the last four years? Not sure. There are some alternative reasons:
- These “user IDs” are not consecutive (i.e., the user after ‘45’ is not ‘46,’ but rather ‘91’)
- Users from multiple services are in the same database – developers often copy features from one app to another, so ‘message’ and ‘feed’ might be included in multiple apps, with all files stored in this database. Accounts may also not be deleted after accounts are deleted, leaving many “users” but few active users
- These aren’t user IDs – it’s possible, since I haven’t gone through all one million files, and the ones that I checked were just a coincidence
One interesting thing we found was when we looked through 스윗톡 (Sweet Talk)’s iOS app reviews. One user complained about a device ID issue. The developer then sent that user to SweetTalk.com, which is a free adults-only dating service.
SweetTalk.com is copyrighted by a company named Exontech Inc:
Exontech also owns a porn site dirtyxxxsex.com. However, there seems to be no other information about that particular company.
Besides the question of who owns Exontech Inc., there are other remaining questions:
- Who is Sujin Han, the app developer listed on Sweet Talk’s iOS app?
- Who is Kwon Young-hoon, which is the copyright holder listed on the iOS app?
- Who is 채팅만남, the app developer listed on Sweet Talk’s Android app?
We are still investigating these questions.
Do you have any further information about these individuals or companies behind or connected to Sweet Talk or sweet.chat? We’d love to hear from you. Please get in touch — send us a tip by clicking here or email us at [email protected]
What does this mean for Sweet Talk/Sweet Chat users?
If we assume that this unsecured bucket belongs to Sweet Talk/Sweet Chat, then that means that Sweet Talk users have had some of their most private and explicit images leaked online, accessible to anyone who has the link.
Unfortunately, accessing an unsecured Amazon S3 bucket is remarkably easy – and there are many people who know how to find these buckets.
There are some reasons while this leak may be worse than the previous explicit NSFW leak: in that leak, there wasn’t anything really identifying. Here, while there are also no names, emails or usernames, there are what appear to be user IDs. With this, for example, one can find one explicit picture of a body part, find all that user’s images, and link those explicit pictures to a person’s face. If these tame, non-NSFW images are also publicly shared on other platforms, like Facebook, then a reverse image search could identify the owner of these explicit pictures.
This is the type of blackmail related to Cho Ju-bin’s “Nth Room” extortion tactics.
Any user of Sweet Talk/Sweet Chat would certainly not want these details leaked to their family or friends, or anywhere online really. In those cases, they might be willing to adhere to an attacker’s demands.
However, the onus here rests firmly on the developers’ shoulders. This person, or group of people, betrayed the trust their users gave them when they signed up to those services in the first place.
What to do next
We tried to contact the app maker via the contact information listed on the Play store page. However, we have not heard back from them yet. We next reached out to Amazon on December 9 to attempt to secure the AWS bucket so that the public would not be able to access it anymore. Fortunately, Amazon was able to secure the bucket on December 23.
If you have used Sweet Talk/Sweet Chat, and have the app, we recommend you contact any admin for further information about the leak. If you are concerned about your images (both safe and NSFW) being potentially leaked, we’d recommend you remove your files from the platforms, if possible, and probably move off the platform until you are confident that the service is secure.
