The anti-vaccine dating website “Unjected,” known for previously allowing its users to advertise their “mRNA free” blood and semen, left its users’ private data vulnerable for a second time.
The issue, discovered by the security researcher known online as GeopJr, affects 35,509 accounts and exposes everything from full names and birthdates to email addresses and location data.
Authentication issues on the site also allowed GeopJr to not only alter users’ profiles, such as changing their profile pictures, but read direct messages made by the site’s users and staff.
Unjected, which bills itself as the “largest unvaccinated platform” on the internet, launched in May 2021 and quickly made headlines after its app was removed from the Apple Store for violating its COVID-19 misinformation policies.
Despite the setback, the site continued to grow and add new features, such as the now-defunct “mRNA FREE blood match & fertility directories” where users could offer up their so-called untainted blood, sperm, or eggs to members of the site.
In July 2022, the Daily Dot exclusively revealed, thanks to the research of GeopJr, that Unjected’s administrator dashboard was openly accessible. The security lapse allowed GeopJr to, among other things, add, edit, or deactivate pages on the site and user accounts.
Unjected’s co-founder Shelby Thomson declined to answer emails from the Daily Dot at the time while apparent attempts were made to fix the site, which resulted in the domain being repeatedly taken offline. After a flood of complaints from users over the data exposure, glitches, and outages, the site returned. And while the major issues were fixed, many bugs remained.
GeopJr reached out to the Daily Dot this month to note that they opted to check the site again, nearly two years after discovering the initial issues, and stated that Unjected was “still as insecure as ever.”
“Unjected has once again failed to take the necessary security precautions, putting thousands of users at risk,” GeopJr said.
Unjected acknowledged an email from the Daily Dot last week pointing out the security issues but failed to fix them. Although it appears attempts were made to patch the leak, GeopJr said, that effort actually resulted in more issues on the site, including the ability to deactivate anyone’s account without authentication.
Given Unjected’s failure to secure its users’ data, the Daily Dot is declining to detail exactly how the vulnerabilities were discovered. The issues, however, allowed GeopJr to obtain information from profiles that should not be publicly accessible. Similarly, GeopJr discovered another authentication issue that allowed them to access all direct messages on the site.
Examination by the Daily Dot of the site’s 8,323 private conversations, which range from July 2023 to March 2024, even shows weary users questioning Unjected’s security.
In one direct message to an Unjected administration on Jan. 10, a user said: “Thanks for helping to build this website, hope you have great protections of all the unjected’s privacy.”
In another message sent on Dec. 13, 2023, a foreign user also expressed fear that the site’s data could be obtained by the U.S. government and handed over to theirs.
“I am pretty concerned about this platform that collects data of unjabbed people: the US government could easily hack it and get written evidences of all those who refuse to align themselves to Biden’s administration…,” the user wrote. “I am really concerned… I am not sure I will remain here… will have to check how their cybersecurity system works and support its clients.”
On Feb. 9 of this year, another user complained that the site was “shady” and “difficult to use,” arguing that they rarely logged in over fears of a hack.
“The messaging part isn’t developed too well either, it seems to crash on me whenever I try to use it, and overall just feels like a shady site!” they wrote. “I’m waiting for it to be hacked for the list of unvaccinated folks!”
Other private data includes longitude and latitude coordinates for users who either provided their city and state to the site or those who opted to allow their browser to determine a more exact location.
In a statement to the Daily Dot, Unjected appeared to falsely suggest that this reporter had somehow hacked the site.
“At Unjected, we know that we are on all of the government watch lists. Thank you for helping make Unjected the safest place to be for unvaccinated people,” it said. “We suggest that you now use your hacking skills for good and do something to thwart the New World Order rather than messing with organizations that are fighting for Team Humanity. Someday this will all make sense to you.”
Unjected also alleged that it had created a promo code bearing this reporter’s name before urging the public to “Stay Natural, Stay Free, Stay Unjected.”
“Whenever you’re ready to get off Tinder or Bumble and find a nice wholesome gal, use promo code MIKAELISLONELY at Unjected.com for 25% off your first month’s membership (also valid for all Daily Dot readers),” it added.
Despite the security issues, Unjected does not appear to have posted anything on its website or social media accounts noting that its users’ data remains vulnerable to compromise.
The internet is chaotic—but we’ll break it down for you in one daily email. Sign up for the Daily Dot’s web_crawlr newsletter here to get the best (and worst) of the internet straight into your inbox.