Users of UK online dating website Guardian Soulmates have reportedly been receiving "sexually explicit" spam emails featuring private information taken from their personal account profiles, in what has been blamed on human error by a third-party company.
The unauthorised exposure is not believed to be the work of hackers. According to the BBC, which was alerted to the incident by an impacted user, the spam contained the victim's profile username alongside other information that "could only have come from the Soulmates database."
Guardian News and Media, which manages the service, said the issue has now been resolved.
"We can confirm we have received 27 enquiries from our members which show evidence of their email addresses used for their Soulmates account having been exposed," a spokeswoman said.
The company added its ongoing probe pointed to a fault at an unnamed, external, technology provider.
The firm also confirmed email addresses and user IDs were likely to have been exposed, admitting these could be used to locate other publicly available profiles and photographs, physical descriptions and relationship preferences.
This information can then be used to send targeted phishing emails, cybersecurity experts warned.
One victim told the BBC they first alerted the online dating service last November, and finally received an email confirming the exposure in late April.
"It's all information that I was happy to put online at one point anyway, but when it's used outside of context like that it does feel a lot more creepy," the source said.
Marco Cova, senior security researcher at anti-malware firm Lastline said: "This is a good reminder that every breach reveals data that criminals can use to launch additional attacks.
"They can merge data from multiple sources, building dossiers on potential victims, including spearphishing targets. The information they gather does not have to be highly confidential to create successful attacks."
Dating websites, and the data they store, are often seen as a lucrative target for hackers. The most high-profile cyberattack, against US firm Ashley Madison, resulted in a widespread breach that not only exposed sensitive information - but in the most extreme cases cost lives.