Calling things what they are

Public Dating Is Not a Data Breach

A Habr publication renamed normal open-service mechanics as "critical vulnerabilities": liking a public profile became a "bypass," a displayed photo became a "leak," and an assumption became a business investigation. Loud terminology cannot repair broken logic.

Dating LLC10 minute read
Likea normal dating function
Photopublic media can be saved
APIa transport, not a vulnerability

The article's central problem

The author did not discover a new law of the internet. He renamed ordinary things

A public profile does not become a private database because a script requested it. An API does not become a hole because it was called without pressing a button. Saving a file already displayed to a user is not the same as breaching a storage system.

In the articlePublic = leaked

A category substitution.

In the articleAPI = bypass

A transport confused with a boundary.

In the articleAutomation = breach

Scale confused with the fact of access.

In the articleAssumption = fact

Evidence replaced with a dramatic story.

A simple test for every alarming claim: was the boundary between public and private data crossed, or were authentication, consent, or a server-side limit bypassed? If not, red icons and CVSS numbers do not create a vulnerability.

Likes through an API

An API that lets a participant like a public profile is doing its job

An open dating service must let a user express interest in another participant. The button on the screen sends an API request anyway. Reproducing that request with a technical client is not a magical product bypass. It is another client talking to the same server.

The real checks come next: the request must be authenticated, the actor must be active, and server limits must apply regardless of the interface. Current Mimolet reactions use an authenticated server route and are limited by plan to 60, 250, 500, or 1,200 actions per day.

Function: like a known public profile within the limit. Not a function: bypass authentication, a ban, or a server limit.

So "the API can like a person" sounds alarming only until translated into plain language: "the dating service lets a user send a like." That is what the service exists to do.

Photos and S3

A displayed public photo can be saved. That is the internet, not a Mimolet breach

A public profile photo must reach the user's device or the app cannot display it. Once delivered, it can be saved through browser tools, screen recording, or a screenshot. The same is true for public content on Instagram, TikTok, Telegram, and every service that actually renders media.

A presigned URL, disabled context menu, or short link lifetime cannot revoke pixels already delivered to a screen. These controls can raise the cost of bulk collection, but they cannot make copying displayed public content physically impossible.

NormalThe app loads the exact media object for a public profile
ImportantThe storage catalog should not be exposed as a list
CurrentAnonymous bucket listing is closed and returns HTTP 403
CurrentNew media names use UUIDs rather than Telegram IDs
A publicly displayed photo is not the same thing as a public inventory of every stored object. The article creates alarm by collapsing that distinction.

Automated collection

Scraping exists everywhere. The question is cost and scale, not existence

Public pages and feeds are automated across social networks, marketplaces, search engines, messengers, and dating services. An absolute technical prohibition does not exist because automation can imitate a real user. Mature protection raises the cost through authentication, unpredictable identifiers, limits, behavioral signals, and blocking.

The historical negative offset central to the article is gone. The named feed_classic_api.php route no longer serves the product and returns 404. The current feed returns 401 without authentication. Applying that old scenario to today's architecture is not a current Mimolet analysis. It is a description of removed code.

01

Can be automated

True for every public interface.

02

Can be collected without limit

A separate claim that needs current API evidence.

03

Private data was obtained

Another separate claim, not a consequence of the first two.

History vs today

Old PHP files are not the current Mimolet architecture

The article repeatedly returns to the same routes and uses repetition to create a sense of scale. Three filenames are not three independent problems, and a removed entry point does not become the current API because its screenshot remains online.

Cited in the articleCurrent status
profile_view.php404 removed
feed_classic_api.php404 removed
test.php404 removed
Current profile and feed without login401 authentication required

This does not rewrite history: a current 404 cannot prove what happened on the test date. It proves a narrower, important point - that the cited path cannot honestly describe today's product.

Premium without sleight of hand

Liking a known profile and revealing incoming likes are different actions

The article calls the ability to like an already known user a "Premium bypass." But the subscription provides access to incoming-like mechanics: learning who liked you and using that inbox. It does not sell an exclusive right to express interest in someone already seen elsewhere.

The current free incoming-likes response does not reveal the real ID, name, or original media URL. Bulk response checks the subscription on the server. Combining "send a like" with "reveal an incoming like" creates a dramatic paragraph, not proof of a paid-feature bypass.

Sessions and bans

Multiple sessions are not session fixation, and an IP address is not a person

Session fixation is a specific attack in which a victim is forced to use an identifier already known to an attacker. Five logins from five contexts show only that multiple sessions are allowed. That is normal for phones, computers, and Telegram Web, not proof of account takeover.

The article's rigid IP-binding prescription breaks mobile networks, CGNAT, and VPN use. The current API checks blocked-user status on every authenticated request. That is the meaningful boundary. The assumption that one IP equals one person is not.

The publication's weakest section

The advertising and "unofficial accounts" story was written without access to the business

The author did not see contracts, payments, accounting records, analytics dashboards, or bank accounts. Yet profile counts, channel subscribers, and an LLC registration address were turned into conclusions about advertisers, taxes, investors, and intentionally weakened security. There is no evidentiary chain between the inputs and that story.

Company factMimolet has never sold advertising
Company factThe product has no advertisers or advertising revenue
Company factThe official operator is Dating LLC
Company factThe product has no "unofficial accounts"

Registering a company in one city while developing a product from another is neither a business scheme nor a technical indicator. Geography proves no tax evasion, advertising relationship, or owner motive. It is speculation presented as investigation.

CVSS theater and the second post

Self-assigned scores do not replace attack vectors, and an Exim banner does not show Ubuntu patches

A table of 7.5, 8.9, and 8.1 looks authoritative, but scores without complete CVSS vectors, system boundaries, and reproducible impact remain the author's opinion. "Criminal prosecution," "loss of advertisers," and "payment blocking" do not follow from the technical tests, especially when the product has no advertisers.

The sequel repeated the pattern with Exim. It inferred CVE-2026-45185 from an Exim 4.97 Ubuntu banner. Ubuntu fixed that CVE through a backport in package 4.97-4ubuntu4.5. Revision .5 was installed on May 14, revision .6 on June 3, and the post appeared on June 27. The base SMTP banner does not expose the Ubuntu package revision.

Fixed package 4.97-4ubuntu4.5 installed
Next revision 4.97-4ubuntu4.6 installed
Post claiming a vulnerable version published
Official Ubuntu Security pageUbuntu 24.04 LTS: fixed in 4.97-4ubuntu4.5

Method and presentation

Formulaic AI-style presentation amplifies drama, not evidence

Significant parts of the text look AI-generated or heavily AI-edited: repeated "severity + business impact" matrices, mechanical analogies, repetitive summaries, emoji risk levels, and dense AI-style typography. This is a stylistic observation, not proof of a specific model.

The problem is not the use of AI. The problem is when confident formatting hides missing steps: no independent sample validation, no access to business data, no full CVSS vectors, no check of the Exim package revision, and ordinary open-dating functions labeled as vulnerabilities in advance.

Sample

12,340 collected profiles do not prove the size of the entire monthly audience.

Age

An aggregate 15-19 group cannot directly establish the share of people under 18.

Business

Channel subscribers do not reveal contracts, revenue, or bank accounts.

Conclusion

Security requires precision. Panic requires only loud words

Like every live product, Mimolet has engineering work and continuously strengthens its defenses. But an honest analysis must distinguish public from private, possible from unlimited, legacy code from current code, and evidence from speculation.

Liking a public profile is a normal function. Saving a displayed public photo is an unavoidable property of digital content. Scraping is a market-wide risk to constrain, not something any open service can make physically impossible. Removed legacy routes do not describe the current API. Advertising, "unofficial accounts," and the allegedly vulnerable Exim package were not facts that survived verification.

Read the detailed official Mimolet responseRoute status, S3, sessions, Exim, sources, and the current product state Read the expanded public dating security guideFour layers: display, action, automation scale, and private data
Official serviceMimolet

Mimolet, Mimolet Bot, mimoletbot, @mimoletbot, Мимолет, and Мимолет Бот are names for the same product operated by Dating LLC.

Open @mimoletbot

Sources and materials

  1. First Habr publication dated May 4, 2026
  2. Second Habr publication dated June 27, 2026
  3. Official Ubuntu Security page for CVE-2026-45185

This article reflects verified product status as of July 17, 2026.