Major dating app data breach may have exposed 1.5 million private user images online

  • Five kink and LGBT apps exposed sensitive user images
  • The images were stored on a server without password protection
  • The apps' developer left the issue unfixed for months

Five dating apps exposed over 1.5 million private and explicit images after storing the images in cloud storage buckets without any password protection.

Cybersecurity researchers found the image servers of BDSM People, Chica, Pink, Brish and Translove to be highly vulnerable to hackers, putting between 800,000 and 900,000 people at risk of blackmail and extortion.

The five sites are all from developer M.A.D Mobile, which was notified of the exposed servers on January 20 but did not remediate the issue until March 28, after the cybersecurity researchers published a report on the exposed servers.

Explicit images exposed

Cybernews researcher Aras Nazarovas discovered the exposed private image servers while conducting analysis on the code that powers the BDSM People app.

“The first image in the folder was a naked man in his thirties. As soon as I saw it I realised that this folder should not have been public,” Nazarovas told the BBC.

On the servers, Nazarovas found several hundred gigabytes of photos, including images from profiles, images sent in direct messages, images that were supposedly removed from the app by moderators, photos from public posts, profile verification photos, and photos included in comments.

While the issue has now been remediated, there is no way of knowing how long the servers were exposed, or if Nazarovas was the only person to discover the trove of explicit images.

An M.A.D Mobile spokesperson said, “We appreciate their work and have already taken the necessary steps to address the issue. An additional update for the apps will be released on the App Store in the coming days.”

Beyond the risk of extortion posed by the unprotected cloud storage buckets, users of the apps in countries with hostile attitudes to LGBT people were also put at risk.

Dating apps and sites are lucrative targets for hackers due to the highly sensitive personally identifiable information they store. If a company is hit by a ransomware attack, the attackers could not only extort the company for money, but also threaten individuals with the exposure of their data if they don’t pay a fee.

Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for over 7 years, first focusing on geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division), then continuing his studies at a postgraduate level, achieving a distinction in MA Security, Intelligence and Diplomacy. Upon joining TechRadar Pro as a Staff Writer, Benedict transitioned his focus towards cybersecurity, exploring state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.
