
Nearly 1.5m private images from fetish and LGBT dating apps exposed


Nearly 1.5 million private images from specialist dating apps have been exposed following a massive security lapse, according to researchers.

Images that users uploaded to fetish and LGBT dating apps developed by M.A.D Mobile were reportedly compromised after they were stored online without password protection.

The apps – BDSM People, CHICA, TRANSLOVE, PINK, and BRISH – have an estimated userbase of around 900,000 people.

Ethical hacker Aras Nazarova from Cybernews, who discovered the security flaw, said that anyone with a link to the images could view them due to the lack of encryption.

“The thought of such images being exposed is a nightmare for many, sparking fears of damage to their privacy and dignity,” a Cybernews report noted.

“Given the nature of the apps, the photos shared with other users are often highly sensitive and explicit.”

The user photos were reportedly stored in Google Cloud Storage files that did not contain other identifying information, like usernames or email addresses. The security researchers said the victims’ identities could still be at risk through reverse-image-searching software.

The images were publicly available online for at least two months, allowing anyone with access to the links to download them and potentially share them through illicit marketplaces.

Mr Nazarova warned that the user-uploaded images, which included explicit photos shared in private messages, could potentially be used by malicious actors to blackmail individuals.

“Malicious actors often exploit highly sensitive leaked content for extortion, social engineering, and attempts to damage a person’s professional reputation,” the report stated.

“Moreover, impacted individuals could be put at elevated risk of harassment. With homosexuality being illegal in some countries, the leak could put app users at high risk of persecution.”

M.A.D Mobile took the images offline last Friday, a day after Cybernews first reported the issue, with a spokesperson saying the company had addressed it.

“A potential vulnerability was indeed identified and has already been fully resolved,” a spokesperson told The Independent.

“Additionally, we would like to note that the mass download of the volume of data claimed in media reports would have caused noticeable activity on our servers, which was not observed. This further supports the conclusion that no actual data breach took place.”

M.A.D Mobile said that an additional update for the apps will be released on the App Store in the coming days.


