Researchers have discovered that nearly 1.5 million private images from specialist dating apps were left unprotected online, making them vulnerable to hackers and blackmailers.
The exposed images came from five dating platforms developed by M.A.D Mobile:
- BDSM People and Chica (kink-focused apps)
- Pink, Brish, and Translove (LGBT dating apps)
These services are used by around 800,000 to 900,000 users.
How Were the Images Exposed?
Cybersecurity expert Aras Nazarovas from Cybernews discovered the issue while analyzing the apps’ code. He found that:
- The online storage holding the images was unprotected.
- No password or encryption was required to access the files.
- The photos included profile pictures, images from private messages, and even deleted images.
“I was shocked when I accessed the files. The first image I saw was a naked man in his thirties. This folder should not have been public,” Nazarovas said.
Risks for Users
This security flaw posed serious risks:
- Hackers could use the images for blackmail.
- LGBT users in hostile countries could face danger if their identity was revealed.
- Although no usernames or personal details were linked to the photos, the exposure still left users vulnerable.
M.A.D Mobile’s Response
M.A.D Mobile was first alerted on January 20, but they did not take action until March, after being contacted by the BBC. The company has now fixed the issue but did not explain why it took so long to respond.
“We appreciate the researcher’s work and have taken steps to fix the problem,” an M.A.D Mobile spokesperson stated. “An additional update for the apps will be released soon.”
However, the company did not clarify whether other hackers had already accessed the exposed images.
Public Warning Raised
Normally, security researchers wait until a vulnerability is fixed before making it public to prevent further risks. However, Nazarovas and his team raised the alarm early because they feared the company was not addressing the issue.
“The public needs to know so they can protect themselves,” Nazarovas said.
This incident echoes the 2015 Ashley Madison hack, where malicious hackers leaked sensitive data from a dating site for married people looking to cheat.