Kink and LGBT Dating Apps Exposed: 1.5M Private User Images Leaked Online

In a shocking revelation, security researchers have discovered that nearly 1.5 million private images from niche dating apps—many of them explicit—were left unprotected online, making them easily accessible to hackers and potential extortionists. These images, associated with five platforms developed by M.A.D Mobile, were stored online without any password protection, allowing anyone with the link to view them.

A Major Security Breach

The affected platforms include BDSM-focused dating apps BDSM People and Chica, as well as LGBT-oriented services Pink, Brish, and Translove. Combined, these services cater to an estimated 800,000 to 900,000 users worldwide. The security flaw was initially identified by ethical hacker Aras Nazarovas from Cybernews, who discovered the unprotected online storage while analysing the code that powers the apps.

According to Nazarovas, he was able to access the images without requiring any authentication. His first encounter with the breach came when he explored BDSM People and found explicit images that should have been protected. "The first image in the folder was a naked man in his thirties," he said. "As soon as I saw it, I realised that this folder should not have been public."

Sensitive User Data at Risk

What makes this security lapse particularly alarming is the nature of the exposed content. The images were not limited to public profile pictures but also included those sent privately in messages, as well as some images that had been removed by moderators. This raises serious concerns about user privacy and the security measures (or lack thereof) implemented by M.A.D Mobile.

While no text-based private messages were found to be stored in the same manner, and the images were not directly labeled with user names or real identities, the exposure still carries a significant risk. For users in countries hostile to LGBT individuals, this kind of data leak could have severe consequences. Additionally, cybercriminals could exploit the images for blackmail and extortion.

Delayed Response from M.A.D Mobile

M.A.D Mobile was first informed of the security flaw on January 20. However, the company failed to take any action until the BBC intervened via email on Friday. Only then did they address the issue, but they have yet to clarify why the vulnerability existed in the first place or why it took them so long to fix it.

In response to the incident, a spokesperson for M.A.D Mobile stated, "We appreciate their work and have already taken the necessary steps to address the issue. An additional update for the apps will be released on the App Store in the coming days." However, the company declined to answer further questions about its location or its delayed response to the security warning.

The Risks of Data Breaches in Dating Apps

Data leaks of this nature are not new. In 2015, the infamous Ashley Madison hack exposed the personal information of users who sought extramarital affairs. That breach led to devastating consequences for many individuals, including public shaming, blackmail, and even suicides. While the current case does not involve direct identity exposure, the nature of the leaked images still presents a serious threat to users’ privacy and security.

Nazarovas and his team took the unusual step of publicising the vulnerability before it was fully resolved, citing concerns that M.A.D Mobile was ignoring the issue. "It's always a difficult decision, but we think the public needs to know to protect themselves," he explained.

How Users Can Protect Themselves

Given the increasing prevalence of data breaches in dating apps, users should take extra precautions to safeguard their privacy. Here are some key steps to consider:

1. Limit the Sharing of Sensitive Content: Avoid sharing explicit images or personal data that could be used against you if leaked.
2. Use Encrypted Messaging Services: If possible, communicate using secure and encrypted messaging platforms instead of in-app messaging.
3. Enable Two-Factor Authentication (2FA): If the app offers 2FA, enable it to add an extra layer of security.
4. Regularly Review Privacy Settings: Ensure that your profile and data are protected by the strongest available security settings.
5. Stay Informed About Security Updates: Follow news about the apps you use to be aware of any potential security risks.

Final Thoughts

This incident highlights the growing cybersecurity challenges facing online dating platforms, particularly those catering to niche communities. M.A.D Mobile’s delayed response underscores the need for stricter security protocols and regulatory oversight to ensure that user data is adequately protected. As dating apps continue to rise in popularity, companies must prioritise user privacy and implement stronger measures to prevent similar breaches in the future.

For now, users of BDSM People, Chica, Pink, Brish, and Translove should remain vigilant and take proactive steps to secure their online presence. Cybersecurity is an ongoing battle, and awareness is the first step toward protection.