Over 1.5 Million Photos Leaked Due to Dating App Security Flaws

Over 1.5 million user photos collected by dating apps available on the iOS App Store, mainly catering to the LGBTQ+, BDSM, and “sugar dating” communities, have been compromised, according to a new report.

This leaked data included explicit content sent between users via direct messaging, as well as profile photos, public posts, profile verification images, and photos removed due to rule violations. As per the report from Cybernews, the impacted apps included SM People, Chica, Translove, Pink, and Brish. All the apps were developed by M.A.D. Mobile Apps Developers, a UK-based company.

In the case of BDSM People, researchers think this app alone leaked 541,000 private images, including 90,000 from users’ direct messages. Meanwhile, the sugar dating app Chica is thought to have leaked 133,000 photos, including private chats.

M.A.D. Mobile Apps Developers have yet to officially comment on the news.

Cybernews’s research suggests that this type of data leak could put users at significant risk further down the road.

“With homosexuality being illegal in some countries, the leak could put app users at high risk of persecution,” said the report, emphasizing how sensitive images of this type can be used for extortion, social engineering, and attempts to damage a person’s professional reputation.

The researchers outlined how the necessary credentials to access sensitive data were stored in the code of the apps themselves, which could then have been used to find images stored externally in other locations (all the dating apps shared the same basic architecture). Even if the images didn’t have names or registration emails attached, the researchers noted how techniques like reverse image search could be used to identify the people in the pictures.

Dating app breaches can have big consequences for those involved. Ashley Madison, a dating site for extramarital affairs, was hit by a data breach in 2015, which resulted in the personal data of 32 million users being leaked by a hacking group. As a result of the leak, several cases of blackmail and extortion were reported, and two suicides were even linked to the case.

The LGBTQ+ community has been hit hard before by data leaks. In 2021, it was revealed that the gay dating app Grindr shared sensitive user data, including HIV status and GPS location data, with third-party companies back in 2018. In 2023, some mobile tracking data from Grindr was purchased by a conservative Catholic group in Colorado, which used it to identify gay priests across the US.

About Will McCurdy

Contributor

I’m a reporter covering weekend news. Before joining PCMag in 2024, I picked up bylines in BBC News, The Guardian, The Times of London, The Daily Beast, Vice, Slate, Fast Company, The Evening Standard, The i, TechRadar, and Decrypt Media.

I’ve been a PC gamer since you had to install games from multiple CD-ROMs by hand. As a reporter, I’m passionate about the intersection of tech and human lives. I’ve covered everything from crypto scandals to the art world, as well as conspiracy theories, UK politics, and Russia and foreign affairs.

Read Will’s full bio

Read the latest from Will McCurdy