A seemingly massive data breach has apparently exposed nearly 1.5 million 'private' pictures from a series of LGBTQ+ and kink sites. Five dating apps have reportedly been hit by the security flaw where the explicit images were stored on the cloud without any password protection.
If you weren't already worried about dating in 2025, imagine having your own private pictures spilled onto the internet for all to see as your own cybersecurity nightmare.
Cybernews reports how researchers found that BDSMPeople, CHICA, TRANSLOVE, PINK, and BRISH apps had 'secrets' like API keys, passwords, and encryption keys published alongside their codes.
Advert
The site notes how credentials being placed in client applications can be accessed by anyone, with bad actors being able to gain access to systems. The use of these let's them locate user photos placed in Google Cloud Storage buckets that didn't have passwords set up.
Nearly 1.5 million of these user-uploaded images included the likes of profile photos, public posts, and profile verification images. Perhaps the most concerning is that photos apparently sent through direct messages and those removed for rule violations were also included in the crop.
Cybernews reached out to M.A.D Mobile Apps Developers Limited for comment but claims it hadn't received a response at the time it published its findings.
As the outlet writes: "The thought of such images being exposed is a nightmare for many, sparking fears of damage to their privacy and dignity. Given the nature of the apps, the photos shared with other users are often highly sensitive and explicit."
Even though the leak doesn't include names, email addresses, or messages involving individual users, there are fears Open-Source Intelligence (OSINT) techniques like reverse image searching could be used to track them down.
These kind of breaches can be used by people who will try and extort you, while those involved could be more at risk of harassment. Notably, homosexuality is illegal in many countries, which could put app users in a dangerous position.
M.A.D. Mobile was apparently notified about the exposed servers on January 20 but didn't tackle the issue until March 28.
Speaking to the BBC, Cybernews researcher Aras Nazarovas explained: "The first image in the folder was a naked man in his thirties. As soon as I saw it I realised that this folder should not have been public."
A M.A.D. Mobile spokesperson has since responded and said: "We appreciate their work and have already taken the necessary steps to address the issue. An additional update for the apps will be released on the App Store in the coming days."
However, they didn't respond to further questions about where M.A.D. Mobile is based and why it took so long to address the issue.
We're reminded that hackers got inside the Ashley Madison database in 2015, known as a service aimed at those trying to have extramarital affairs. When the site refused to shut down, more than 2,500 customer details were released. Ultimately, Ashley Madison agreed to settle on more than two dozen lawsuits in 2017 and was forced to stump up $11.2 million.