In a troubling revelation, a security flaw has exposed around 1.5 million private images from several dating applications, including BDSM People and Chica, among others targeted at kink and LGBT communities. Researchers discovered these images, many of which are explicit, stored online without password protection, making them susceptible to hackers and potential extortion.
The affected platforms, developed by M.A.D Mobile, support an estimated user base of 800,000 to 900,000 individuals. Despite being notified of this issue by ethical hacker Aras Nazarovas on January 20, M.A.D Mobile only acted after receiving an inquiry from the BBC, causing widespread concern about their response time and security measures for user data.
Nazarovas first stumbled upon the breach while analyzing the code behind the apps. Upon accessing the unencrypted photos, he was dismayed to find the images—including those shared privately and even some removed by moderators—available to anyone with the link. "The first app I investigated was BDSM People, and the first image in the folder was a naked man in his thirties," he shared, adding that it was evident the folder was never meant to be publicly accessible.
The discovery poses considerable risks to users, especially those in countries where LGBT identities are criminalized. While the photographs lacked user identification (no real names or usernames were linked), the potential for malicious hackers to exploit this information remains high, particularly for extortion.
M.A.D Mobile has acknowledged Nazarovas’s findings and expressed appreciation for his work in preventing a data breach. However, they have not disclosed how the flaw occurred or why it took them months to rectify the situation. In a statement, the company mentioned that an update would soon be rolled out via the App Store to ensure app security.
Despite a general protocol among security researchers to wait until vulnerabilities are patched before disclosing them, Nazarovas and his team chose to alert the public as the risk remained unmitigated. "It's always a difficult decision," he explained, "but we think the public needs to know to protect themselves."
This exposure is a stark reminder of the risks inherent in digital platforms, recalling the notorious Ashley Madison data breach of 2015, in which sensitive user information was likewise compromised. The repercussions are profound, raising urgent questions about the responsibility of dating app companies to safeguard user privacy and data.