A serious security vulnerability has left approximately 1.5 million private photos from multiple dating apps exposed online without password protection, BBC News has learned.
The affected platforms, all developed by M.A.D Mobile, include kink-focused app BDSM People, Chica, and LGBT dating services Pink, Brish, and Translove. These apps serve an estimated 800,000 to 900,000 users globally.
Cybersecurity researcher Aras Nazarovas discovered the breach after analyzing the apps' code and locating their online storage system. The exposed content included profile photos, private message attachments, and even images previously removed by moderators.
"The first app I investigated was BDSM People, and the first image in the folder was a naked man in his thirties," Nazarovas told BBC News. "As soon as I saw it I realised that this folder should not have been public."
While the images were not labeled with usernames or real names, the security flaw posed serious risks for users, particularly those in regions hostile to LGBT communities. The vulnerability could have enabled malicious actors to access and potentially exploit the sensitive content.
M.A.D Mobile failed to address initial warnings about the security flaw when first notified on January 20th. The company only took action after BBC News contacted them on Friday. While the issue has since been fixed, the company has not explained how the breach occurred or why they delayed responding to security alerts.
"We appreciate their work and have already taken the necessary steps to address the issue," a M.A.D Mobile spokesperson said, adding that an app update would be released soon.
The company has not responded to questions about their location or their delayed response to multiple security warnings. While researchers typically wait for vulnerabilities to be fixed before publishing findings, Nazarovas' team chose to alert the public due to the company's initial inaction.
"It's always a difficult decision but we think the public need to know to protect themselves," Nazarovas explained.