Millions of Private Photos from Dating Apps Left Unprotected Online

Researchers have found that nearly 1.5 million private photos from specialist dating apps were stored online without password protection, making them easily accessible to hackers and putting users at risk of blackmail and privacy violations.

The exposed images came from five dating platforms created by tech company M.A.D Mobile. These include BDSM People and Chica, which focus on kink communities, as well as LGBT-focused apps Pink, Brish, and Translove. Together, these apps are used by an estimated 800,000 to 900,000 people.

Anyone with a direct link could view the images, which included not only profile pictures but also private photos shared in messages and even some that had been removed by moderators. Many of the photos were explicit.

The issue was first discovered by ethical hacker Aras Nazarovas from Cybernews, who found the image folder while analyzing the apps' code. He was alarmed by how easily accessible the photos were.

"The first app I investigated was BDSM People, and the first image in the folder was a naked man in his thirties," he said. "As soon as I saw it, I realized this folder should not have been public."

Nazarovas warned M.A.D Mobile about the issue on January 20, but the company only took action after being contacted by the BBC months later. While the vulnerability has now been fixed, the company has not explained why the data was left exposed for so long.

In a statement, M.A.D Mobile thanked Nazarovas for his efforts and said it had taken the necessary steps to secure the apps. They also promised a further update would be released on app stores soon. However, they did not answer questions about their location or why it took so long to address the problem.

Although the leaked images were not linked to names or user profiles, experts say the situation still posed a serious risk. In countries where being LGBT is criminalized, exposure of such images could endanger lives.

Nazarovas and his team chose to go public with their findings before the issue was fixed, fearing that waiting longer would put more users at risk.

"It's always a difficult decision, but we think the public needs to know to protect themselves," he said.

This incident is a reminder of the 2015 Ashley Madison data breach, where hackers leaked private details of users from a dating site for married people, causing widespread embarrassment and harm.

Cybersecurity experts urge all app developers to prioritize data protection, especially when dealing with sensitive personal content.