A shocking discovery revealed nearly 1.5 million private photos from several dating platforms, including LGBT and kink sites, were exposed online without password protection. Researchers found that M.A.D Mobile, the owner of these apps, delayed addressing a significant security vulnerability despite prior warnings, raising concerns over user safety and privacy in the digital age.
Major Privacy Breach: 1.5 Million User Photos Exposed from LGBT and Kink Dating Apps
Major Privacy Breach: 1.5 Million User Photos Exposed from LGBT and Kink Dating Apps
Security flaws have left sensitive images from five dating apps accessible online, sparking a potential risk for users and raising pressing questions about digital privacy.
Researchers have uncovered a substantial privacy breach involving nearly 1.5 million user images from various niche dating apps, many of which are explicit in nature. This alarming security flaw, affecting apps such as BDSM People and the Chica sugar daddy platform, has left thousands of users vulnerable to extortion and hacking.
The affected applications, developed by M.A.D Mobile, cater to a community of around 800,000 to 900,000 users, including those from the LGBT and kink communities. Sensitive images stored online were accessible to anyone with the direct link, as they were secured with no password protection.
Ethical hacker Aras Nazarovas from Cybernews was the first to bring this project to light. He discovered the vulnerability while analyzing the app’s coding. Shocked at the ease of access, he noted that the folder contained not just profile pictures but also private messages and images deleted by moderators.
M.A.D Mobile was first notified regarding the flaw on January 20th but only took action after a follow-up email from the BBC prompted the company. Although they have since resolved the issue, they have yet to explain why it took so long to act.
Nazarovas warned of the significant risks for users, particularly in regions where LGBT individuals face severe discrimination. His concerns center around the potential for malicious actors to exploit this data for extortion. Although the images were not directly linked to user identities, the risk remains.
In response to the vulnerability, an M.A.D Mobile spokesperson expressed gratitude to Nazarovas for revealing the security lapse, stating that they took necessary actions to prevent future data breaches. However, questions linger about the company's operations, such as their location and reasons for the delayed response to prior alerts.
Typically, security researchers refrain from publishing their findings until vulnerabilities are rectified to avoid risking user safety. However, Nazarovas opted to raise awareness about the unprotected images, believing users needed urgent warning to protect themselves.
This incident recalls the 2015 Ashley Madison breach, where customer data was infamously exploited, underscoring the continuing challenges of maintaining digital privacy in the age of technology.
