Nearly 1.5 million private images from specialized dating platforms have been exposed online because of serious security flaws, putting users at risk of hacking and extortion. A mix of explicit photos and private messages from five dating apps operated by M.A.D Mobile, including BDSM People, Chica, and several LGBT-focused platforms, were found unsecured and accessible to anyone who had the link.
Experts estimate that these apps serve about 800,000 to 900,000 users, many of whom could be adversely affected. Ethical hacker Aras Nazarovas from Cybernews initially notified M.A.D Mobile about the vulnerability on January 20, but it wasn't until the BBC inquired about the issue that any remedial measures were implemented.
M.A.D Mobile has since fixed the problem, although it has not disclosed the details of the vulnerability or explained the delay in addressing it. Nazarovas, who uncovered the flaw by examining the app's code, expressed shock at finding unencrypted, unprotected images that were publicly accessible.
"The first app I investigated was BDSM People, and the first image I encountered was a naked man in his thirties," Nazarovas noted. "As soon as I saw it, I realized that this folder should not have been public." The scope of the leaked material went beyond profile pictures, encompassing private messages and even images moderated out by the platforms.
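The article does not say which storage service was involved or how the exposure was fixed, only that a folder of uploads was public and that anyone with a link could fetch its contents. The following is an added illustration, not code from M.A.D Mobile or Cybernews, of the difference between that pattern and the usual hardening: every upload is served only through a short-lived URL signed with a server-side key, bound to a specific user, and checked against a per-object access list. The object store, access list, signing key and user IDs are all constructed for the demo.

```python
"""Added example: a public upload folder versus signed, user-bound, expiring URLs.

Hypothetical code, not from the apps in the article. The object contents,
access list and signing key below are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Server-side secret. In production this lives in a secret store, not in code.
SIGNING_KEY = secrets.token_bytes(32)

# Constructed object store: storage path -> bytes.
OBJECTS = {
    "uploads/7f3a.jpg": b"\xff\xd8constructed-profile-photo",
    "uploads/91bc.jpg": b"\xff\xd8constructed-private-message-image",
}

# Constructed access list: which users may see each object (owner plus anyone
# the image was sent to). A dating app would derive this from matches/chats.
ACL = {
    "uploads/7f3a.jpg": {"user_42", "user_7"},
    "uploads/91bc.jpg": {"user_7"},
}

BASE_URL = "https://cdn.example.invalid/"  # hypothetical host


def serve_from_public_folder(path, requesting_user=None):
    """Vulnerable pattern: the folder is world-readable, so the identity of the
    requester is never consulted. Anyone holding (or guessing) the path gets
    the bytes. This is the behaviour the article describes."""
    return OBJECTS.get(path)


def sign_url(path, user_id, ttl_seconds=300, now=None):
    """Hardened pattern, step 1: issue a URL that is valid only for one user,
    one object and a short window. Forwarding the link to someone else gives
    them nothing, and it stops working after ttl_seconds."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    msg = f"{path}|{user_id}|{expires}".encode()
    sig = hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()
    return BASE_URL + path + "?" + urlencode({"u": user_id, "e": expires, "s": sig})


def authorize(url, requesting_user, now=None):
    """Hardened pattern, step 2: the object is released only if the signature
    verifies, the URL has not expired, the caller is the user the URL was
    issued to, and that user is on the object's access list.

    Returns (allowed, reason); the reason names which check failed."""
    now = int(time.time()) if now is None else now
    parsed = urlparse(url)
    path = parsed.path.lstrip("/")
    query = parse_qs(parsed.query)
    try:
        user_id = query["u"][0]
        expires = int(query["e"][0])
        sig = query["s"][0]
    except (KeyError, ValueError):
        return False, "missing-or-malformed-signature"
    if now > expires:
        return False, "expired"
    # Recompute over the path actually requested, so swapping the path in a
    # valid link invalidates the signature.
    expected = hmac.new(SIGNING_KEY, f"{path}|{user_id}|{expires}".encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False, "bad-signature"
    if requesting_user != user_id:
        return False, "wrong-user"
    if requesting_user not in ACL.get(path, set()):
        return False, "not-permitted"
    return True, "ok"


def serve_signed(url, requesting_user, now=None):
    """Hardened fetch: bytes only after authorize() succeeds."""
    allowed, _reason = authorize(url, requesting_user, now=now)
    if not allowed:
        return None
    return OBJECTS.get(urlparse(url).path.lstrip("/"))
```

The check that matters most is the last one in `authorize`: a valid signature proves the server issued the link, not that the holder is allowed to see the object, so the access-list lookup is still required. Binding the URL to a user ID also means that a leaked link, the exact situation in the article, is useless to anyone but the intended recipient.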
According to experts, exposed content of this kind poses a considerable risk to users, especially in regions where LGBT people face persecution. The images were not labelled with usernames or real names, however, which makes targeted attacks harder to mount.
In response to inquiries, a spokesperson for M.A.D Mobile expressed gratitude to the researcher for identifying the vulnerability and stated that precautions were taken to mitigate the problem. They also mentioned that an update for the apps would be available shortly. However, they did not provide further clarification on the company's location or the reasoning behind the months-long delay in addressing the security flaw.
Security researchers typically withhold details of a vulnerability until it has been fixed, so as not to put users at further risk. Nazarovas' team, however, chose to publish while the flaw was still live, citing concern that M.A.D Mobile was not taking adequate steps to resolve it. "It's always a difficult decision, but we believe the public needs to know to protect themselves," he explained.
This incident recalls the infamous 2015 breach of Ashley Madison, which resulted in the theft of sensitive customer data from users of the cheating-focused dating website. The revelation highlights ongoing security challenges in the realm of online dating and the critical importance of protecting user data.