Security researchers uncovered a significant vulnerability in five dating platforms operated by M.A.D Mobile, exposing approximately 1.5 million explicit user images. Despite being warned months prior, M.A.D Mobile took minimal action until prompted by media inquiries, prompting a wider discussion on data protection in niche dating apps.
Major Security Breach Exposes 1.5 Million Private Images from Dating Apps
Major Security Breach Exposes 1.5 Million Private Images from Dating Apps
An alarming discovery reveals that nearly 1.5 million private user images from kink and LGBT dating apps were unsecured online, raising concerns about data safety.
In a shocking finding, security experts have revealed that nearly 1.5 million private images from various kink and LGBT dating apps were left unprotected online, making them accessible to anyone with the link. The researchers detected the sensitive files containing explicit photographs primarily from five platforms managed by M.A.D Mobile, specifically the kink site BDSM People and LGBT-friendly apps Pink, Brish, Chica, and Translove.
These applications cater to an estimated community of around 800,000 to 900,000 users. The company was initially informed about this glaring security oversight on January 20, yet failed to resolve the situation until the BBC intervened via an email last week. Although the vulnerability has since been rectified, M.A.D Mobile has not disclosed the cause of the breach or its reasons for delaying action.
The vulnerability was first identified by ethical hacker Aras Nazarovas from Cybernews, who utilized code analysis to locate the unsecured storage housing the images. He expressed disbelief at the ease of accessing unencrypted images without any password protection. "The moment I began my investigation with BDSM People and discovered the first image was of a naked man, it became clear that the file should not have been public," he stated.
The implications of this security breach present severe risks to users, particularly for those in regions where being LGBT is a serious offense. While no personal identification was associated with the photos—thus complicating targeted attacks—malicious actors could still exploit the vulnerability for extortion purposes.
A spokesperson for M.A.D Mobile expressed appreciation for Nazarovas' discovery, indicating the company had taken corrective actions to mitigate the risk of a significant data breach. However, without concrete answers on their operational flaws or late response, concerns over user safety remain.
Security researchers often withhold findings until a breach is resolved to evade further jeopardizing users. Nonetheless, Nazarovas and his team felt compelled to inform the public immediately, emphasizing the urgent need for awareness to protect individuals against potential exploitation.
This incident transcends individual privacy concerns, echoing previous breaches involving dating platforms, including the infamous Ashley Madison hack in 2015 that leaked user data amid a major scandal. As dating apps proliferate, the necessity for robust data security measures in these platforms becomes increasingly critical.
