When an “ethical hacker” tapped into the student-created dating app Cerca, he hit the mother lode. 

Cerca refers to itself as a dating app “for mutuals, not strangers,” but Yale student Alex Schapiro’s alarming discovery suggests that strangers — including bad actors — may have easily accessed sensitive information, including the sexual preferences, phone numbers, private chats, and in some cases, driver’s licenses and images of scanned passports of thousands of users. 

“This is a hacker’s jackpot,” he told the Yale Daily News.

Schapiro informed Cerca’s development team of the lax security protections. Now, he alleges that Cerca hasn’t informed users that their sensitive information was at one point susceptible to hackers.  

Schapiro’s discovery sparked conversations about whether the students who create public dating apps have the experience and resources necessary to keep people safe. 

A Yale Student Discovered a Hacker Treasure Trove 

All it took was a standard proxying tool (Charles Proxy), a Python script, and a few hours for Schapiro to gain access to hundreds of users’ sensitive data. Schapiro explained his findings in more detail in a blog post titled “How Broken OTPs and Open Endpoints Turned a Dating App Into a Stalker’s Playground.” 

Schapiro’s initial investigation into Cerca’s security measures unearthed an obvious flaw in the OTP-based sign-in, which suggested that “anyone’s account can be accessed with just their phone number,” he explained. 

Schapiro then wrote a Python script that gave him access to user IDs, which in turn let him reach those particular accounts and see everything from a user’s address and phone number to their sexual preferences and private chat logs. 
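As an added illustration (not Cerca’s code and not Schapiro’s script), the two server-side checks whose absence the blog post’s title points at: OTP verification that is bound to the phone number, expires, and caps wrong guesses, and a profile endpoint that releases a record only to its owner’s session. The `OtpAuth` class, the `USERS` table and `get_profile` are assumed, simplified stand-ins.

```python
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # a code dies five minutes after it is issued
MAX_ATTEMPTS = 5        # wrong guesses allowed before a fresh code is required

# Constructed sample records standing in for a user table; not real people or data.
USERS = {
    101: {"phone": "+15550000101", "name": "Alice", "address": "1 Elm St", "chats": ["hi"]},
    102: {"phone": "+15550000102", "name": "Bob", "address": "2 Oak St", "chats": ["hey"]},
}

class OtpAuth:
    """Assumed phone-number OTP sign-in model; the checks are the point, not the storage."""
    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be exercised offline
        self._pending = {}       # phone -> {"code", "expires", "attempts"}
        self.sessions = {}       # session token -> user_id

    def request_code(self, phone):
        # Six random digits from a CSPRNG, never derived from the phone number or a counter.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = {"code": code, "expires": self._clock() + OTP_TTL_SECONDS, "attempts": 0}
        return code   # in production this goes to the SMS gateway only; never echo it in the API reply

    def verify(self, phone, code):
        """Issue a session only when the submitted code matches the one issued for this phone."""
        entry = self._pending.get(phone)
        if entry is None or self._clock() > entry["expires"]:
            self._pending.pop(phone, None)
            return None
        if not hmac.compare_digest(entry["code"].encode(), str(code).encode()):
            entry["attempts"] += 1
            if entry["attempts"] >= MAX_ATTEMPTS:
                del self._pending[phone]     # lock out brute-forcing of the six digits
            return None
        del self._pending[phone]             # one-time use
        user_id = next((uid for uid, u in USERS.items() if u["phone"] == phone), None)
        if user_id is None:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = user_id
        return token

def get_profile(auth, token, user_id):
    """Object-level authorization: a record is released only to the session of its owner."""
    if auth.sessions.get(token) != user_id:
        return None
    return USERS[user_id]
```

Knowing a phone number alone yields nothing here: without the matching code there is no session, and without a session for that exact user ID there is no record.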

SecurityScorecard specifically mentioned endpoint security as a chronically weak aspect of many dating platforms, which mirrors Schapiro’s findings on Cerca. 

“This is an insane leak!!” he wrote in the blog post. Schapiro asserted that, as an ethical hacker, he never accessed the sensitive user info, and only used it to inform Cerca of his findings. The development team was receptive to his findings, but when he asked for updates throughout March, he received, as he said, “radio silence.” 

He confirmed that the security issues he brought to Cerca’s attention “have since been patched,” but that Cerca’s lack of communication with him or, seemingly, with its user base, points to a more widespread, and pervasive, problem in the industry. 

“Too few people know how to make secure apps — and the rush to market puts consumers at risk,” he said. 

When dating apps purport to be “safe,” users typically take them at face value. “If someone with malicious intent got their hands on this info, it could lead to identity theft, stalking, blackmail — you name it,” he said. “People need to prioritize securing user data, not just shipping an app they think can go viral.” 

Cerca Fixed The Issues, But Has Not Informed Users 

Cerca acknowledged that a “good-faith researcher” informed its developers of security risks and that they “took immediate steps to address it,” including connecting with a cybersecurity firm to keep them abreast of glitches and security leaks. 

The dating app also claimed it found “no evidence to indicate that any other unauthorized party has accessed user data for the entire life of our company.” The Yale Daily News asserts that Cerca has not told its users about the security breach Schapiro discovered. 

Like its creators, Myles Slayton and Willy Conzelman, seniors at Georgetown University, the app is young: it debuted in early 2025. It already claims to have over 10,000 users affiliated with multiple colleges and universities. On Cerca, users can only match with someone with whom they share a contact. 

“Cerca is a dating app designed to discreetly connect people within their existing social circles, offering a safe, intimate, and ‘initially anonymous’ dating environment,” according to the app’s Apple Store description. “Cerca’s anonymity is key — names will only be revealed when you match.”

Cerca was seemingly created to make dating apps safer for college students — “Cerca, through its social network, adds a layer of protection, confidence, and social accountability,” the app claims. But Schapiro’s findings prove how slippery cybersecurity can be in the modern world. 

When Startups Juggle Enthusiasm and Inexperience 

A young person’s fresh perspective, innovative ideas, and technological intuition may come at an unexpectedly simple price: Inexperience leads to mistakes. And when companies are dealing with sensitive user information, mistakes can have devastating consequences. 

One such potential consequence: Yale Law School resident fellow Dr. Maria Angel Arango told the Yale Daily News that Cerca’s silence following the data breach may have legal repercussions. 

“Every U.S. state, including D.C., has its own data breach notification law,” she said. “If Cerca’s data breach affected people in multiple states, they may need to comply with multiple state laws simultaneously.” 

When dating app startups are created in college dorm rooms, people get excited about the future of the dating app industry. But Schapiro said these startups should also generate a fair amount of skepticism, especially among their own developers. 

“You can’t expect all users to do the checking that I did in this article,” Schapiro wrote in his blog post. “Who knows how many people already had access to all this data before I found it?” 

Cerca has not publicized further comments on the security leak or confirmed whether users have been notified.