Key Takeaways
- A recent data breach at the dating app RAW exposed sensitive user information, such as sexual preferences and locations.
- The culprit was an IDOR bug, an avoidable flaw that allowed unauthorized access to sensitive user information.
- As data leaks pick up speed, daters value cybersecurity and safety more than ever.
TechCrunch recently uncovered a security breach on the dating app RAW that exposed sensitive user data, from birthdays and usernames to sexual preferences and street names.
“Your information is cloaked in encryption and guarded like a princess in a castle by our devs. We don’t sell or share your info in any way — your privacy is a promise we don’t break,” RAW claims on its site.
TechCrunch’s investigation revealed a different story.
“TechCrunch found no evidence that the app uses end-to-end encryption,” it noted. “Instead, we found that the app was publicly spilling data about its users to anyone with a web browser.”
RAW addressed the leak shortly after TechCrunch informed the dating app of its findings. “All previously exposed endpoints have been secured, and we’ve implemented additional safeguards to prevent similar issues in the future,” Marina Anderson, RAW’s co-founder, assured TechCrunch.
But this is only the latest in a series of security lapses on dating platforms.
Sensitive information was leaked from the dating app Cerca, as well as the platforms PINK, BRISH, and TRANSLOVE. These leaks naturally raise questions about how safe one’s personal information really is on dating apps.
RAW’s case in particular points to a growing issue in the world of dating apps: apps’ inability, or reluctance, to take the necessary steps to keep users’ private information safe from bad actors.
Dating App Users Want To Know Their Private Info is Safe
According to TechCrunch, RAW’s data vulnerability was caused by an insecure direct object reference, also known as an IDOR bug. This type of bug allows unauthorized users to access sensitive user information simply by modifying, say, a user ID, even if they don’t have permission to view the data.
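To make the IDOR pattern described above concrete, here is an added illustration (not code from RAW or TechCrunch): a lookup that trusts the ID in the request, beside one that checks that ID against the logged-in user. The record fields, function names and IDs are constructed for the example and do not reflect RAW's actual API.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample records; field names are illustrative, not RAW's schema.
PROFILES = {
    101: {"owner_id": 101, "display_name": "alex", "birthday": "1994-03-02"},
    102: {"owner_id": 102, "display_name": "sam", "birthday": "1990-11-17"},
}
PUBLIC_FIELDS = {"display_name"}  # what other users are allowed to see


class Forbidden(Exception):
    """Raised when the caller may not read the requested object."""


@dataclass(frozen=True)
class Session:
    # Set by the server from a verified login, never taken from the request.
    user_id: int


def get_profile_vulnerable(requested_id: int) -> dict:
    # IDOR: the record is selected purely by the ID supplied in the request.
    # No session is consulted, so every valid ID returns the full record.
    return PROFILES[requested_id]


def get_profile_checked(session: Optional[Session], requested_id: int) -> dict:
    # 1. Require an authenticated session before touching any data.
    if session is None:
        raise Forbidden("authentication required")
    # 2. Unknown ID: refuse with a generic error.
    profile = PROFILES.get(requested_id)
    if profile is None:
        raise Forbidden("not available")
    # 3. Object-level authorization: the owner gets the full record,
    #    anyone else gets only the fields marked public.
    if profile["owner_id"] == session.user_id:
        return dict(profile)
    return {k: v for k, v in profile.items() if k in PUBLIC_FIELDS}
```

The fix is the comparison in step 3: the server decides what to return from who is asking, not only from which ID was asked for.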
DatingNews spoke to our resident tech expert, HostingAdvice’s Jordan Sprogis, about how this problem occurred and why it’s seemingly so prevalent in the app industry.
“The IDOR bug that RAW experienced isn’t really unusual, but it should have been caught long before it was,” Sprogis told us. “Data vulnerabilities like this only prove that every business — not just the big players, like Tinder and Bumble — should already be prioritizing security.”
This is especially true if, like many dating apps, a company depends on users to input their personal information, such as their name, location, sexual preferences, and other identifying details.
“Hackers today are way too motivated to let these things go unchecked,” Sprogis said. “If there’s anything I’ve learned from today’s environment, cybersecurity should never come second.”
Jennifer Stisa Granick, surveillance and cybersecurity counsel, and Daniel Kahn Gillmor, a senior staff technologist, both of the American Civil Liberties Union, agreed that end-to-end encryption benefits the consumer and the app company.
“The global public wants strong cybersecurity protections, the ability to conduct private and intimate conversations without surveillance, and safety from abusive governments, retaliatory bosses, abusive partners, fraudsters, intrusive marketers, and criminals alike,” they wrote in a joint post.
Providing end-to-end encryption keeps the consumer’s sensitive information safe, which protects the app from the types of leaks that undermine trust and privacy. It makes the app feel like a safe space, which is vital for daters sharing their most sensitive information, such as their sexual preferences, fantasies, and location.
Safety is Usually a Dealbreaker
Dating app users take their safety seriously. There’s a reason why 57% of surveyed women reported feeling unsafe while online dating, according to a 2023 Pew Research survey. Too often, apps compromise security in an effort to cut corners.
It’s partly why 49% of adults overall said they felt either not too safe or not at all safe when using online dating platforms.
Anderson told TechCrunch that RAW would “submit a detailed report to the relevant data protection authorities under applicable regulations,” but it’s unclear whether RAW has notified its own users about the data breach.
TechCrunch also reported that RAW hadn’t performed a third-party security audit, choosing instead to “focus … on building a high-quality product and engaging meaningfully with our growing community.”
Sprogis explained why this just doesn’t cut it in today’s digital world.
“It’s so easy to work with a third-party pentester,” she said. “They can catch issues your team may not have otherwise noticed and help fix them. There’s really no excuse for apps that collect personal and sensitive data, especially the kind that’s often mined, to skip that step.”
Authenticity is prized above all at RAW, but that doesn’t mean its users want everyone to know their private information. When it comes to safety, there’s so much more to lose. This is why app users depend on the dating app industry to stick to best practices to keep their personal information safe and sound.