Key Takeaways
- Nearly 1.5 million images were leaked, and users who depend on anonymity for their safety may be at risk.
- Cybernews reports that several apps in the kink and LGBTQ+ space have made sensitive user info, including images, accessible to the public.
- The leak highlights the need for stronger user security and the ongoing battle against romance scams and online predators in the dating industry.
Matters of the heart are usually kept between two people — until they aren’t.
Thousands of people experienced this for themselves when their highly sensitive content, including passwords, public posts, and private photos sent through direct messages, was recently leaked from several Apple iOS dating and relationship apps.
By “dating apps,” we don’t mean Tinder or Hinge. Some of the apps involved in the info leak are more controversial, including BDSM People and CHICA, a sugar dating app.
PINK, BRISH, and TRANSLOVE, all dating apps catering to the LGBTQ+ community, were also involved in the leaks, sparking concerns for the safety of queer users in LGBTQ+ unfriendly areas.
Cybernews reports that about 1.5 million user images, including profile verification images and images removed for violating photo guidelines, were left unprotected by the apps they were uploaded to.
These apps all share the same parent company, M.A.D. Mobile Apps Developers Limited, which raises further questions about how the company plans to keep its users — and their sensitive info — safe.
How Did This Happen?
After a massive investigation, Cybernews discovered that private user data, also known as “user secrets” because of its confidential nature, was exposed in the apps’ source code. Passwords, encryption keys, and API keys are just a few secrets that could seriously threaten the user’s security if they end up in unauthorized hands.
As part of its investigation, Cybernews analyzed 156,000 iOS-exclusive apps and found that 71% had at least one piece of sensitive user data exposed in their code.
Cybernews found that Google Cloud Storage buckets that aren’t password protected are particularly vulnerable to bad actors. They often contain private photos that the user probably doesn’t want anyone but the original intended recipient to see.
Because these secrets were exposed in the apps’ code, they were completely unprotected — and accessible to anyone who knew what to look for. It’s the exact type of oversight that bad actors hope for.
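A release-time check a developer could run against their own app bundle to catch the oversight described in this section, added here as an example and not taken from Cybernews or from the apps involved: it walks a config plist and flags hardcoded secrets and storage bucket references. The sample plist, its key names and the rule names are constructed assumptions; the `AIza` pattern is the common Google API key format.

```python
import plistlib
import re

# Constructed sample of a config plist shipped in an app bundle (not real data).
SAMPLE = plistlib.dumps({
    "DisplayName": "ExampleApp",
    "API_KEY": "AIza" + "0" * 35,
    "STORAGE_BUCKET": "example-app-uploads.appspot.com",
    "backend": {"db_password": "constructed-not-real"},
})

# Key names that suggest a secret was written into the bundle.
NAME_RULE = re.compile(r"passw(or)?d|secret|token|api[_-]?key|private[_-]?key", re.I)
# Value shapes worth a review regardless of the key name.
VALUE_RULES = {
    "google-api-key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    # Not a secret by itself: a prompt to confirm the bucket is not publicly readable.
    "storage-bucket-reference": re.compile(
        r"gs://[\w.\-]+|[\w.\-]+\.appspot\.com|storage\.googleapis\.com/[\w.\-]+"),
}

def walk(node, path=""):
    """Yield (path, text) for every string or bytes leaf in a nested plist."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}/{index}")
    elif isinstance(node, bytes):
        yield path, node.decode("utf-8", "replace")
    elif isinstance(node, str):
        yield path, node

def audit(plist_bytes):
    """Return (path, matched rules, redacted preview) for each suspicious entry."""
    findings = []
    for path, value in walk(plistlib.loads(plist_bytes)):
        rules = [name for name, rx in VALUE_RULES.items() if rx.search(value)]
        if NAME_RULE.search(path.rsplit("/", 1)[-1]):
            rules.append("secret-like-key-name")
        if rules:
            # Redact the value so the audit log does not leak the secret again.
            findings.append((path, sorted(rules), value[:4] + "..."))
    return findings

if __name__ == "__main__":
    for path, rules, preview in audit(SAMPLE):
        print(f"{path}: {', '.join(rules)} ({preview})")
```

A finding on a key or password means the value belongs on a server the app authenticates to, not in the shipped bundle; a bucket finding means its access policy needs checking.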
What’s The Danger?
With this type of info leak, there’s more at risk than an embarrassing photo making the rounds on social media. For LGBTQ+ app users, leaked photos of a sexual nature could put them in serious danger, depending on their location and circumstance.
According to Norman Shamas, a queer activist and security-and-privacy harm-reduction specialist, apps that cater to LGBTQ+ identities “act as a digital convening point for developing communities, exploring individual identities, and escaping heteronormative surroundings.”
“The platforms can also afford a greater degree of anonymity for someone who wishes to remain in the closet in their public life,” they added. That is, until this anonymity is destroyed.
TRANSLOVE, for example, is marketed as “a friendly and safe app for trans, queer, and all people looking for love, friendship, or just meaningful conversation,” but Cybernews found that the app’s lax security standards put its users at risk.
At best, TRANSLOVE’s users could be blackmailed out of their life’s savings. At worst, their identities could be uncovered, and they could be physically targeted by predators as a result.
And just because the leaked info didn’t contain names or addresses doesn’t mean each user’s identity will remain hidden. On BDSM People, for example, 270,000 user profile pictures were leaked, and all it takes is a simple reverse image search for a fraudster to find their next victim.
As the dating industry continues its war against romance scams, sexual exploitation, and blackmail, massive leaks like this only make it easier for bad actors to get ahead.
“Con artists are present on most dating and social media sites,” according to the FBI, and they all look out for sensitive information that can make it easier to emotionally and financially manipulate people.
As of writing, M.A.D. Mobile Apps Developers Limited has yet to comment on the leak.