Brazilian Lesbian Dating App Sapphos Shuts Down After Security Flaw
A brand new Brazilian dating app tailored for lesbian users, Sapphos, has ceased operations after researchers flagged a critical security vulnerability capable of exposing highly sensitive user data. The app, which had only launched in early September, required identity verification via a selfie paired with a government-issued ID, but it lacked the basic API protections necessary to safeguard those assets.
Independent cybersecurity researchers identified an insecure direct object reference (IDOR) within the platform’s API, which allowed unauthorized users to access identity verification selfies and personal data such as names and birthdays from other users. Despite initial denials by the developers, screenshots shared by the researchers contradicted claims that no personal data had been compromised.
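As an added illustration (not code from Sapphos or from the researchers), the sketch below shows the class of flaw described above and the object-level ownership check that closes it. The record layout, function names and sample users are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VerificationRecord:
    owner_id: int
    name: str
    birthday: str
    selfie_key: str  # storage key of the identity-verification selfie


# Constructed sample data, not taken from the real service.
RECORDS = {
    101: VerificationRecord(101, "Ana", "1994-03-02", "selfies/101.jpg"),
    102: VerificationRecord(102, "Bia", "1990-11-17", "selfies/102.jpg"),
}


class Forbidden(Exception):
    """Raised for both missing and foreign records, so ids cannot be probed."""


def get_record_vulnerable(session_user_id, requested_id):
    # IDOR: the caller is logged in, but the id from the request is trusted
    # as-is and never compared with the session's user.
    return RECORDS[requested_id]


def get_record_hardened(session_user_id, requested_id, audit_log):
    record = RECORDS.get(requested_id)
    if record is None or record.owner_id != session_user_id:
        # Record the denial so repeated cross-account requests are visible.
        audit_log.append((session_user_id, requested_id))
        raise Forbidden("not authorized for this record")
    return record


def foreign_ids_requested(audit_log, session_user_id):
    # Distinct ids one session was refused; a growing set suggests enumeration.
    return {rid for uid, rid in audit_log if uid == session_user_id}
```

The hardened lookup takes the user identity from the authenticated session only, and the audit log gives operators a signal when one account keeps asking for records it does not own.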
In response, the women-led development team took the app offline “to focus on cybersecurity,” removed the user database, and notified approximately 17,000 users that their data had been erased. Premium subscribers, who paid up to 500 reais (around £68 GBP or $91 USD), received refunds. The app remains offline as Sapphos intends to resume operations only after a comprehensive overhaul, including improved cybersecurity protocols and restructured development processes.
Sapphos initially portrayed the incident as a malicious attack, hinting it was orchestrated by “a group of men.” However, the company later conceded that it stemmed from an oversight and confirmed it had filed complaints with Brazil’s cybercrime authorities. The team also pledged to rebuild the platform from scratch with robust security measures and a larger development team.

