Multiple LGBTQ+ Dating And Kink iOS Apps See User Info Leaks

A major data leak has exposed sensitive user information from five iOS dating apps catering to the LGBTQ+, BDSM, and Sugar Daddy communities. Cybernews researchers discovered that these apps, all developed by M.A.D Mobile Apps Developers Limited, had left critical security credentials publicly accessible in their code. These exposed secrets granted access to a vast trove of user photos stored in unprotected Google Cloud Storage buckets.

Among the affected apps are BDSM People, Brish (a gay dating app), Chica (focused on Sugar Daddy dating), Pink (for lesbian users), and Translate (for transgender users). The scale of the breach is significant, with 1.5 million user-uploaded photos compromised, including private messages, profile verification images, and even photos that had been removed by moderators for violating platform rules.

BDSM People was particularly affected, with researchers gaining access to a data storage bucket containing 1.6 million files. This included 541,000 user-uploaded images, 90,000 chat photos, and 270,000 profile pictures. Chica’s data breach also exposed tens of thousands of images, including over 94,000 profile photos and thousands of private messages.

The security lapse raises concerns not only about privacy violations but also the potential for blackmail or other malicious activities. These apps are exclusive to iOS, and the problem isn’t specific to just these apps, but may actually be a larger problem that could be present in many apps across the App Store – meaning that there may be some major changes to app security in the coming months, especially within the dating and hookup space.