Dating App Bug Leaves 1.5M Sensitive Photos 'Publicly Accessible to Anyone' (2025)

Over 1.5 million user photos collected by dating apps available on the iOS App Store, mainly catering to the LGBTQ+, BDSM, and “sugar dating” communities, have been compromised, according to a new report.

Data that was left "publicly accessible to anyone" included explicit content sent between users via direct messaging, as well as profile photos, public posts, profile verification images, and photos removed due to rule violations, Cybernews reports. Affected apps include SM People, Chica, Translove, Pink, and Brish. All the apps were developed by M.A.D. Mobile Apps Developers, a UK-based company.

Cybernews says its researchers "downloaded 156,000 iOS apps, around 8% of all apps on the Apple Store [and] discovered that app developers are leaving plaintext credentials in the application code accessible to anyone."

In the case of BDSM People, researchers think this app alone leaked 541,000 private images, including 90,000 from users' direct messages. Meanwhile, the sugar dating app Chica is thought to have leaked 133,000 photos, including private chats.

M.A.D. Mobile Apps Developers have yet to officially comment on the news.

Cybernews's research suggests that this type of data leak could put users at significant risk further down the road. “With homosexuality being illegal in some countries, the leak could put app users at high risk of persecution,” said the report, emphasizing how sensitive images of this type can be used for extortion, social engineering, and attempts to damage a person’s professional reputation.

Researchers outlined how the necessary credentials to access sensitive data were stored in the code of the apps themselves, which could then have been used to find images stored externally in other locations (all the dating apps shared the same basic architecture). Even if the images didn't have names or registration emails attached, the researchers noted how techniques like reverse image search could be used to identify the people in the pictures.

Dating app breaches can have big consequences for those involved. Ashley Madison, a dating site for extramarital affairs, was hit by a data breach in 2015, which resulted in the personal data of 32 million users being leaked by a hacking group. As a result, several cases of blackmail and extortion were reported, and two suicides were even linked to the case.

The LGBTQ+ community has been hit hard before by data leaks. In 2021, it was revealed that the gay dating app Grindr shared sensitive user data, including HIV status and GPS location data, with third-party companies back in 2018. In 2023, some mobile tracking data from Grindr waspurchased by a conservative Catholic group in Colorado, which used it to identify gay priests across the US.