Massive Data Breach Exposes 1.5 Million Photos from Dating Apps on iOS

A recent investigation has uncovered a major security lapse affecting over 1.5 million user photos from dating apps available on Apple’s iOS App Store. The exposed data primarily comes from apps serving the LGBTQ+, BDSM, and sugar dating communities, raising serious privacy concerns.

Sensitive User Data Left Unprotected

According to Cybernews, explicit photos exchanged through direct messages, profile pictures, public posts, and even images removed for policy violations were left publicly accessible. The affected apps include SM People, Chica, Translove, Pink, and Brish—all developed by UK-based M.A.D. Mobile Apps Developers.

Security researchers from Cybernews found that developers had stored plaintext credentials directly in the application code, making them easily retrievable. The team analyzed 156,000 iOS apps—roughly 8% of all apps on the App Store—and discovered that many developers fail to properly secure sensitive data.

Scale of the Leak

One of the most severely impacted apps, BDSM People, is estimated to have exposed 541,000 private images, including 90,000 photos from user messages. Meanwhile, the sugar dating app Chica reportedly leaked 133,000 images, some of which came from private conversations.

As of now, M.A.D. Mobile Apps Developers has not released an official statement regarding the breach.

Risks to Users

Cybernews warns that this type of data exposure could have serious consequences. In regions where homosexuality is criminalized, affected users could be at risk of persecution. Additionally, leaked intimate images could be exploited for blackmail, social engineering, or professional sabotage.

How Was the Data Accessed?

Researchers identified that credentials stored in the app code allowed them to locate externally hosted images. Since all the affected apps share a common architecture, the same security flaws made it easy to access images across multiple platforms. Even though the leaked photos were not directly linked to usernames or emails, they could still be traced back to individuals through reverse image searches.

A History of Dating App Breaches

This incident is not the first time dating apps have been caught mishandling sensitive data:

Ashley Madison Breach (2015): The extramarital affair site suffered a massive breach that exposed 32 million users, leading to cases of blackmail, extortion, and even suicides.
Grindr Data Scandals:
- In 2018, Grindr was found to be sharing user data, including HIV status and GPS locations, with third-party companies.
- In 2023, a conservative group purchased mobile tracking data from Grindr and reportedly used it to identify gay priests in the U.S.

With dating app security failures repeatedly putting users at risk, experts stress the importance of stronger data protection measures and responsible handling of sensitive user information.