1.5M private photos exposed from LGBTQ+, BDSM & sugar dating apps
March 2025 by Cybernews
The Cybernews research team has uncovered a massive privacy oversight: iOS dating apps catering to the LGBTQ+, BDSM, and sugar dating communities have leaked nearly 1.5 million private user photos – including explicit images sent in private messages.
Apps developed by M.A.D Mobile Apps Developers Limited, including BDSM People, CHICA, TRANSLOVE, PINK, and BRISH, were found exposing sensitive user data due to publicly accessible hardcoded secrets in their code.
This flaw allowed unauthorized access to storage buckets containing highly sensitive content, putting users at risk of extortion, social engineering attacks, and, in some cases, even persecution in countries where LGBTQ+ identities are criminalized.
Key takeaways:
• 1.5 million private images exposed, including verification photos, chat images, and moderator-removed content.
• BDSM People app alone leaked 541,000 private images, including 90,000 from direct messages.
• Sugar dating app CHICA leaked 133,000 photos, including private chats.
• Three LGBTQ+ dating apps exposed over 1.1 million images, with BRISH, PINK, and TRANSLOVE all compromised.
• Hardcoded API keys and storage credentials allowed full access to Google Cloud Storage, with no authentication required.