Nearly 1.5 million private images from specialized dating apps are at risk after being found stored online without adequate access controls, an exposure that leaves users open to hacking and blackmail. Researchers identified that several platforms developed by M.A.D Mobile, including the kink site BDSM People and the LGBT apps Pink, Brish, and Translove, were affected.
The exposed data consists of explicit images used within the applications and affects an estimated 800,000 to 900,000 users. M.A.D Mobile was first alerted to the vulnerability on January 20 but did not resolve it until inquiries from BBC World Service prompted a response last Friday. The company has since said it fixed the problem, but gave no details about how the exposure occurred or why it went unaddressed for so long.
Ethical hacker Aras Nazarovas from Cybernews uncovered the security hole, gaining access to the unencrypted images simply by analyzing the application's code. What he found included sensitive personal photographs, images sent privately between users, and images that moderators had removed. Nazarovas said he was shocked by how easy the content was to reach, and stressed the risk to individuals who could be targeted by malicious actors or endangered in countries hostile to the LGBTQ+ community.
While no text from private messages was exposed alongside the images, Nazarovas noted that it would still be entirely feasible for hackers to exploit this sensitive material for personal gain. M.A.D Mobile said it was grateful to the researcher for revealing the flaw and helping to prevent a broader breach. However, the company did not answer questions about where it is based or why it reacted so slowly to repeated warnings.
In an unusual move, Nazarovas and his team chose to go public with the vulnerability while it was still unfixed, out of concern for user safety. Such decisions pose a moral dilemma for security researchers, who normally want a flaw fixed before it is disclosed so as not to put users at further risk. The incident echoes earlier breaches, most notably the 2015 Ashley Madison data theft, and highlights persistent weaknesses in the online dating sphere.