1.5 Million Privacy Violations: Intimate Images from Kink & LGBTQ+ Apps Left Exposed
A cybersecurity researcher discovered that five iOS-only dating apps—BDSM People, Chica, Pink, Brish, and Translove—all developed by UK-based M.A.D. Mobile, left nearly 1.5 million images publicly accessible without any password protection. The exposed files included content from private message threads, profile verifications, moderator-removed photos, and user posts.
🧩 Who Was Impacted & Why It Matters
These apps cater to kink, sugar dating, queer, trans, and LGBTQ+ communities—often in countries where non-heteronormative identities remain criminalized or socially stigmatized. Leaked images could potentially out users, putting them at risk of social backlash, legal persecution, financial extortion, or blackmail.
⚠️ How the Leak Happened: Secrets in the Code
The root cause? API credentials and encryption keys hardcoded in app source files — known as “secrets” — enabled attackers to locate and access Google Cloud buckets containing sensitive data. No authentication or encryption stood in the way.
⏳ Delay in Fixing: Months of Exposure
M.A.D. Mobile was alerted to the vulnerability on January 20, but took no action until March 28, only after researchers made the issue public. That two-month window left users’ images exposed to anyone probing unprotected storage servers.
🔒 Fallout & Implications
Cybersecurity experts warn of grave impacts:
Identity risk: No usernames were attached, but face-recognition tools and reverse-image searches could still expose individuals.
Blackmail potential: The cache of images offers fuel for extortion, especially targeting closeted or prominent users.
Emotional trauma and social jeopardy: The scale and sensitivity of the data magnify the emotional harm for victims of image-based sexual abuse (IBSA), which disproportionately affects LGBTQ+ people.
Malign actors can deploy scraped images in real-time feeds for social engineering or to wage coordinated harassment campaigns.
🧪 Broader Context: Dating Apps Are Prize Targets
This isn’t an isolated incident. Dating apps that store real, intimate data without proper security are a recurring pattern:
Explicit content leaks from platforms like Ashley Madison and Adult FriendFinder exposed millions of private details, triggering suicides, scandals, and legal fallout.
Surveys estimate 22.6% of adults globally experience IBSA, a crime with chilling psychological impacts, especially among LGBTQ+ communities.
✅ What Should Change: Best Practices Moving Forward
For App Developers
Secure cloud buckets with authentication and encryption
Avoid embedding sensitive credentials in client apps
Regularly conduct audits and penetration tests to detect vulnerabilities
Provide timely patching and transparent user communication
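A release check for the first two items above, added here as an example; it is not M.A.D. Mobile's code and not from the original report. It scans text extracted from an app bundle for hardcoded credentials and bucket references, and flags bucket IAM bindings that grant access to everyone. The file names, bucket name and policy are constructed samples, and the policy is assumed to be in the Cloud Storage IAM JSON format.

```python
import json
import re

# Credential patterns, plus bucket references whose policy should be audited.
SECRET_PATTERNS = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "private_key_pem": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "gcs_bucket_ref": re.compile(
        r"(?:gs://|storage\.googleapis\.com/)[a-z0-9][a-z0-9._\-]{1,61}[a-z0-9]"),
}
# IAM members that make a Cloud Storage bucket readable by anyone.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}


def scan_for_secrets(files):
    """Return sorted (filename, line_no, kind) for each finding in the bundle text."""
    findings = []
    for name, text in files.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(line):
                    findings.append((name, line_no, kind))
    return sorted(findings)


def public_bindings(policy_json):
    """Return sorted (role, member) pairs that grant access to everyone."""
    policy = json.loads(policy_json)
    return sorted(
        (binding.get("role", ""), member)
        for binding in policy.get("bindings", [])
        for member in binding.get("members", [])
        if member in PUBLIC_MEMBERS
    )


# Constructed sample input: text as it might be extracted from an app bundle.
SAMPLE_FILES = {
    "Config.plist": "<key>API_KEY</key>\n<string>AIza" + "X" * 35 + "</string>\n",
    "Uploader.swift": 'let base = "https://storage.googleapis.com/example-app-uploads/"\n',
    "Theme.swift": 'let accent = "#ff3366"\n',
}
# Constructed sample policy for the bucket referenced above.
SAMPLE_POLICY = json.dumps({"bindings": [
    {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
    {"role": "roles/storage.admin", "members": ["user:ops@example.com"]},
]})

if __name__ == "__main__":
    for finding in scan_for_secrets(SAMPLE_FILES):
        print("hardcoded value:", finding)
    for role, member in public_bindings(SAMPLE_POLICY):
        print("public bucket access:", role, member)
```

Failing the build on any finding from either function keeps both the credential and the open bucket out of a shipped release.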
For Users
Stick to apps with strong privacy reputations
Avoid sending explicit content if you're not fully confident in the platform
Reverse-image search any intimate material before sharing
Monitor your digital reputation and act quickly if you suspect data leakage
🧭 Final Word: A Devastating Breach of Trust
This data breach shattered the safety net of trusted spaces for marginalized communities—places meant to offer discretion, connection, and consent. The leak underscores a stark reality:
When platforms promise anonymity and security yet fail to enforce them, the lives and dignity of users are at stake.
Trust is not just a feature—it’s a lifeline. Let’s hold platforms accountable so intimate content remains private, consensual, and safe—not public fodder.