
Researchers have uncovered a massive data leak from iOS dating apps: more than 1.5 million private photos, including intimate images from chats, were made public through improperly configured cloud storage. The leak affected users of the BDSM People, CHICA, TRANSLOVE, PINK, and BRISH apps, who are particularly vulnerable due to their membership in marginalized communities.
Profile photos, private messages, images removed by moderators, verification photos, and content from public posts were exposed. The reason is that the developer, M.A.D Mobile Apps Developers Limited, stored API secrets, project IDs, and access keys directly in the app code. This allowed attackers to automatically connect to Google Cloud storage, which had no passwords or restrictions.
The risks for LGBTQ+ users stand out, especially in countries where homosexuality is criminalized. Hackers can use the leaked images for blackmail, phishing, social engineering, and discrediting even without an email address or nickname, using OSINT methods such as reverse image search.
The study covered 156,000 iOS apps. All of the mentioned apps belong to the same developer, which explains why they share the same architectural flaw. Among the victims:
Despite the lack of email addresses and nicknames, the photo leak poses real threats to the security, reputation, and privacy of users. The situation proves once again that code vulnerabilities are human vulnerabilities. Cybernews awaits a response from developers and urges Apple to pay attention to the App Store app review policy.
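The root cause described above, secrets shipped inside the app itself, is something a developer can check for before release. The following is an added example, not code from the researchers or the developer: it scans a build's property-list file for secret-like entries, and the key-name heuristics, function names and sample plist are constructed assumptions.

```python
import plistlib
import re

# Key names that suggest a credential was bundled into the app (assumed heuristic list).
SECRET_NAME = re.compile(r"(secret|api[_-]?key|access[_-]?key|token|password)", re.I)
# Value shapes: Google API keys start with "AIza" followed by 35 URL-safe characters.
SECRET_VALUE = {
    "google-api-key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}

def walk(node, path=""):
    """Yield (path, value) for every string leaf in a nested plist structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, f"{path}/{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def find_embedded_secrets(plist_bytes):
    """Return sorted (path, reason) findings for the bytes of one plist file."""
    findings = set()
    for path, value in walk(plistlib.loads(plist_bytes)):
        leaf = path.rsplit("/", 1)[-1]
        if SECRET_NAME.search(leaf) and value.strip():
            findings.add((path, "secret-like key name"))
        for label, pattern in SECRET_VALUE.items():
            if pattern.search(value):
                findings.add((path, label))
    return sorted(findings)

# Constructed sample input: not taken from any real app.
SAMPLE = plistlib.dumps({
    "CFBundleName": "DemoApp",
    "Backend": {
        "PROJECT_ID": "demo-project-000",
        "API_KEY": "AIza" + "A" * 35,
        "STORAGE_BUCKET": "demo-project-000.example.invalid",
        "ClientSecret": "constructed-not-a-real-secret",
    },
})

if __name__ == "__main__":
    for path, reason in find_embedded_secrets(SAMPLE):
        print(f"{path}: {reason}")
```

A finding here means the value ships to every device that installs the app, so the storage behind it has to enforce its own access rules rather than rely on the key staying private.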