A sweeping investigation by cybersecurity researchers has uncovered a major privacy breach involving iOS dating apps catering to the BDSM, LGBTQ+, and sugar dating communities. The exposed data includes over 1.5 million user-uploaded images—some of them private, explicit, and shared via direct messages—posing serious risks to user safety and anonymity.
The apps—BDSM People, CHICA, TRANSLOVE, PINK, and BRISH—were found to contain publicly accessible secrets embedded in their app code. These “secrets” include credentials such as API keys, database URLs, storage bucket addresses, and client IDs, all of which were left unencrypted within the applications developed by M.A.D Mobile Apps Developers Limited.
Researchers from Cybernews, who conducted a large-scale audit of over 156,000 iOS apps, found that the leaked credentials provided open access to Google Cloud Storage buckets used by these apps to store user images. Critically, these buckets were not password-protected, making the data accessible to anyone with the URLs or tools to extract them.
Among the exposed content:
BDSM People – Kinky Fetish Dating
- 1.6 million files, over 128GB of data
- 541,000 user-submitted images
- 90,000 photos from private user chats
- 270,000 user profile images
- 28,000 profile verification photos
CHICA – Selective Luxy Dating
- 133,000 user images, totaling 45GB
- 2,200 chat images
- 94,000 profile photos
- 23,000 profile verification images
Three LGBTQ+ dating apps—TRANSLOVE, PINK, and BRISH—were also found to be leaking user data, with private photos stored in the same insecure architecture, exposing members of an already vulnerable community.
While the storage buckets did not explicitly reveal names or contact details, security experts warn that reverse image search and open-source intelligence (OSINT) techniques could easily link the photos to real-world identities. The implications are particularly severe for users in countries where LGBTQ+ status or sexual practices may be criminalized, leaving them at risk of harassment, extortion, or persecution.
“This is a catastrophic breach of user trust, particularly given the sensitive nature of these platforms,” said a spokesperson from Cybernews. “The apps promised security and discretion, but failed their users on both counts.”
Despite the severity of the findings, M.A.D Mobile Apps Developers Limited has not responded to repeated requests for comment. The apps are exclusively available on Apple’s iOS platform, with no Android or web-based versions, potentially implicating Apple’s app review process for failing to catch the embedded credentials.
Cybernews reported that 71% of iOS apps they analyzed leaked at least one secret, with the average app exposing over five.
In the case of these dating apps, the scale and sensitivity of the leak have triggered renewed calls for stricter vetting of apps and stronger enforcement of data privacy standards on mobile platforms.
The breach underscores the risks of hardcoding sensitive credentials in client-side applications and highlights the ongoing vulnerabilities in dating and social platforms that handle intimate user data.
For users of these apps, the exposure may lead to serious consequences far beyond digital inconvenience.
This hack is a perfect example of what we can look forward to as new age verification laws come into play. It’s not a matter of IF your data will be exposed, but when.
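The open-bucket condition described above can be audited from the owner's side. The following is an added example, not code from the article, Cybernews, or the app developer: it flags public principals in Cloud Storage bucket IAM policies, assuming each policy was exported as JSON (for instance with `gcloud storage buckets get-iam-policy`). The article does not say how the buckets were configured, so public IAM bindings are assumed here as one common cause, and all bucket and account names are constructed.

```python
# IAM principals that make a binding public: anyone on the internet, or
# anyone signed in to any Google account.
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}

# Predefined Cloud Storage roles that only read; any other role held by a
# public principal is reported as "write-or-unknown" for manual review.
READ_ONLY_ROLES = {
    "roles/storage.objectViewer",
    "roles/storage.legacyObjectReader",
    "roles/storage.legacyBucketReader",
}

BACKEND = "serviceAccount:backend@example-project.iam.gserviceaccount.com"

# Constructed sample policies keyed by bucket name (all names are made up).
SAMPLE_POLICIES = {
    "example-app-user-uploads": {"bindings": [
        {"role": "roles/storage.objectViewer", "members": ["allUsers"]},
        {"role": "roles/storage.objectAdmin", "members": [BACKEND]},
    ]},
    "example-app-chat-media": {"bindings": [
        {"role": "roles/storage.objectCreator",
         "members": ["allAuthenticatedUsers", BACKEND]},
    ]},
    "example-app-verification-photos": {"bindings": [
        {"role": "roles/storage.objectAdmin", "members": [BACKEND]},
    ]},
}


def public_bindings(policy):
    """Return one finding per (role, public member) pair in an IAM policy."""
    findings = []
    for binding in policy.get("bindings", []):
        role = binding.get("role", "<missing role>")
        access = "read" if role in READ_ONLY_ROLES else "write-or-unknown"
        for member in sorted(PUBLIC_MEMBERS.intersection(binding.get("members", []))):
            findings.append({"role": role, "member": member, "access": access})
    return findings


def audit(policies):
    """Map each bucket that has a public binding to its findings."""
    report = {name: public_bindings(policy) for name, policy in policies.items()}
    return {name: found for name, found in sorted(report.items()) if found}


if __name__ == "__main__":
    for bucket, found in audit(SAMPLE_POLICIES).items():
        for f in found:
            print(f"{bucket}: {f['member']} holds {f['role']} ({f['access']})")
```

This covers bucket-level IAM only; on buckets without uniform bucket-level access, per-object ACLs can also make objects public and need a separate check.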