Report: Breach Exposes 100,000+ Users on Niche Dating Apps

Led by Noam Rotem and Ran Locar, vpnMentor’s research team discovered a data breach exposing incredibly sensitive images from numerous niche dating and hookup apps.

The apps were built for people with alternative lifestyles and particular tastes, such as ‘Cougars,’ queer dating, fetishes, and group sex. At least one app was dedicated to people with STIs, such as herpes.

Based on our research, the apps share a common developer. As a result, user media from each app had been stored on a single Amazon Web Services (AWS) account.

Aside from exposing potentially millions of users of the apps to danger, the breach also exposed the various apps’ entire AWS infrastructure through unsecured admin credentials and passwords.

Data Breach Summary

  • Apps: 3somes, CougarD, Gay Daddy Bear, Xpal, BBW Dating, Casualx, SugarD, Herpes Dating
  • Headquarters/Location: China and USA
  • Industry: Dating Apps
  • Total size of data: 845 GB
  • Total number of files: 20,439,462
  • No. of people exposed: Estimated to be in the 100,000s
  • Geographical scope: US and other countries
  • Types of data exposed: Photos, incl. many of a graphic, sexual nature; screenshots of private chats and financial transactions; audio recordings; limited PII data
  • Potential impact: Fraud, doxing, blackmail, extortion, viral attack, and hacking
  • Data storage format: AWS S3 bucket

Overview of Apps Affected

The misconfigured AWS account contained data belonging to a wide selection of niche and fetish dating apps.

These included 3somes, CougarD, Gay Daddy Bear, Xpal, BBW Dating, Casualx, SugarD, and Herpes Dating.

Based on our research, it appears the apps share a common developer, for the following reasons:

  • Gaydaddybear.com is hosted on the same AWS account as Ghuntapp.com
  • Similar branding, web design, logos across multiple app websites
  • Some of the apps list “Cheng Du New Tech Zone” as a developer on Google app store

The similarities in design for many of the apps are evident on their websites:

[Images: the BBW Dating, Herpes Dating, and SugarD app websites]

Timeline of Discovery and Owner Reaction

Sometimes, the extent of a data breach and the owner of the data are obvious, and the issue is quickly resolved. But such cases are rare. Most often, we need days of investigation before we understand what’s at stake or who’s exposing the data.

Understanding a breach and its potential impact takes careful attention and time. We work hard to publish accurate and trustworthy reports, ensuring everybody who reads them understands their seriousness.

Some affected parties deny the facts, disregard our research, or play down its impact. So, we need to be thorough and make sure everything we find is correct and accurate.

In this case, the files from each app were stored on a misconfigured AWS S3 bucket, in a single, shared AWS account. The S3 buckets were named after the dating app from which they originated. We initially only reached out to one – 3somes – to present our findings.

3somes quickly replied, asking for additional details about the breach. We responded by providing the URL of their misconfigured bucket and mentioned that other buckets owned by their apparent sister companies were open too (without saying which ones).

Although we received no further communication, on the same day all the buckets belonging to every other app were also secured, confirming our assumption about the common developer.

  • Date discovered: 24th May 2020
  • Date 3somes contacted: 26th May 2020
  • Date of Response: 27th May 2020
  • Date of Action: 27th May 2020

Example of Data Entries

The combined S3 buckets contained an enormous amount of data, with over 20 million files totaling 845 gigabytes.

The files were incredibly sensitive. They had been uploaded from user accounts and exposed details of user profiles and private conversations happening on the apps.

These included media files, such as:

  • Images and photos
  • Voice messages and audio recordings

Among the images and photos from users, the S3 buckets also contained screenshots that revealed a massive amount of sensitive information. These included:

  • Private chats between users
  • Evidence of financial transactions between users
  • Thank you messages to sugar daddies

While the S3 buckets didn’t contain any Personally Identifiable Information (PII) data as such, many of the media files, directly and indirectly, exposed various forms of it:

  • Photos with faces visible
  • Users’ names
  • Personal details
  • Financial data

For ethical reasons, we never view or download every file stored on a breached database or AWS bucket. As a result, it’s difficult to calculate how many people were exposed in this data breach, but we estimate it was at least in the 100,000s – if not millions.

The following images were taken from S3 buckets belonging to various apps on the AWS account. They have been edited to maintain users’ privacy.

[Images: edited screenshots of a thank-you message to a sugar daddy, an Xpal profile photo, sugar daddy dating app private messages and profile photos, a dating app private chat, a man’s dating app profile photo, and a sugar daddy payment transaction]

Data Breach Impact

While data from dating and hookup apps is always sensitive and private, the users of the apps exposed in this data breach would be particularly vulnerable to various forms of attack, bullying, and extortion.

While the connections being made by people on ‘sugar daddy,’ group sex, hook up, and fetish dating apps are completely legal and consensual, criminal or malicious hackers could exploit them against users to devastating effect.

Using the images from various apps, hackers could create effective fake profiles for catfishing schemes, to defraud and abuse unwary users.

Any exposed PII data creates much more significant risks to users. Given the nature of many of these apps – in some cases involving financial transactions, fetishes, and STIs – having your presence on the app made public could create immense stress in your personal life.

Aware of this, hackers could use images containing PII to find users on social media and threaten to ‘expose’ their activities in public, to friends and family. Unfortunately, this type of blackmail and extortion could prove incredibly profitable.

With so many users from each app exposed in the data breach, criminals would only need to convince a small number of people to pay them for a blackmail and extortion scheme to be successful.

In doing so, they could destroy many people’s relationships and personal and professional lives.

Advice from the Experts

The developers of the dating apps could have easily avoided this breach if they had taken some basic security measures to protect the data exposed. These include, but are not limited to:

  1. Securing its servers.
  2. Implementing proper access rules.
  3. Never leaving a system that doesn’t require authentication open to the internet.

Any company can replicate the same steps, no matter its size.

For a more in-depth guide on how to protect your business, check out our guide to securing your website and online database from hackers.

Securing an Open S3 Bucket

It’s important to note that open, publicly accessible S3 buckets are not a flaw of AWS. They’re usually the result of an error by the owner of the bucket. Amazon provides detailed instructions to AWS users to help them secure S3 buckets and keep them private.

In the case of the dating apps, the quickest way to fix this error would be to:

  • Make the bucket private and add authentication protocols.
  • Follow AWS access and authentication best practices.
  • Add more layers of protection to their S3 bucket to further restrict who can access it from every point of entry.
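As an added example (not code from the report or from the apps’ developer), the following Python audits the three places an S3 bucket can become public: its ACL, its bucket policy, and its Block Public Access settings. It works offline on the JSON shapes returned by `aws s3api get-bucket-acl`, `get-bucket-policy`, and the `PublicAccessBlockConfiguration` of `get-public-access-block`; the sample ACL and policy below are constructed, and the bucket name is a placeholder.

```python
import json

# S3 pre-defined groups: AllUsers is anyone on the internet, AuthenticatedUsers
# is any AWS account holder; a grant to either effectively makes data public.
PUBLIC_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers",
                 "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"}
# Block Public Access settings that neutralise public ACLs and policies; a
# bucket holding user media should have all four enabled.
HARDENED_PUBLIC_ACCESS_BLOCK = ("BlockPublicAcls", "IgnorePublicAcls",
                                "BlockPublicPolicy", "RestrictPublicBuckets")

def public_acl_grants(acl):
    """Grants (get-bucket-acl shape) that hand a public group any permission."""
    return [g for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("Type") == "Group"
            and g["Grantee"].get("URI") in PUBLIC_GROUPS]

def public_policy_statements(policy_json):
    """Allow statements that apply to any principal and carry no Condition."""
    stmts = json.loads(policy_json).get("Statement", [])
    found = []
    for s in ([stmts] if isinstance(stmts, dict) else stmts):
        p = s.get("Principal")
        aws = p.get("AWS", []) if isinstance(p, dict) else p
        aws = [aws] if isinstance(aws, str) else (aws or [])
        if s.get("Effect") == "Allow" and "*" in aws and not s.get("Condition"):
            found.append(s)
    return found

def audit_bucket(acl, policy_json, public_access_block):
    """Combine the checks; 'public' means anonymous access is possible."""
    findings = []
    if public_acl_grants(acl):
        findings.append("ACL grants a public group access")
    if public_policy_statements(policy_json):
        findings.append("bucket policy allows any principal")
    missing = [k for k in HARDENED_PUBLIC_ACCESS_BLOCK
               if not public_access_block.get(k, False)]
    if missing:
        findings.append("Block Public Access disabled: " + ", ".join(missing))
    return {"public": bool(findings), "findings": findings}

# Constructed sample input mirroring an open media bucket (not real data).
OPEN_ACL = {"Grants": [{"Grantee": {"Type": "Group",
            "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
            "Permission": "READ"}]}
OPEN_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::example-app-media/*"}]})
NO_BLOCK = {k: False for k in HARDENED_PUBLIC_ACCESS_BLOCK}
```

Running `audit_bucket(OPEN_ACL, OPEN_POLICY, NO_BLOCK)` reports all three problems; after fixing the ACL and policy and enabling all four Block Public Access settings, the same call returns no findings.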

For App Users

If you use any of the apps featured and are concerned about how this breach might impact you, contact the developers directly to find out what steps they’re taking to protect your data.

To learn about data vulnerabilities in general, read our complete guide to online privacy.

It shows you the many ways cybercriminals target internet users, and the steps you can take to stay safe.

How and Why We Discovered the Breach

The vpnMentor research team discovered the breach in dating apps’ AWS account as part of a huge web mapping project. Our researchers use port scanning to examine particular IP blocks and test different systems for weaknesses or vulnerabilities. They examine each weakness for any data being exposed.

Our team was able to access this bucket because it was completely unsecured and unencrypted.

Whenever we find a data breach, we use expert techniques to verify the owner of the database.

As ethical hackers, we’re obliged to inform a company when we discover flaws in their online security. We reached out to the developers, not only to let them know about the vulnerability but also to suggest ways in which they could make their system secure.

These ethics also mean we carry a responsibility to the public. Users of the apps must be aware of a data breach that exposes so much of their sensitive data.

The purpose of this web mapping project is to help make the internet safer for all users.

We never sell, store, or expose any information we encounter during our security research.

About Us and Previous Reports

vpnMentor is the world’s largest VPN review website. Our research lab is a pro bono service that strives to help the online community defend itself against cyber threats while educating organizations on protecting their users’ data.

Our ethical security research team has discovered and disclosed some of the most impactful data leaks in recent years.

This has included an enormous data leak exposing credit cards, government IDs, and more belonging to millions of US citizens. We also revealed that a popular online learning platform compromised the privacy and security of people across the globe. You may also want to read our VPN Leak Report and Data Privacy Stats Report.

Editor’s Note: An earlier version of this report listed Casualx and linked to the suspected website for the app. However, as we cannot directly confirm the connection between Casualx and the listed website, we have removed the link. Additionally, the original text contained a typo, listing Cougary, rather than CougarD, as one of the apps involved in the data breach.

[Publication date: 15th June 2020]
