Gay dating app fined $240,000 for leaking nude and private photos

Maker of Jack'd gay dating app left users' private photos online for a year without doing anything, despite report.


The maker of a gay dating app has been fined $240,000 in New York after the company failed to respond to a vulnerability report and left its customers' private photos available online for over a year.

The fine was announced on Friday by the Office of New York Attorney General Letitia James. According to the settlement between the app maker, Online Buddies, Inc., and the New York officials, the company must also "make substantial changes to improve security."

Dating app leaked photos for a year

New York officials said they started an investigation into the company after several press reports about the data leak in February.

At the time, tech news sites like the BBC, Ars Technica, and The Register ran stories about a security researcher who found nude and private photos on an AWS S3 server left exposed online without a password or any other security mechanism.

The researcher, named Oliver Hough, tracked the photos to Online Buddies and its Jack'd mobile dating app that catered to gay and bisexual men.

Hough notified Online Buddies in February 2018, but the app maker only acknowledged the report without doing anything.

The company's S3 server contained photos Jack'd users had uploaded to the app. Some were public photos made available through their profiles, but others were private photos, which users only selectively shared with other users via a private space.

Some of these private photos included nudes and sexually explicit imagery.

Company misled app users about their privacy

The Office of New York Attorney General said it fined the app maker for misleading users into believing that their photos would remain private and that the app would prevent unauthorized access to their private photos.

"Online Buddies specifically violated the trust of its customers by breaking the app's user privacy policy, which says the company takes 'reasonable precautions to protect personal information from...unauthorized access [or] disclosure'," the New York Attorney General said in a press release on Friday.

New York officials said they also confirmed press reports that the company received Hough's report but chose to ignore it for more than a year.

"During the period that Online Buddies knew about the vulnerabilities but had not yet fixed them, the company also failed to implement any stopgap protections, establish logging to detect any unauthorized access, warn Jack'd users, or change representations about the privacy of their private photos and the security of their personally identifiable information," officials said.
