The maker of a gay dating app has been fined $240,000 in New York after the company failed to act on a vulnerability report and left its customers' private photos exposed online for over a year.
The fine was announced on Friday by the Office of New York Attorney General Letitia James. According to the settlement between the app maker, Online Buddies, Inc., and the New York officials, the company must also "make substantial changes to improve security."
Dating app leaked photos for a year
New York officials said they began an investigation into the company after several press reports about the data leak in February.
At the time, tech news sites such as the BBC, Ars Technica, and The Register ran stories about a security researcher who had found nude and private photos in an AWS S3 storage bucket left exposed online without a password or any other access control.
The researcher, Oliver Hough, traced the photos to Online Buddies and its Jack'd mobile dating app, which catered to gay and bisexual men.
Hough notified Online Buddies in February 2018, but the app maker only acknowledged the report and did not fix the exposure.
The company's S3 bucket held photos that Jack'd users had uploaded to the app. Some were public photos shown on their profiles, but others were private photos that users shared only selectively with other users through the app's private photo area.
Some of these private photos included nudes and sexually explicit imagery.
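The article does not say how the bucket was made world-readable, and Online Buddies' configuration was never published. As an added illustration (not code from the article or from the company), the script below inspects the two documents that typically make an S3 bucket publicly readable, the bucket policy and the bucket ACL, in the JSON shapes returned by the S3 GetBucketPolicy and GetBucketAcl API calls. It flags policy statements that grant s3:GetObject to everyone without a condition, and ACL grants of READ or FULL_CONTROL to the AllUsers or AuthenticatedUsers groups. The bucket name, account ID, role name and all sample documents are constructed for the example.

```python
"""Offline check of an S3 bucket policy and ACL for public read access.

Added example; the sample policy and ACL documents are constructed and
do not describe the Jack'd bucket. Real inputs would come from the
GetBucketPolicy and GetBucketAcl responses for the bucket under review.
"""
import json

# ACL group URIs that mean "anyone" (AllUsers) or "any AWS account"
# (AuthenticatedUsers); both are public from a data-exposure standpoint.
PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Policy actions that allow reading objects (compared lower-cased).
READ_ACTIONS = {"s3:getobject", "s3:*", "*"}


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"} (possibly inside a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def public_read_statements(policy: dict) -> list:
    """Return the Sids of Allow statements that let anyone read objects.

    A statement counts as public when its Principal is everyone, its
    Action covers s3:GetObject and it carries no Condition. Conditioned
    statements are skipped; they can still be effectively public (for
    example a permissive aws:Referer check), so a full audit reviews them.
    """
    found = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if actions & READ_ACTIONS:
            found.append(stmt.get("Sid", f"statement[{i}]"))
    return found


def public_acl_grants(acl: dict) -> list:
    """Return (group, permission) pairs granting READ or FULL_CONTROL
    to the AllUsers or AuthenticatedUsers groups."""
    hits = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if (grantee.get("Type") == "Group" and uri in PUBLIC_ACL_GROUPS
                and grant.get("Permission") in ("READ", "FULL_CONTROL")):
            hits.append((uri.rsplit("/", 1)[-1], grant["Permission"]))
    return hits


def audit(policy: dict, acl: dict) -> dict:
    """Combine both checks; 'public' is True if either path is open."""
    stmts = public_read_statements(policy)
    grants = public_acl_grants(acl)
    return {"public_policy_statements": stmts,
            "public_acl_grants": grants,
            "public": bool(stmts or grants)}


# Constructed sample: a policy that makes every object world-readable.
WEAK_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-photos/*"
  }]
}""")

# Constructed sample: reads limited to one application role (hypothetical
# account ID and role name), plus a Deny of non-TLS requests.
HARDENED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AppRoleRead", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/photo-api"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-photos/*"},
    {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-photos/*",
     "Condition": {"Bool": {"aws:SecureTransport": "false"}}}
  ]
}""")

OWNER_GRANT = {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"},
               "Permission": "FULL_CONTROL"}
# Constructed sample: the classic public-bucket ACL (AllUsers READ).
WEAK_ACL = {"Grants": [OWNER_GRANT, {
    "Grantee": {"Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
    "Permission": "READ"}]}
HARDENED_ACL = {"Grants": [OWNER_GRANT]}

if __name__ == "__main__":
    print("weak:", audit(WEAK_POLICY, WEAK_ACL))
    print("hardened:", audit(HARDENED_POLICY, HARDENED_ACL))
```

A clean policy and ACL are necessary but not sufficient: object-level ACLs can also be public, so in practice the stopgap is to enable S3 Block Public Access (at the account level where possible), which overrides both documents, and to turn on S3 server access logging or CloudTrail data events so that unauthorized reads are at least recorded, which is exactly the kind of logging the settlement faulted Online Buddies for not having.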
Company misled app users about their privacy
The Office of the New York Attorney General said it fined the app maker for misleading users by representing that their photos would remain private and that the app would prevent unauthorized access to them.
New York officials said they also confirmed press reports that the company had received Hough's report but chose to ignore it for more than a year.
"During the period that Online Buddies knew about the vulnerabilities but had not yet fixed them, the company also failed to implement any stopgap protections, establish logging to detect any unauthorized access, warn Jack'd users, or change representations about the privacy of their private photos and the security of their personally identifiable information," officials said.