LGBTQ dating app Jack’d must cough up a $240,000 fine and “make substantial changes to improve security” on the heels of a security faux pas that leaked the private data – including nude photos – of thousands of its users.
Jack’d is a popular location-based app that caters to gay and bisexual men, which said it has more than 5 million users globally. The app’s parent company, Online Buddies, came under fire – and a subsequent investigation by the New York State Attorney General’s office – after reports emerged in February 2019 that it had left images of almost 2,000 users exposed via an insecure Amazon Web Services Simple Storage Service (S3) bucket.
The exposed data included user profile photos, nude pictures and user locations – information that could potentially put users at risk of arrest in certain countries. Making matters worse, the investigation concluded on Friday that though the company’s senior management team had been notified of the exposure in February 2018 by security researcher Oliver Hough, who discovered the issue, the company did not fix the misconfiguration until a year later, after media reports began shedding light on the data incident.
When asked about the Friday fine imposed on the dating app, Hough told Threatpost: “I think the result was a great message to send out to companies who blatantly don’t take privacy seriously.” That said, “It would be nice to see researchers rewarded for honest good faith effort like in my case; I made a whopping €0 from the whole thing, but ended up putting a lot of time into it answering emails and phone calls from the DAs office,” he said.
The Jack’d app gave users the choice to post photos on a public page viewable to all users, or on a private page that is only viewable to those that the app user picks. On this private page, the app allowed nude photos with the promise to users that it took “reasonable precautions” to protect their personal information from unauthorized access.
Despite that, the investigation found that Online Buddies failed to secure the private photos and other data and instead left the data wide open for the taking in an open Amazon Web Services S3 bucket.
Data exposed also included Jack’d user’s device ID, operating system version, last login date and hashed password and when they last used the app.
Hough told Threatpost that there is no way for an external party to tell if anyone had accessed the data. Online Buddies did not respond to a request for comment from Threatpost.
The February 2019 data exposure disclosure resulted in a subsequent investigation, which resulted in the company having to pay up $240,000 and make significant changes to improve security.
“This app put users’ sensitive information and private photos at risk of exposure and the company didn’t do anything about it for a full year just so that they could continue to make a profit,” said Attorney General Letitia James in a statement last week. “This was an invasion of privacy for thousands of New Yorkers. Today, millions of people across the country — of every gender, race, religion, and sexuality — meet and date online every day, and my office will use every tool at our disposal to protect their privacy.”
Dating apps continue to come under increased scrutiny for the level of personal data collected from users. According to a recent report by ProPrivacy, dating apps like Match.com and Tinder collect location, chat message content and more personal data such as a history of recreational drug use, income level, sexual preferences, religious views and so on.
Meanwhile, other dating apps have gone through their own security issues. In February, a critical flaw was disclosed in the OkCupid app that could allow a bad actor to steal credentials, launch man-in-the-middle attacks or completely compromise the victim’s application; and also in February dating app Coffee Meets Bagel warned users that it had been hit with a data breach.