By WILLIAM HUNTER
Published: 11:22 EDT, 2 April 2025 | Updated: 13:04 EDT, 2 April 2025
A huge data breach has leaked over 50,000 profiles from the 'Gay Daddy' dating app, cybersecurity researchers have discovered.
The exposed data contains extremely sensitive information including users' names, ages, location data and HIV status.
According to experts from Cybernews, the exposed database also contains over 124,000 private messages and photos – many of which are explicit.
While the app markets itself as a 'private and anonymous community', researchers say the information could be accessed by anyone with 'basic technical knowledge'.
Researchers say the app's 'devastating' security failure puts its users at serious risk of blackmail, exploitation and even physical harm.
Since being alerted to the issue, the app's developer, Surendra Kumar, has fixed the leak but has not responded to requests for comment.
Aras Nazarovas, lead researcher at Cybernews, says: 'This is a textbook case of how poor security practices can put real people at risk.
'For an app promising anonymity, it's shocking to see how easily a user's private conversations, personal details, and even location data could be accessed.'
The app 'Gay Daddy: 40+ Date & Chat' offers its users the chance to 'Meet local Gay daddy, 40+ age, open minded Gay & Bisexual.'
The iOS App Store page adds that this is a 'private and anonymous community where local open minded Mature gay & bisexual meet each other.'
The app has been downloaded over 200,000 times but appears to be maintained by a single individual, Mr Kumar.
However, despite claiming that data was never shared with third parties, researchers found that users' information was extremely poorly protected.
Users' private data was stored using a system called Firebase, a tool developed by Google to make app development easier and streamline features like data storage and real-time chats.
Not only was the Firebase storage not password protected, but the information needed to find it was written in plain text directly into the app's publicly available code.
That means anybody who took the time to look at the app's code would be able to read users' messages, see their pictures and even access location data without difficulty.
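The configuration values baked into a mobile app (project ID, database URL, API key) are expected to be discoverable, so what actually gates access is the database's security rules. As an added illustration that is not the article's or the app's own code, and assuming the store was a Firebase Realtime Database with JSON rules, the script below places a constructed world-readable rules document beside a hardened one and runs a small audit that flags any grant needing no sign-in.

```python
import json

# Constructed rules document (not the app's own) that makes the whole
# database readable and writable without signing in: the failure mode the
# article describes.
WEAK_RULES = json.loads('{"rules": {".read": true, ".write": true}}')

# Constructed hardened counterpart: any signed-in user may read profiles but
# only write their own, and messages are readable only by their owner.
HARDENED_RULES = json.loads("""
{
  "rules": {
    "profiles": {"$uid": {".read": "auth != null",
                          ".write": "auth != null && auth.uid == $uid"}},
    "messages": {"$uid": {".read": "auth != null && auth.uid == $uid",
                          ".write": "auth != null && auth.uid == $uid"}}
  }
}
""")


def _is_public(expr):
    """A rule expression grants anonymous access when it is literally true."""
    return expr is True or (isinstance(expr, str) and expr.strip() == "true")


def find_public_paths(node, path="/"):
    """Walk a rules tree and list (path, permission) pairs that need no auth.
    Realtime Database rules cascade downward, so a hit at "/" covers every
    child path, which is why the weak document above exposes everything."""
    hits = []
    for key, value in node.items():
        if key in (".read", ".write"):
            if _is_public(value):
                hits.append((path, key))
        elif isinstance(value, dict):
            hits.extend(find_public_paths(value, path.rstrip("/") + "/" + key))
    return hits


def audit(rules_doc):
    """Return the public grants found in a full {"rules": {...}} document."""
    return find_public_paths(rules_doc["rules"])
```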
Mr Nazarovas says: 'Users expect the app to be discreet, but it is completely the opposite.
The Gay Daddy app (pictured) left the information needed to access its storage database in its publicly accessible code. Anyone with this information could access all of its user's data, including private messages, photos, locations and profiles, including names, age, relationship status and even HIV status
This image shows the database which was unprotected and publicly accessible. On the left, you can read a private conversation between two of the app's users. On the right, you can read the details of several user profiles, including their names, ages and HIV status
'This data leak compromises app users' security, allowing threat actors to read private messages and obtain contact lists and location data.
'Not only does this expose individuals to cyber threats, but also to risks of financial, psychological, and even physical harm, particularly given the prevailing stigmas surrounding homosexuality in certain countries.'
Likewise, in countries where homosexuality is illegal, this personal information could put users at serious risk of persecution.
At the time of discovery, the Firebase storage point was already leaking 50,000 user profiles but the researchers say a determined attacker could have caused much more damage.
Firebase is only meant to be used as temporary storage so older information is automatically deleted after it fills up.
That means an attacker could lurk on the database for a long time and slowly gather an even larger database about the app's users.
In addition to revealing the location of the Firebase storage, the app's code also contained sensitive technical information known as 'secrets' which could be used for even more exploitative attacks.
However, without confirmation from the app's sole developer, Mr Kumar, it is impossible to know whether anyone other than Cybernews' researchers has accessed this database.
This comes after Cybernews revealed that almost 1.5 million private photos, many of which were explicit, had been leaked from BDSM and LGBT dating apps due to a similar vulnerability.
Affected apps include the kink dating sites BDSM People and CHICA, as well as LGBT dating services PINK, BRISH and TRANSLOVE – all of which were developed by M.A.D Mobile.
In total, these leaky apps exposed the private information and messages of up to 900,000 users.
A spokesperson for M.A.D Mobile told MailOnline that this critical security flaw had likely been caused by a 'simply human error'.
Worryingly, Cybernews research shows that this kind of security flaw may be shockingly common in the Apple App Store.
The researchers downloaded 156,000 iOS apps, about eight per cent of the App Store, and found that a vast majority had the same security issue.
Of the apps analysed, 7.1 per cent leaked at least one piece of technical information or 'secret', with the average app exposing 5.2 secrets.
### HOW TO CHECK IF YOUR EMAIL ADDRESS IS COMPROMISED
Have I Been Pwned?
Cybersecurity expert and Microsoft regional director Troy Hunt runs 'Have I Been Pwned'.
The website lets you check whether your email has been compromised as part of any of the data breaches that have happened.
If your email address pops up you should change your password.
Pwned Passwords
To check if your password may have been exposed in a previous data breach, go to the site's homepage and enter your email address.
The search tool will check it against the details of historical data breaches that made this information publicly visible.
If your password does pop up, you're likely at a greater risk of being exposed to hack attacks, fraud and other cybercrimes.
Mr Hunt built the site to help people check whether or not the password they'd like to use was on a list of known breached passwords.
The site does not store your password next to any personally identifiable data and every password is encrypted.
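As an added example that is not drawn from the article or from Have I Been Pwned's own code, the script below implements the k-anonymity range check that the Pwned Passwords service uses, which is why the site never has to receive or store the password itself; the range response is constructed for the example and the HTTP fetch is replaced by an offline stand-in.

```python
import hashlib

# Constructed stand-in for what the range endpoint returns for prefix 5BAA6:
# one "SUFFIX:COUNT" line per known hash. The middle suffix is the real
# SHA-1 tail of the word "password"; the other lines and all counts are
# made up for this example.
SAMPLE_RANGE_BODY = (
    "A1B2C3D4E5F60718293A4B5C6D7E8F9A0B1:2\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "FFEEDDCCBBAA99887766554433221100ABC:17\r\n"
)


def split_password_hash(password):
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest.
    Only the 5-character prefix is sent to the service; the 35-character
    suffix stays on the client, so the service never learns the password
    or even its full hash (k-anonymity)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, body):
    """Parse a range response and return how many times the suffix has been
    seen in breach corpora (0 if absent). Ignores blank or malformed lines."""
    for line in body.splitlines():
        if ":" not in line:
            continue
        cand, count = line.strip().split(":", 1)
        if cand.upper() == suffix.upper():
            return int(count)
    return 0


def breach_count(password, fetch_range):
    """fetch_range(prefix) -> response body. The fetch is injected so the
    check runs offline here and so only the prefix ever crosses the wire."""
    prefix, suffix = split_password_hash(password)
    return count_in_range(suffix, fetch_range(prefix))


def fake_fetch(prefix):
    """Offline stand-in for an HTTP GET of the range endpoint for <prefix>."""
    return SAMPLE_RANGE_BODY if prefix == "5BAA6" else ""
```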
Other Safety Tips
Hunt provides three easy-to-follow steps for better online security. First, he recommends using a password manager, such as 1Password, to create and save unique passwords for each service you use.
Next, enable two-factor authentication. Lastly, keep abreast of any breaches.