What happened in the M.A.D Mobile dating app image breach - 1.5 million images exposed
In a serious privacy failure, nearly 1.5 million explicit and private images from five specialist dating apps were left openly accessible online. The data protection breach affects users of BDSM People, Chica, Pink, Brish, and Translove – all developed by M.A.D Mobile.
The images, many of which were of a highly sensitive and sexual nature, could be accessed without a password, encryption, or any form of authentication. In effect, anyone who knew where to look could have downloaded images that users believed were private, including pictures shared in private messages and those previously removed by moderators.
The breach was first discovered by ethical hacker Aras Nazarovas from Cybernews, who identified a publicly accessible online storage folder linked to the apps. He initially alerted M.A.D Mobile to the flaw on 20 January 2025, but the company failed to take remedial action. Only after the BBC contacted the firm on 28 March did M.A.D Mobile finally secure the images.
The company has issued a short statement thanking the researcher for preventing “a data breach from occurring” but has not explained why it failed to act on the earlier warnings. This delay has heightened concerns that other malicious actors may have already accessed the content before the issue was fixed.
The exposed images were not linked to usernames or real names, but the nature of the photographs, and the communities involved, mean affected users could still be identifiable and vulnerable to blackmail, reputational harm, and personal distress. As the affected platforms include apps used predominantly by LGBTQ+ users and those engaged in kink and alternative lifestyles, there are particular concerns for people living in communities hostile to such identities.
Will there be an investigation into the M.A.D Mobile security failure?
The UK’s data protection watchdog, the Information Commissioner’s Office (ICO), has not yet commented on whether it will investigate the data protection failure. However, under the UK GDPR, organisations are required to implement appropriate security measures, especially when processing highly sensitive personal data.
Individuals affected by this breach may be entitled to seek compensation under data protection laws.
If you have used one of the affected platforms, your information may have been exposed without your knowledge – even if your account has since been deleted.
We will continue to provide updates as the situation develops.
Join the Claim connects consumers with SRA-regulated lawyers. Visit the claim page to check your eligibility if a claim is open with one of our trusted legal partners. If a group action has not yet been launched, you can register your interest and we’ll keep you informed if a partner firm decides to take a claim forward.
