The New York attorney general announced this week a settlement with the parent company of Jack’d, a dating app for gay and bisexual men, over negligence around a security issue that exposed nude and otherwise “private” photos of the platform’s users.
According to a Friday press release about the settlement, Online Buddies did not properly secure photos uploaded using Amazon Web Services Simple Storage Service (S3), leaving the images and other data vulnerable.
The company was initially informed last year by security researcher Oliver Hough of security flaws potentially capable of compromising Jack’d users’ personal data, including both private photos and other personally identifying information such as device ID and location, Ars Technica reported in February.
Despite these alerts, however, Online Buddies failed to act until after being contacted about the issue by members of the media, the press release said, and further failed to inform its users of the issue. Ars reported that a fix arrived more than three months after the outlet initially contacted the company’s CEO Mark Girolamo about the vulnerability in October of 2018.
New York Attorney General Letitia James said in a statement this week that the company knew of the issue and “didn’t do anything about it for a full year just so that they could continue to make a profit.”
According to figures cited by Online Buddies, Jack’d is used by more than 6 million men worldwide. Investigators estimated that of the app’s approximately 6,962 active New York users between February 2018 and February 2019, roughly 1,900 could have uploaded nude images.
“We apologize to our users for this flaw,” a spokesperson for Online Buddies told Gizmodo in a statement by email on Friday. “We worked closely with, and cooperated fully with, the New York Attorney General’s office in their investigation of this matter. With new leadership and stronger security measures in place, Jack’d users can continue to rely on the security of their personal data.”
Online Buddies will pay $240,000 to New York as part of the settlement, which also requires a significant overhaul of its security measures. The company did not respond to further questioning about specific steps it has since taken to ensure that a similar situation will not occur again.
“This was an invasion of privacy for thousands of New Yorkers,” James said in a statement this week. “Today, millions of people across the country—of every gender, race, religion, and sexuality—meet and date online every day, and my office will use every tool at our disposal to protect their privacy.”