A serious data leak has been discovered in Headero, a hookup app used mostly in queer and alternative dating communities. According to a new report by Cybernews, the app exposed over 4 million private records, including explicit messages, GPS locations, and even the STD status of users.

Cybernews researchers found the exposed data sitting in an unprotected MongoDB database. This included 352,081 user records, 3,032,001 private chats, and 1,096,904 group chat logs.

The leaked information contained names, email addresses, social login IDs, JWT tokens, device tokens, exact GPS coordinates, profile photos, sexual preferences, and STD status.

This kind of data exposure is especially dangerous for people in vulnerable communities who rely on such apps for safe and private dating.


The leak happened due to a common but dangerous mistake: the app’s database was left open to the internet without proper authentication. While the developers claimed it was just a test server, Cybernews believes it may have been actual live user data.

Once notified, the developers quickly secured the exposed database. However, it is unclear whether any hackers or malicious actors accessed the data before it was locked down.

The Headero app is listed on the Google Play Store and is published by a U.S.-based company called ThotExperiment. The app allows users to create customized profiles, filter matches based on location, and send direct messages.

This is not the first time dating apps have leaked sensitive data. Cybernews has previously reported similar issues with other dating platforms, including apps used in BDSM, LGBTQ+, and sugar dating communities. In one case, nearly 1.5 million private images were left accessible to the public, including images from direct messages.

If you have used Headero, here are some steps to protect yourself. Change your Headero password immediately, and do not reuse passwords across platforms. If you were using the same password on any other platform, change it there as well. Check app permissions and revoke tokens if needed. Avoid clicking on suspicious emails or messages, and watch out for fake profiles or unusual login activity.

Even though the database is now secured, the risk remains if bad actors accessed the data while it was exposed.
