Brazil lesbian dating app shuts down after security flaw exposes sensitive user data
A Brazilian dating app marketed as a safe space for lesbian women shut down this week after several users uncovered a flaw that reportedly could expose sensitive data, including identity verification photos.
Sapphos, which launched in early September, required users to verify their identity by submitting a selfie holding a government-issued ID. But on Monday, independent researchers revealed that the app’s application programming interface (API) reportedly contained a flaw that allowed outsiders to retrieve photos and personal details from other users’ accounts without authorization.
The users who discovered the vulnerability shared their findings on X, with one claiming they could “grab all the photos” from the app’s database, including names, birthdates and ID verification selfies. One of the researchers said his intention was not to harm users but to warn the company about the flaw, classified as an insecure direct object reference (IDOR) vulnerability.
Screenshots posted on social media contradicted Sapphos’ initial statement that no verification documents had been exposed. Facing mounting criticism, the developers — who described themselves as a small, women-led team — said they had taken the app offline “to focus on cybersecurity” and deleted the entire user database.
Roughly 17,000 users were notified by email that their data had been erased, and refunds were issued for premium subscriptions that cost up to 500 reais (about $90).
In a series of statements, Sapphos initially characterized the disclosure as an “attempted attack by malicious actors,” at one point suggesting it had been orchestrated by a group of men. The developers later acknowledged a security oversight, saying they had filed complaints with Brazil’s cybercrime police and pledged to relaunch with stronger safeguards.
“We all want a safe space to connect,” the company said. “Before this leak, we were already ensuring diverse connections within the sapphic community.”
As of Tuesday, the Sapphos app remains offline. The developers promised to “restructure from scratch,” expand their team, and subject the project to more rigorous security testing before any relaunch.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.