Cybersecurity researchers have issued an urgent warning as almost 1.5 million private photos from dating apps are exposed.
Affected apps include the kink dating sites BDSM People and CHICA, as well as LGBT dating services PINK, BRISH, and TRANSLOVE - all of which were developed by M.A.D Mobile.
The leaked files include photos used for verification, photos removed by app moderators, and photos sent in direct messages between users - many of which were explicit.
These sensitive snaps were being stored online without password protection, meaning anyone with the link could view and download them.
Researchers from Cybernews, who discovered the vulnerability, say this easily exploited security flaw put up to 900,000 users at risk of further hacks or extortion.
A spokesman for M.A.D Mobile told MailOnline they were 'confident that none of the images were downloaded by malicious actors' and that the issue has now been resolved.
However, the developer is still not entirely certain why such critically sensitive user information was left entirely unprotected.
M.A.D Mobile is 'currently conducting an internal investigation' but it believes the issue stemmed from 'a simple human error'.
Cybersecurity experts have issued an urgent warning after almost 1.5 million private images from BDSM and LGBT dating apps were exposed online. Images like this (blurred to preserve privacy) were available to anyone with access to a publicly available link
The code of the app BDSM People (pictured) led to an unsecured storage location containing 1.6 million files and over 128GB of data. Among those files were 541,000 photos users had sent to each other or uploaded to the app, including a large number of explicit images
Ethical hacker Aras Nazarovas, who discovered the security vulnerability, told MailOnline he was 'shocked' that such obviously private messages were publicly accessible.
The apps' publicly available code included what developers call 'secrets', things like passwords and encryption keys normally meant to remain hidden.
Surprisingly, these secrets also included the locations of unsecured online storage 'buckets' where over one million user photos were being held.
'Developers of the app had disabled built-in security features such as requiring authentication to access images stored within. Additionally, there were no access controls in place for users to only be able to access images that they uploaded or received via private messages,' says Mr Nazarovas.
'Because of this, an attacker would only need to know the name of the bucket, which was hardcoded in the app, to access these images.'
For example, the secret left in the code of the app BDSM People allowed access to a storage bucket with 1.6 million files and over 128GB of data.
Among those files were 541,000 photos users had sent to each other or uploaded to the app, including a large number of explicit images.
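A defender's check for the weakness described above, as an added example that is not code from Cybernews, M.A.D Mobile or the apps themselves: a release gate that scans the strings of an app build for hard-coded credentials and cloud storage bucket references before the build ships. The sample strings, keys and bucket names are constructed placeholders, and the bucket-URL patterns assume common AWS S3, Google Cloud Storage and Firebase Storage naming, which the article does not specify.

```python
import re

# Constructed sample of strings pulled from an app build (the sort of output
# `strings` or a decompiler gives). Every key and bucket name is a placeholder.
SAMPLE_STRINGS = [
    "com.example.datingapp.MainActivity",
    "https://example-user-photos.s3.eu-west-1.amazonaws.com/",
    "aws_key=AKIAEXAMPLE000000001",
    "api_key=AIzaSyExampleExampleExampleExampleExam1",
    "https://storage.googleapis.com/example-moderated-photos/",
    "gs://example-dating-app.appspot.com",
]

# Credentials are redacted in reports; bucket references are kept whole because
# the bucket is what the team must go and lock down. A bare bucket name is a
# finding too: it is all an attacker needs once the bucket accepts anonymous reads.
CREDENTIAL_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}
BUCKET_PATTERNS = {
    "s3_bucket": re.compile(
        r"https?://([a-z0-9.-]+)\.s3(?:[.-][a-z0-9-]+)?\.amazonaws\.com"),
    "gcs_bucket": re.compile(r"https?://storage\.googleapis\.com/([a-z0-9._-]+)"),
    "firebase_storage": re.compile(r"\b([a-z0-9-]+\.appspot\.com)\b"),
}
ALL_PATTERNS = {**CREDENTIAL_PATTERNS, **BUCKET_PATTERNS}

def scan_strings(lines):
    """Return one finding per match: kind, extracted value, 1-based line number."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for kind, rx in ALL_PATTERNS.items():
            for m in rx.finditer(line):
                # Bucket patterns capture the bucket name; credential patterns
                # have no group, so the whole match is the value.
                value = m.group(1) if m.lastindex else m.group(0)
                findings.append({"kind": kind, "value": value, "line": lineno})
    return findings

def format_finding(f):
    """Mask credentials past their prefix so the CI log does not leak them."""
    value = f["value"]
    if f["kind"] in CREDENTIAL_PATTERNS:
        value = value[:4] + "*" * (len(value) - 4)
    return f"line {f['line']}: {f['kind']} {value}"

def release_gate(lines):
    """Return (allowed, report): block the release on any embedded secret or bucket."""
    findings = scan_strings(lines)
    return len(findings) == 0, [format_finding(f) for f in findings]
```

Calling `release_gate(SAMPLE_STRINGS)` returns `False` and a five-line report; a clean build returns `(True, [])`.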
Mr Nazarovas says: 'It is not surprising that dating apps may contain such messages, especially ones sent in private messages between users - even more so when talking about apps specializing in “kinks”.
This image was sent from one BDSM People user to another in a private message. The storage location where it was discovered had no password and was not encrypted (image edited to preserve privacy)
The dating app CHICA specialises in connecting women with wealthy men and has been downloaded 80,000 times. The app's code leaked almost 45GB of data, including 133,000 images of app users, some of which were shared privately in direct messages
Which dating apps have been affected?
BDSM People – Kinky Fetish Dating: 541,000 leaked images
CHICA – Selective Luxy Dating: 133,000 leaked images
TRANSLOVE: 142,000 leaked images
PINK: 620,000 leaked images
BRISH: 404,000 leaked images
'However, my first reaction when I first investigated one of these apps was shock, as I wasn’t expecting to open a picture of a naked man.'
BDSM People alone has been downloaded over 200,000 times, indicating that a large number of people may have been affected.
Likewise, the app CHICA – Selective Luxy Dating, which specialises in connecting women with wealthy men, contained a link to a storage bucket containing 133,000 images of app users.
A number of apps catering to the LGBT community were also affected, including TRANSLOVE, PINK, and BRISH.
Collectively, these three apps left more than 1.1 million user pictures exposed.
Those included thousands of images which had been sent between users in private messages.
Although the images themselves do not contain any identifying information and are not linked to specific accounts, malicious actors could still uncover the individuals behind the images.
Mr Nazarovas says: 'Sensitive NSFW [Not Safe for Work] images are often used for blackmail purposes, as well as attempts at discrediting people in professional fields.
A number of sites specialising in LGBT dating were also affected, including Translove, Pink, and Brish. Collectively these apps leaked over one million user photos
This image was sent in a private message on the Translove app and was publicly available online due to security flaws. Researchers warn that these kinds of images could be used for blackmail or extortion purposes
'In cases of LGBTQ+ apps that were affected, some of the users may not be public about their sexuality, and images of this nature being accessed by unauthorized parties can cause strong emotional responses.'
In countries where homosexuality is illegal, there is a risk that exposed users could face prosecution as a result of their identification.
M.A.D Mobile maintains that a mass download of user data by a malicious actor would have been noticeable on their servers and that this was not detected.
Worryingly, Cybernews research shows that these kinds of security flaws may be shockingly common on the Apple App Store.
The researchers downloaded 156,000 iOS apps, about eight per cent of the App Store, and found that a vast majority had the same security issue.
Of the apps analysed, 7.1 per cent leaked at least one 'secret' with the average app exposing 5.2.
HOW TO CHECK IF YOUR EMAIL ADDRESS IS COMPROMISED
Have I Been Pwned?
Cybersecurity expert and Microsoft regional director Troy Hunt runs 'Have I Been Pwned'.
The website lets you check whether your email has been compromised as part of any of the data breaches that have happened.
If your email address pops up you should change your password.
Pwned Passwords
To check if your password may have been exposed in a previous data breach, go to the site's homepage and enter your email address.
The search tool will check it against the details of historical data breaches that made this information publicly visible.
If your password does pop up, you're likely at a greater risk of being exposed to hack attacks, fraud and other cybercrimes.
Mr Hunt built the site to help people check whether or not the password they'd like to use was on a list of known breached passwords.
The site does not store your password next to any personally identifiable data and every password is encrypted.
Other Safety Tips
Hunt provides three easy-to-follow steps for better online security. First, he recommends using a password manager, such as 1Password, to create and save unique passwords for each service you use.
Next, enable two-factor authentication. Lastly, keep abreast of any breaches.