“Oral pleasure” app potentially leaks millions of messages and GPS locations


An intimate dating app has leaked over four million private records – including exact GPS locations, sexual preferences, and explicit chats.

Key takeaways:

Cybernews researchers have uncovered a massive data exposure tied to Headero, a hookup app popular in queer and alternative dating circles.


Over four million private records were found unsecured, including explicit chat logs, group messages, and detailed profile information, such as STD status and sexual preferences.

The most alarming part is that users' precise GPS locations were also exposed, posing serious risks to personal safety, particularly for individuals in vulnerable communities. The app is published by a US-based company called ThotExperiment on the Google Play Store. It offers profile customization, location-based filters, and direct messaging.

After discovering the leak, Cybernews informed the app developers. The company instantly responded by securing access to user data.

According to the company, the incident prompted an investigation, conducted in cooperation with the Office of the Privacy Commissioner of Canada. So far, the company's investigation revealed that “the internal testing (non-production) database held fewer than 200,000 registered-user records.”

At the same time, according to Cybernews research, logs show a single access and no data appears to have been downloaded. Moreover, according to the company, “no passwords, payment data, or government IDs were ever at risk.”


How much data did the Headero app leak?

  • 352,081 user records
  • 3,032,001 chat records
  • 1,096,904 chat room records

What data did the Headero app expose?

  • Names
  • Emails
  • Social login IDs
  • JWT tokens
  • Profile pictures
  • Device tokens
  • Exact GPS locations
  • Sexual preferences
  • STD status


What caused the data leak?

The data leaked from a MongoDB database, a database engine that powers thousands of modern web applications. In this case, the leak likely stemmed from a common and often overlooked weakness: a database left exposed to the internet without authentication, usually through a misconfiguration caused by human error.

Cybernews researchers have repeatedly found similar exposures across companies of all sizes, which proves that basic security hygiene is still being overlooked.

The app developers told researchers that the unprotected instance was a test database. However, Cybernews analysis indicates that it could have been the actual user data.
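The exposure pattern described above (an instance listening on every interface with authorization never turned on) is visible in a mongod configuration file before it ever reaches the internet. The following auditor is an added example, not code from Cybernews, Headero, or ThotExperiment, and the two configuration samples it checks are constructed. It uses a small parser for the two-level `section:` / `key: value` YAML layout that mongod.conf normally uses, so it runs without PyYAML; the defaults it assumes (authorization disabled, bind to localhost) are MongoDB's documented defaults.

```python
"""Audit a mongod.conf for the 'open to the internet, no auth' pattern.

Added example; not the article's or the app vendor's code. The configs are
constructed samples. The parser only understands the two-level layout used
by stock mongod.conf files (top-level section, indented key: value), which
is enough to spot the two settings that decide whether a database is public.
"""
from typing import Dict, List, Optional

# Sample configurations (constructed for this example).
WEAK_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # listen on every interface
"""

HARDENED_CONF = """
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus one internal app-server address
security:
  authorization: enabled
"""


def parse_mongod_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the 'section:\\n  key: value' subset of YAML used by mongod.conf."""
    conf: Dict[str, Dict[str, str]] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        if not line.startswith(" "):
            # Unindented line: a new top-level section such as 'net:'.
            section = line.rstrip(":").strip()
            conf.setdefault(section, {})
        elif section is not None:
            key, _, value = line.strip().partition(":")
            conf[section][key.strip()] = value.strip()
    return conf


def audit_mongod_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means no exposure pattern."""
    conf = parse_mongod_conf(text)
    findings: List[str] = []

    # MongoDB's default is authorization disabled: every client is a superuser.
    auth = conf.get("security", {}).get("authorization", "disabled").lower()
    if auth != "enabled":
        findings.append(
            "security.authorization is not 'enabled': anyone who can reach "
            "the port can read and modify every collection"
        )

    # Default bindIp is localhost; 0.0.0.0 / :: or bindIpAll exposes every interface.
    net = conf.get("net", {})
    bind_all = net.get("bindIpAll", "false").lower() == "true"
    bound = [ip.strip() for ip in net.get("bindIp", "127.0.0.1").split(",")]
    public = bind_all or any(ip in ("0.0.0.0", "::") for ip in bound)
    if public:
        findings.append(
            "net.bindIp/bindIpAll listens on all interfaces: the instance is "
            "reachable from outside the host unless a firewall blocks it"
        )

    if public and auth != "enabled":
        findings.append(
            "CRITICAL: unauthenticated and listening on all interfaces; this is "
            "the configuration behind most exposed-MongoDB data leaks"
        )
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {name} ==")
        for finding in audit_mongod_conf(conf) or ["no findings"]:
            print(" -", finding)
```

Run it against a real `/etc/mongod.conf` by reading the file into `audit_mongod_conf`. A test instance that fails only the `bindIp` check is still a risk; the "fewer than 200,000 records" distinction the company draws above matters far less than whether the listener and the missing authorization ever coincided.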

Not the first time dating apps have spilled private user data

The Headero data leak isn't the first time dating apps have leaked large amounts of users’ private information.

Cybernews’ previous viral research uncovered that BDSM, LGBTQ+, and sugar dating apps were found exposing users' private images, with some of them even leaking photos shared in private messages.


Nearly 1.5 million user-uploaded images, including profile photos, public posts, verification images, photos removed for rule violations, and private photos sent through direct messages, were left publicly accessible to anyone.

Image: “iPhone app leaks user NSFW stories” (image by Cybernews).

Used the Headero dating app recently? Here’s what you can do

While the exposed MongoDB database has since been secured, it remains unclear whether any threat actors accessed the data before it was locked down. If you’ve used Headero, here’s how to stay one step ahead of the threat:

  • Monitor your inbox and phone: You could become a target for phishing attacks, especially if your email or device info was caught in the leak. Don’t click weird links or download unknown attachments.
  • Do not reuse passwords: If you’ve used the same password on other platforms, it’s time to change those.
  • Audit app access: Head into your phone settings, review Headero’s permissions, and consider clearing sessions or revoking tokens where possible.
  • Reset and stay alert: Change your Headero password and keep an eye out for suspicious messages, catfish profiles, or any weird login activity.

Timeline:

  • Leak discovered: March 24th, 2025
  • Initial disclosure: March 25th, 2025
  • Closed: March 25th, 2025

Updated on June 13th [10:50 a.m. GMT] with additional details from the company.
