Raw Dating App Data Exposure Reveals Critical Security Flaws
The Raw dating app suffered a serious security lapse exposing users’ personal details and precise location data publicly. Despite claims of end-to-end encryption, TechCrunch found no evidence of such protections. The vulnerability, an insecure direct object reference (IDOR), allowed anyone to access sensitive user data via a simple web request. Raw has since fixed the issue but has yet to notify affected users or conduct a third-party security audit.
In 2025, the Raw dating app, launched in 2023, faced a significant security breach exposing sensitive user data including display names, birth dates, dating and sexual preferences, and highly precise location coordinates. This exposure allowed potential identification of users with street-level accuracy, raising serious privacy concerns.
Raw markets itself as a platform for genuine interactions by requiring daily selfies and claims to use end-to-end encryption to protect user data. However, an investigation by TechCrunch revealed no evidence of this encryption in practice. Instead, the app’s servers exposed user data publicly without authentication, making it accessible to anyone with a web browser.
The vulnerability identified is an insecure direct object reference (IDOR), a common security flaw where attackers can access or modify data by manipulating identifiers in API requests. This flaw allowed unauthorized access to user profiles simply by changing a numeric identifier in the URL, exposing private information and location data.
TechCrunch discovered the issue during routine testing on a virtual Android device, using dummy data and location spoofing. The app’s server responded to requests for user data without requiring authentication, confirming the IDOR vulnerability. This type of bug is especially dangerous as it can be exploited at scale to harvest large amounts of sensitive data.
Following notification, Raw promptly secured the exposed endpoints and implemented additional safeguards. However, the company has not conducted a third-party security audit nor committed to proactively informing affected users. Raw’s co-founder acknowledged the use of encryption in transit but did not confirm end-to-end encryption or plans to update their privacy policy.
This incident highlights critical lessons for app developers and businesses handling sensitive user data:
- Implement robust authentication and authorization checks to prevent unauthorized data access.
- Conduct regular third-party security audits to identify and remediate vulnerabilities proactively.
- Ensure transparency with users regarding data protection practices and promptly notify them of breaches.
- Adopt end-to-end encryption where feasible to safeguard data privacy even from the service provider.
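The authentication and authorization check from the first lesson, applied to the kind of numeric-identifier lookup described above. This is an added example, not Raw's code or part of the original article. The profile fields, session store, function names and the reduced view returned to non-owners are assumptions made for illustration.

```python
from dataclasses import dataclass, asdict

@dataclass
class Profile:
    user_id: int
    display_name: str
    birth_date: str
    lat: float
    lon: float

# Constructed sample records (hypothetical, not real user data).
PROFILES = {
    1001: Profile(1001, "alice", "1990-01-01", 52.520008, 13.404954),
    1002: Profile(1002, "bob", "1988-05-05", 48.856613, 2.352222),
}
# Constructed session store: bearer token -> authenticated user id.
SESSIONS = {"token-alice": 1001}

def get_profile_vulnerable(user_id):
    """IDOR pattern: the identifier in the request is the only thing consulted."""
    p = PROFILES.get(user_id)
    return (200, asdict(p)) if p else (404, None)

def get_profile_hardened(token, user_id):
    """Authenticate the caller, then authorize per object and per field."""
    caller = SESSIONS.get(token)
    if caller is None:
        return (401, None)          # no valid session: reject before any lookup
    p = PROFILES.get(user_id)
    if p is None:
        return (404, None)
    if caller == p.user_id:
        return (200, asdict(p))     # the owner sees the full record
    # Assumed policy for other authenticated users: no birth date, and
    # coordinates rounded to 1 decimal place (about 11 km), not street level.
    return (200, {"user_id": p.user_id, "display_name": p.display_name,
                  "lat": round(p.lat, 1), "lon": round(p.lon, 1)})
```

The hardened handler derives the caller's identity from the session rather than from anything in the request, so changing the identifier in the URL changes only which reduced view is returned.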
Broader Implications for Privacy and Security in Dating Apps
Dating apps inherently collect highly sensitive personal and location data, making them prime targets for cyberattacks. The Raw app’s exposure underscores the urgent need for stringent security measures in this sector. Users entrust these platforms with intimate details and expect their privacy to be protected rigorously.
Moreover, Raw’s upcoming wearable device that tracks partners’ biometric data raises ethical questions about consent and emotional surveillance. This further amplifies the responsibility of companies to secure data comprehensively and communicate transparently about data usage and protection.
As the digital dating landscape evolves with AI and IoT integrations, security and privacy frameworks must evolve in parallel to protect users from exploitation and breaches.
Conclusion
The Raw dating app data exposure serves as a cautionary tale for developers and companies handling sensitive user information. It highlights the critical importance of implementing comprehensive security protocols, performing regular audits, and maintaining transparency with users. As privacy expectations rise, companies must prioritize data protection to sustain user trust and comply with regulatory standards.