Tech

Scruff Acquires Jack’d, The Dating App That Exposed Users’ Nudes

HOT DATE

The app's parent company is still on the hook for $240,000 in fines for its failure to protect user privacy.

exclusive
190709-hatmaker-scruff-tease_oaob7u

Just two weeks after being fined hundreds of thousands of dollars for exposing its users’ nude photos, the dating app Jack’d has found the exit sign.

Scruff, a privately held dating app that caters to gay and bisexual men, bought Jack’d for an undisclosed sum. The acquisition comes as Jack’d attempts to move past a privacy scandal and reassure users that their intimate communications remain unseen by prying eyes. 

[Full disclosure: The Daily Beast is owned by IAC, which also owns Match Group, the company that operates Tinder, OkCupid, Hinge, and other dating apps.]

ADVERTISEMENT

On June 28, Online Buddies—the parent company of Jack’d, which also owns the gay dating site Manhunt—agreed to pay $240,000 in a settlement with the New York Attorney General’s office after almost 2,000 New York users had their nude photos exposed via an unsecured Amazon cloud server. A second vulnerability also exposed users’ location data, device ID, operating system version, last login date, and hashed passwords.

Jack’d allows a user to upload an album of public photos to their profile—“nudity prohibited,” the instructions direct—and another album of private pictures that require permission to view. These hidden images carry no such constraint on sexually explicit content. Both types of photos, however, were left out in the open on the unsecured server.

In addition to the fine, the company committed to substantially improving the security of its app as part of the settlement. 

Online Buddies remains responsible for paying the fine, according to a spokesman for the Attorney General’s office, but Scruff’s parent company Perry Street Software will now be responsible for implementing security upgrades. The spokesman added that the office intends to ensure the terms of the settlement are followed and users’ privacy is protected.

“The opportunity to acquire Jack’d was an especially unique one,” Eric Silverberg, CEO of Perry Street, told The Daily Beast. 

“Jack’d was one of the earliest and largest queer spaces and queer apps on the market,” Silverberg said, adding that the acquisition is an opportunity for Scruff to expand in markets like East Asia.

Silverberg said Perry Street was always planning to overhaul the technology of Jack’d but that his company had notified the Attorney General of the acquisition negotiations to ensure their intentions aligned with the terms of the settlement. Jack'd will continue operating as a standalone app.

The company says it plans to redesign the app from the ground up, enhancing Jack’d users’ controls over their privacy and rejiggering key features. The advertising experience will also change: Scruff stopped showing users programmatic advertising in late 2018, and Jack’d will follow suit after the acquisition.

The Attorney General penalized Online Buddies not only for the security failure but also for looking the other way after becoming aware of it. Though the flaw was first publicly reported in February 2019, a security researcher had notified the company of the vulnerability a year prior to no effect. 

Perry Street learned about the breach at the same time as the general public, according to Silverberg, even as the company was more than six months into discussions of the acquisition of Jack’d. He blasted Online Buddies’ response to the problem. 

“[Perry Street] will always prioritize these kinds of issues. I cannot even fathom a scenario where someone would bring this to our attention and we wouldn’t address it immediately. It was frankly unfathomable to us when we first read about it in February,” he said, adding that Scruff has not weathered a data breach.

Silverberg, who identifies as gay, said the work of protecting user privacy has particular resonance to him since he and others at Perry Street are members of the LGBTQ community and users of their own product.

“If there’s any suggestion of a data breach or a security issue, we stop what we’re doing and work relentlessly until it’s addressed,” he said. “The work we do is personal for our members, and it’s personal for us. We are sharing our community, sharing this app, with our friends and loved ones.” 

Jack’d isn’t alone among in its privacy woes. Several other high-profile dating apps have suffered breaches or failed to protect their users in recent years. The gay dating app Grindr was found to be sharing users’ HIV status and location with third-party app optimization companies in April 2018, though it vowed to stop.

A Tinder vulnerability exposed last year allowed hackers to take over accounts using only a phone number. The company patched it before disclosure. In February, some OkCupid users reported hacked accounts, but the company denied a data breach. OkCupid, Match, and other major dating sites still do not offer two-factor authentication—one of the most robust ways for users to secure accounts.

Got a tip? Send it to The Daily Beast here.