When Raw burst onto the scene in 2023, it promised to shake up the dating app world like Bumble did a few years back. No filters. No curated profiles. Just daily selfies and real-time location-based matches, all in the name of authenticity. It was a bold promise in a world hooked on glossy digital personas and hard swipes left or right.

But last month, Raw’s trust-first model took a serious business blow. A security breach is said to have exposed sensitive user data to, well… anyone who went looking for date data. Turns out, privacy still needs to be protected, no matter how fresh the UX feels.

Raw’s issue was more than a technical breakdown. The app sold itself on emotional vulnerability and trust, which makes its own security vulnerability that much more poignant. The breach resulted from basic security flaws rather than complex hacking or malware operations. It was much simpler, and likely far more damaging.

Reports show that Raw’s backend was unprotected, allowing unrestricted access to user profiles without any authentication. Anyone with a typical web browser and an easily guessed 11-digit user ID could access personal information, including names, birthdates, sexual orientation, and exact location data down to street-level precision. Ouch.

An open door to anyone

An IDOR (Insecure Direct Object Reference) vulnerability is a flaw in which a server returns a record based solely on an identifier supplied in the request, without checking whether the requester is allowed to see it. It is like leaving private files in an unlocked filing cabinet in a public hallway. Research teams appear to have exploited the vulnerability after creating a fake profile through location spoofing.

After creating a dummy profile, they accessed other Raw users’ data by incrementing user ID numbers. No password. No login. No encryption. Just an open API endpoint: api.raw.app/users/[ID]. 
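The flaw described above and one way to close it, as an added example (not Raw's code and not part of the original reporting). The handler names, session store, sample records and the choice to show other users a reduced profile with coarse location are all assumptions made for illustration.

```python
# Constructed sample data: sequential 11-digit IDs, as the article describes.
USERS = {
    10000000001: {"name": "Alex", "birthdate": "1994-03-02",
                  "orientation": "constructed-value",
                  "lat": 52.520008, "lon": 13.404954},
    10000000002: {"name": "Sam", "birthdate": "1990-11-17",
                  "orientation": "constructed-value",
                  "lat": 48.856613, "lon": 2.352222},
}
# Hypothetical session store: bearer token -> authenticated user ID.
SESSIONS = {"tok-alex-constructed": 10000000001}
PUBLIC_FIELDS = ("name",)  # allow-list of fields other users may see


def get_user_vulnerable(user_id, token=None):
    """The flaw: the ID in the URL is the only thing that selects the record."""
    record = USERS.get(user_id)
    return (200, dict(record)) if record else (404, None)


def get_user_hardened(user_id, token=None):
    """Authenticate first, then authorize per object before returning data."""
    caller = SESSIONS.get(token)
    if caller is None:
        return 401, None                 # no anonymous reads at all
    record = USERS.get(user_id)
    if record is None:
        return 404, None
    if caller == user_id:
        return 200, dict(record)         # the owner sees the full profile
    # Other authenticated users get only allow-listed fields, with location
    # rounded to one decimal place (about 11 km of latitude), not street level.
    view = {k: record[k] for k in PUBLIC_FIELDS}
    view["lat"] = round(record["lat"], 1)
    view["lon"] = round(record["lon"], 1)
    return 200, view


def anonymous_sweep(handler, start=10000000001, count=5):
    """Regression check: how many sequential IDs leak to a caller with no token?"""
    return sum(1 for i in range(start, start + count) if handler(i)[0] == 200)
```

Run against both handlers, anonymous_sweep makes a useful regression test: any result above zero means profile reads are still possible without a session.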

The investigation found no trace of end-to-end encryption for data in transit or in storage, despite the company’s public assertions that it was in place. The app transmitted sensitive data without restriction, and the encryption claims turned out to be mere marketing.

The exposure fallout

After the issue came to light, Raw immediately closed the exposed endpoints and implied that the needed notifications would be made. By its own statement, the company focused on building a high-quality product and engaging with its community without completing due diligence. Translation: Growth first, security later.

The security breach struck the startup at an inconvenient time. Just days earlier, Raw announced its next big idea: the Raw Ring, a wearable device that tracks heart rate data alongside emotional signals and voice tone in order to identify indicators of infidelity. The pitch? Real-time AI-driven relationship monitoring powers the “flirt-free zone.”

Serious questions have emerged even before the ring becomes available to consumers. Raw failed to protect profile photos and GPS data, so how can it ensure biometric information and emotional metadata remain secure?

The landscape is tough

Raw isn’t the only app trying to rewrite the dating rulebook. It’s up against a wave of fresh, edgy contenders—each with its own twist. 

Thursday limits matches to one day a week, pushing real-life meetups fast. Snack brings TikTok-style videos to dating, targeting swipe-fatigued Gen Z users. Feeld thrives on inclusivity, catering to non-traditional and open relationships. Hinge leans hard into serious connections with its “designed to be deleted” mantra, while Lox Club adds an air of exclusivity and humor to the mix. 

In a space driven by novelty, trust, and vibe, competition is fierce—and for apps like Raw, there’s little room for mistakes.

Final swipe: When vulnerability stops being romantic

Raw’s security flaws are part of a larger industry trend. Mobile apps often explode in popularity long before they are built to withstand real security threats. Developers, driven by ambition, inexperience, or plain disregard, frequently treat cybersecurity as an afterthought until something breaks. And when it breaks, it’s costly. 

In Raw’s case, users discovered that their dating behavior, sexual orientation, and even real-time location data were exposed online. For an app catering to vulnerable communities and privacy-seeking individuals, the fallout could be far more serious than mere embarrassment.

Raw had momentum. Over half a million Android downloads and a growing, loyal user base drawn to its unfiltered, real-time vibe. But trust in dating apps doesn’t come from aesthetics or virality. It is forged in silence, through secure systems that users never see but completely rely on.

Raw now stands as a warning. In the dating app world, you are only as safe as your backend. Vulnerability may be essential in love, but not in code.