Raw Dating App Exposed User Data and Exact Locations


Raw, a dating app launched in 2023, suffered a major security breach that exposed sensitive user data and exact location information, according to an investigation. The breach revealed display names, birth dates, sexual preferences, and GPS coordinates that could identify users’ precise street-level locations.

Despite claiming to use end-to-end encryption, the app was found leaking data openly over the internet. The flaw was discovered during testing of the app, which showed that anyone with basic knowledge of web browsers could access private user profiles by changing a single numeric ID in the app’s API.

Raw App’s Security Flaw Exposed Precise User Locations

The vulnerability was traced to an insecure API endpoint — api.raw.app/users/ followed by a user’s 11-digit ID. This setup allowed unauthorized access to detailed personal information, including pinpoint location data. By merely changing the ID number, anyone could view another user’s private profile, including their GPS coordinates.

This kind of vulnerability is known as an Insecure Direct Object Reference (IDOR). It’s a common yet dangerous security flaw where a server fails to verify whether a user is authorized to access the data being requested. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly warned that IDOR bugs can be exploited to access sensitive records at scale.
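To make the IDOR concrete, here is an added illustration (not Raw’s code) of a profile endpoint that authenticates the caller but never checks whether they may read the requested record, beside a hardened version that enforces object-level authorization and returns only a coarse distance, not coordinates, to anyone other than the profile’s owner. The session table, profile records and 11-digit IDs are constructed for the example.

```python
import math
from dataclasses import dataclass

@dataclass
class Profile:
    user_id: int          # constructed 11-digit IDs, mirroring the article's description
    display_name: str
    birth_date: str
    lat: float
    lon: float

# Constructed sample data: a session token resolves to the authenticated user.
SESSIONS = {"tok-alice": 10000000001, "tok-bob": 10000000002}
PROFILES = {
    10000000001: Profile(10000000001, "Alice", "1994-03-02", 37.4146, -122.0781),
    10000000002: Profile(10000000002, "Bob", "1990-11-17", 37.3861, -122.0839),
}

def _distance_km(p: Profile, q: Profile) -> float:
    """Great-circle distance (haversine) between two profiles' coordinates."""
    lat1, lat2 = math.radians(p.lat), math.radians(q.lat)
    dlat, dlon = lat2 - lat1, math.radians(q.lon - p.lon)
    a = math.sin(dlat / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def get_user_vulnerable(token: str, user_id: int):
    """IDOR: authenticates the caller, then returns whatever record user_id names."""
    if token not in SESSIONS:
        return None                          # unauthenticated -> 401
    p = PROFILES.get(user_id)
    if p is None:
        return None                          # -> 404
    return {"id": p.user_id, "name": p.display_name,
            "birth_date": p.birth_date, "lat": p.lat, "lon": p.lon}

def get_user_hardened(token: str, user_id: int):
    """Object-level authorization plus data minimization for non-owners."""
    caller = SESSIONS.get(token)
    if caller is None:
        return None                          # -> 401
    p = PROFILES.get(user_id)
    if p is None:
        return None                          # -> 404
    if caller == p.user_id:                  # owner sees the full record
        return {"id": p.user_id, "name": p.display_name,
                "birth_date": p.birth_date, "lat": p.lat, "lon": p.lon}
    # Anyone else gets only what matching needs: no birth date, no coordinates,
    # just the distance from the caller's own location rounded to whole kilometres.
    return {"id": p.user_id, "name": p.display_name,
            "approx_km": round(_distance_km(PROFILES[caller], p))}
```

The authorization decision lives in the handler itself, so it holds no matter how the client learned the ID; rounding the distance limits what a legitimately matched user can infer, though coarse distances are a data-minimization measure rather than a complete defence.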

Shortly after the company was notified, Raw patched the flaw. “All previously exposed endpoints have been secured, and we’ve implemented additional safeguards to prevent similar issues in the future,” said Marina Anderson, co-founder of Raw, via email.

However, the company admitted it has not conducted a third-party security audit, and it’s unclear whether it plans to. Anderson emphasized that their current priority is building a “high-quality product” and fostering community engagement, rather than immediately notifying affected users.

While Raw claims on its website and in its privacy policy that it uses end-to-end encryption to protect user data, no evidence of such security in practice was found. Instead, the app was transmitting user data without adequate safeguards.

Users Not Notified, Privacy Policy Unchanged

Despite the severity of the data exposure, Anderson would not confirm if the company plans to notify affected users. She stated that Raw would report the incident to relevant data protection authorities, but provided no timeline or commitment to transparency with users.

Anderson also declined to say whether the company would update its privacy policy in light of the findings. When asked about encryption, she said Raw uses encryption in transit and enforces access controls internally — but again fell short of clarifying any end-to-end encryption practices.

The leak was uncovered while testing the Raw app on a virtual Android device. The testers used dummy information to create a test account and simulated a precise location near a museum in Mountain View, California.

By analyzing the app’s network traffic, the team quickly realized that user data was being fetched from the server without proper access checks. Within minutes, they could see their test profile’s data — and knew the same method could access any other profile by simply changing the user ID.

Screenshots taken during the test showed user profiles — including location pins on a map — openly accessible through Raw’s unprotected server.

Serious Implications for Users and Surveillance Concerns

This breach is especially troubling considering the company’s plans to release a wearable device, the Raw Ring, which aims to track a partner’s heart rate and generate AI-based relationship insights. Privacy experts have criticized the device for enabling emotional surveillance and raising ethical concerns around partner tracking.

By combining this data with insecure systems, Raw potentially exposes users to serious risks — from stalking and harassment to data exploitation.

While the app has more than 500,000 downloads on the Google Play Store, the exact number of affected users remains unknown.

As regulators worldwide continue to crack down on poor data security practices, incidents like this highlight the critical need for security-by-design, proper authentication, and independent audits before launching products that handle sensitive personal and biometric data.
