Photos from gay dating app Jack’d exposed via misconfigured AWS instance
In yet another case of cloud storage misconfiguration, private pictures shared by users of gay dating app Jack’d have been found exposed to all and sundry on an Amazon Web Services Inc. instance.
Jack’d is a gay dating app, with more than 1 million downloads from the Google Play store, that connects gay guys worldwide who want to meet or hook up. Users are able to chat privately with other users, including sharing X-rated pictures.
Discovered by security researcher Oliver Hough and first reported Tuesday by The Register, the exposed AWS S3 bucket was storing all the pictures shared between Jack’d users.
The security was so lacking that Hough claims anyone with a web browser could access the pictures if they knew where to look.
“As there is no authentication, no need to sign up to the app, and no limits in place, miscreants can therefore download the entire image database for further havoc and potential blackmail,” the report noted.
As if exposing private pictures weren’t bad enough, Hough claims that he informed the company behind the app, LD Interactive LLC, three months ago that the data was exposed, but nothing was done to rectify the situation.
Given growing attention to the data breach, the misconfigured AWS instance has now been fixed, but the fact that the company knew about the issue for months and did nothing is not confidence-building.
Jack’d is not the first company to expose its data this way and it certainly won’t be the last.
Previous cases of AWS configuration malfeasance include Accenture PLC, U.S. Army Intelligence and Security Command, Verizon Communications Inc., TigerSwan, FedEx Corp., Octoly, True Corp and Veeam Software Inc.