Now-Defunct ‘Fleek App’ Exposed Intimate User Photos

• ‘Fleek App’ shut its doors in 2009 but still kept user data on its servers and eventually leaked it online.
• The type of exposed data includes sexual images, drug use pictures, and sensitive chat content.
• Along with the real user data, Fleek’s shady practices have been exposed, as the platform used bots to trick male users into paying fees.

The ‘Fleek App’ shut down in 2019, but that doesn’t mean the social media platform treated what remaining user data it held with care or that it deleted everything as it should have done. On the contrary, it leaked 32 GB of highly-sensitive data online after failing to secure its AWS server properly.

Fleek was an “x-rated” social media platform that didn’t moderate or censor user content, so the 377,000 files that were left accessible to anyone with a web browser include sexual photos, drug use evidence, and other things that their uploaders would prefer to keep private forever.

When having leaks of this kind, the affected users become candidates for powerful extortion from malicious individuals. Fleek was mostly used by U.S.-based college students who were young enough not to think twice about the implications of uploading self-exposing or self-incriminating images on "a random platform." Growing up, these users may regret their Fleek activities, but blackmailing will remain a possibility for many years to come. If you find yourself in that position, reporting it to the police would be the best thing to do.

Whether or not someone accessed and downloaded the sensitive data hasn’t been determined with certainty, but the timeline of the owner’s reaction leaves little hope. The researchers who discovered the misconfigured AWS S3 bucket did so on October 13, 2020, and reported it to Squid Inc., the owner of Fleek, as soon as they could find their contact details (it wasn’t easy).

Receiving no response from them, the team contacted Amazon on October 19, 2020, informing them about the nature of the data leak. The internet company took the bucket down two days later, so we had a total of at least eight days of exposure, which is more than enough for specialized search engines to index it.

One more interesting thing that surfaced thanks to this leak is a shady practice of Fleek. Apparently, the platform tried to trick its male users by generating fake female bot accounts and setting them to send enticing chat messages to real users.

Fleek was asking male users to pay a small fee to exchange messages with the bots, supposedly for verification, which was a total scam. And to make this even worse, Fleek scraped photos of young women from various internet sources to create those fake accounts, so the bot chats linked with the faces of women who were never really on Fleek have now been leaked online.