One week after queer hookup app Grindr announced it would offer a feature reminding users to get tested for HIV,an explosive news report reveals the site is sharing customers’ HIV status with at least two outside companies.
Apptimize and Localytics, companies that help apps sharpen marketing strategies, “receive some of the information that Grindr users choose to include in their profiles,” BuzzFeed reported. That information includes HIV status and “last tested date.”
Because HIV information is sent alongside users’ GPS data, phone ID, and email, an individual’s status could easily be discovered, Antoine Pultier, a researcher at the Norwegian nonprofit SINTEF, told BuzzFeed.
“The HIV status is linked to all the other information. That’s the main issue,” said Pultier. “I think this is the incompetence of some developers that just send everything, including HIV status.”
Grindr told BuzzFeed that the services provided by Apptimize and Localytics are intended to improve users’ experience.
“Thousands of companies use these highly regarded platforms. These are standard practices in the mobile app ecosystem,” Scott Chen, Grindr’s chief technology officer, told BuzzFeed in a statement. “No Grindr user information is sold to third parties. We pay these software vendors to utilize their services.”
The news follows Grindr’s repair of a security flaw that allowed users to see who has blocked them. That flaw also allowed users access to others’ location data, which NBC News reported could “lead to increased harassment — especially in places where homosexuality is criminalized.”
“The security flaw was identified by Trever Faden, CEO of the property management startup Atlas Lane, after he created a website called C*ckblocked” (the asterisk is part of the name of the service), NBC News reported.
“His website allowed users to see who blocked them on Grindr after they entered their Grindr username and password. Once they did so, Faden was able to gain access to a trove of user data that is not publicly available on user profiles, including unread messages, email addresses, deleted photos, and the location data of users, some of whom have opted to not share their locations publicly.”
Grindr told NBC it was aware of the problem and “had changed its system to prevent access to data regarding blocked accounts,” though it apparently did not change access to other data.
This article originally appeared on HuffPost.