TL;DR: A security researcher found that a porn abstinence app—designed to help users quit watching pornography—left its Google Firebase database wide open. More than 600,000 users' extremely sensitive data was exposed, including their ages, how often they masturbate, and how viewing porn makes them feel. Approximately 100,000 users who claimed to be minors are among those exposed. The researcher notified the developer in September 2025. The developer first promised to fix it, then denied any vulnerability exists. The data remains exposed.

The Most Sensitive Kind of Data

People don't download porn addiction recovery apps casually. They're usually at a low point—struggling with compulsive behavior, often ashamed, sometimes desperate. These apps promise discretion and support. Users share things they wouldn't tell their therapists.

In January 2026, 404 Media reported that one such app left all of that exposed to anyone who knew where to look [1].

The researcher who found the vulnerability—who asked to remain anonymous—discovered that the app's Google Firebase backend was completely misconfigured. No authentication required. No access controls. Just an open database containing:

  • Users' ages (self-reported)
  • How often they masturbate
  • How viewing pornography makes them feel
  • Usage patterns and progress tracking data

The app isn't named in reporting to protect the users still exposed. But the scope is staggering: over 600,000 users, including approximately 100,000 who indicated they were minors [1][2].

Firebase Strikes Again

This is the same vulnerability pattern we've covered multiple times. Google Firebase is a popular backend platform for mobile apps. When properly configured, it restricts database access to authenticated users with appropriate permissions.

But Firebase makes it easy to leave the door open. Developers can accidentally—or lazily—skip the security rules, leaving their entire database readable by anyone. It's happened to Chat & Ask AI (300 million messages exposed), to countless other apps, and now to one that stores data about minors' sexual behavior.

Google's own documentation warns about this. The Firebase console shows warnings when security rules are too permissive. But developers ignore them, and users pay the price.
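To make the misconfiguration concrete, here is an added example (not code from the app, the researcher, or Firebase) that audits a rules file for world-open grants before deployment. It assumes the Realtime Database rules JSON format, since the reporting does not say which Firebase database product was involved. The sample rules are constructed and audit_rules is a hypothetical helper name.

```python
import json

# Constructed sample rules for illustration (not taken from the app in the article).
OPEN_RULES = """
{"rules": {".read": true, ".write": "auth != null",
           "users": {"$uid": {".read": "auth != null && auth.uid === $uid"}}}}
"""
HARDENED_RULES = """
{"rules": {"users": {"$uid": {
    ".read": "auth != null && auth.uid === $uid",
    ".write": "auth != null && auth.uid === $uid"}}}}
"""

def _is_public(expr):
    # A rule is a boolean or an expression string; literal true means no auth check.
    return expr is True or (isinstance(expr, str) and expr.strip() == "true")

def audit_rules(rules_json):
    """Hypothetical helper: find world-open grants and the child rules they override."""
    public, shadowed = [], []

    def walk(node, path, inherited):
        granted = set(inherited)
        for op in (".read", ".write"):
            if op not in node:
                continue
            if op in granted:
                # Access granted higher up cascades down; a stricter child rule is ignored.
                if not _is_public(node[op]):
                    shadowed.append((path, op))
            elif _is_public(node[op]):
                public.append((path or "/", op))
                granted.add(op)
        for key, child in node.items():
            if isinstance(child, dict) and not key.startswith("."):
                walk(child, f"{path}/{key}", granted)

    walk(json.loads(rules_json)["rules"], "", frozenset())
    return {"public": sorted(public), "shadowed": sorted(shadowed)}

if __name__ == "__main__":
    for name, rules in (("open", OPEN_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_rules(rules))
```

In the open sample, the per-user read rule looks restrictive but has no effect, because the root-level grant already applies to every child path.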

The Developer's Response

When the researcher first contacted the developer in September 2025, they promised a quick fix [2].

That didn't happen.

By January 2026, when journalists started asking questions, the developer's position changed. Now they claim there is no vulnerability at all [1][2].

The data, according to Privacy Guides' breach roundup, remains exposed [2]. Users who trusted this app with their most sensitive struggles have no idea their information is sitting in an open database, accessible to anyone with basic technical knowledge.

Minors Are the Worst Part

About 100,000 of the exposed users indicated they were under 18 [1][2]. Let that sink in.

These are kids who searched for help with something they were too embarrassed to discuss with parents or doctors. They found an app that promised to help. They answered questions about their sexual habits honestly, believing the data was private.

It wasn't. And the app's developer won't even acknowledge the problem.

The combination—minors, sexual behavior data, open database, developer denial—is about as bad as data exposure gets. This isn't credit card numbers that can be reissued. This is permanent, deeply personal information about children's struggles with sexuality.

The Pattern

Firebase misconfiguration breaches are so common now that security researchers have a term for this era: the "golden age of Firebase misconfiguration breaches" [2].

Apps that handle sensitive data—health apps, AI chatbots, financial tools—keep making the same mistake. They build fast, ship fast, and skip the security configuration step. When researchers find the vulnerability, developers either scramble to fix it (if they're responsible) or deny it exists (if they're not).

Users are left guessing whether their data is safe. Usually, it isn't.

What Users Should Know

Assume the Data Is Compromised

If you've ever used a porn abstinence or addiction recovery app, treat any data you shared as potentially exposed. This isn't the only app with Firebase problems.

Use Established Services

Large, regulated healthcare providers have legal obligations to protect your data. Random apps from app stores don't have the same accountability.

Check Privacy Policies

Before sharing sensitive data with any app, read how they handle it. If they store data in the cloud, ask: what security certifications do they have? Most won't answer—because they don't have any.

For Parents

If your child used an app like this, have an honest conversation. The data exposure isn't their fault. The priority is making sure they know what happened and aren't vulnerable to anyone who might try to exploit it.

The Bottom Line

An app that promised to help people—including kids—overcome something they were ashamed of instead exposed their deepest struggles to the open internet. The developer knew about it for months. They denied it exists. The data is still exposed.

This is what happens when "move fast and break things" meets sensitive personal data. The app moved fast. The users are the ones who got broken.

References

  1. 404 Media - App for Quitting Porn Leaked Users' Masturbation Habits (January 28, 2026)
  2. Privacy Guides - Data Breach Roundup, January 23-29, 2026