Security Flaws in Cerca Dating App Expose Users to Stalking and Identity Theft Risks
In February 2025, a security researcher discovered significant vulnerabilities in Cerca, a newly launched dating app. The vulnerabilities centred on the One-Time Password (OTP) login system and the app's exposed API endpoints, and together they allowed extensive exposure of user data.

After downloading and installing the Cerca app, the researcher used Charles Proxy to intercept its network requests. It quickly became apparent that the OTP, which is sent to a user's phone number for login, was also included directly in the server's response to the login request. This meant that anyone who knew a phone number linked to an account could gain unauthorized access to that account without ever seeing the SMS. The researcher also found that the app's API endpoints were reachable without proper authentication: an unprotected /docs endpoint served openapi.json, documenting the full API. By configuring Burp Suite to send the necessary headers, the researcher gained access to numerous endpoints. One particularly problematic endpoint allowed the researcher to force two users to match, raising concerns about manipulation of users' experiences. Another, user/{user_id}, returned extensive personal information about any user, including phone number, university email, date of birth, and even passport or national ID details.

Using a Python script, the researcher enumerated valid user IDs and found 6,117 active user accounts. Among these, 207 users had submitted national ID information, and 19 identified as Yale students. The exposed data also included sexual preferences and personal messages, affecting thousands of unsuspecting users. Although Cerca's privacy policy claimed industry-standard encryption measures, the app's security flaws were glaring. The researcher responsibly disclosed these findings to Cerca on February 23, 2025, and had a productive call with the company the following day. The team acknowledged the seriousness of the issue and promised prompt action, including informing affected users.
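The two server-side flaws described above, an OTP echoed in the login response and a user/{user_id} endpoint with no object-level authorization, are easy to see next to their fixes. The following is an added illustration written for this article, not Cerca's code; the in-memory user store, the stubbed SMS gateway, the six-digit OTP format and all record values are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stand-ins for the app's database and SMS gateway (assumptions).
USERS = {
    "u1": {"phone": "+15550000001", "email": "a@example.edu", "dob": "2001-01-01", "id_doc": "SAMPLE-ID-1"},
    "u2": {"phone": "+15550000002", "email": "b@example.edu", "dob": "2000-05-05", "id_doc": "SAMPLE-ID-2"},
}
OTP_HASHES = {}  # phone -> SHA-256 of the pending OTP; the OTP itself is never stored
SENT_SMS = []    # what the (stubbed) SMS gateway delivered out of band

def new_otp():
    return f"{secrets.randbelow(10**6):06d}"

def request_otp_insecure(phone):
    """The flaw the article describes: the OTP is echoed in the HTTP response,
    so knowing a phone number is enough to log in; the SMS is never needed."""
    otp = new_otp()
    OTP_HASHES[phone] = hashlib.sha256(otp.encode()).hexdigest()
    return {"status": "sent", "otp": otp}  # the leak

def request_otp_secure(phone):
    """Hardened: the OTP leaves only via SMS; the response carries no secret."""
    otp = new_otp()
    OTP_HASHES[phone] = hashlib.sha256(otp.encode()).hexdigest()
    SENT_SMS.append((phone, otp))  # stand-in for handing the code to the SMS gateway
    return {"status": "sent"}

def verify_otp(phone, candidate):
    """Constant-time comparison against the stored hash; single use."""
    stored = OTP_HASHES.get(phone)
    if stored is None:
        return False
    if not hmac.compare_digest(stored, hashlib.sha256(candidate.encode()).hexdigest()):
        return False
    del OTP_HASHES[phone]  # burn the code so it cannot be replayed
    return True

def get_user_insecure(target_id):
    """user/{user_id} as described: any caller receives the full record."""
    return USERS.get(target_id)

def get_user_secure(caller_id, target_id):
    """Object-level authorization: only the account owner sees sensitive fields;
    every other caller gets the minimal public view."""
    rec = USERS.get(target_id)
    if rec is None:
        return None
    return dict(rec) if caller_id == target_id else {"id": target_id}
```

A rate limit on OTP requests and verification attempts, and a short expiry on each code, would complete the hardened path; both are omitted here to keep the contrast with the flawed version clear.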
However, by the publication date of April 21, 2025, the company had not followed up or publicly acknowledged the incident, despite the researcher's repeated inquiries on March 5 and March 13. After confirming that the vulnerabilities had been patched, the researcher decided to publish the detailed findings to raise awareness.

The risks associated with these security lapses are substantial, given the personal nature of the data stored in dating apps. Unauthorized access to such information could lead to identity theft, stalking, and blackmail. The researcher emphasizes that while their own motivation was to ensure user safety, there is no telling how many others might have exploited these vulnerabilities before they were discovered and patched.

The event highlights a broader concern in the tech industry: the prioritization of rapid product launches over robust security practices. Startups often neglect to invest in thorough security audits and continuous monitoring, putting user data at risk. In this case, Cerca's failure to respond to the researcher's disclosures and its lack of transparency with its user base exacerbate the trust issues surrounding the app. Industry experts stress the importance of stringent security measures, especially for applications handling sensitive data. They point out that failing to address security vulnerabilities can not only harm users but can also cripple a startup's reputation and future prospects. Cerca's ordeal serves as a cautionary tale for other companies, emphasizing the need to balance innovation with user protection and ethical responsibility.