New York’s attorney general has settled a complaint over gay, bisexual, and queer dating app Jack’d, whose parent company left users’ private photos exposed online for at least a year. The company, Online Buddies, will pay $240,000 and implement a “comprehensive security program” to prevent similar incidents in the future.

The Register and Ars Technica first reported on the Jack’d security flaw in February of 2019, noting that security researcher Oliver Hough had informed the company a year earlier to no avail. The popular dating app had uploaded photos to a publicly accessible Amazon Web Services storage bucket, even when users believed the pictures were private. The exposed data included nude photos and pictures that revealed a user’s location — potentially putting them at risk of blackmail or even arrest in some countries. Jack’d fixed the problem the day Ars published its story.
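The misconfiguration described above, a storage bucket whose objects anyone can fetch, is visible in the bucket's own policy and ACL, which is why a periodic audit catches it long before a researcher or journalist does. The following Python is an added example, not code from the article or from Online Buddies: the bucket name, role ARN, policies and ACL are constructed samples, and the two functions flag the grant patterns (anonymous principal with an object-read action, or an ACL grant to the global AllUsers/AuthenticatedUsers groups) that make S3 objects world-readable.

```python
import json
from fnmatch import fnmatchcase

# Constructed sample policy: anonymous read on every object, the setting that makes
# "private" uploads reachable by anyone who can guess or obtain the object URL.
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-photos/*"}]})

# Constructed sample policy: the same read grant limited to one IAM role (hypothetical ARN).
PRIVATE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "AppRead", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/photo-service"},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-photos/*"}]})

# Constructed sample ACL in the shape the S3 GetBucketAcl API returns.
PUBLIC_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
     "Permission": "READ"}]}

# Predefined S3 groups whose members are, respectively, everyone and any AWS account.
WORLD_GROUPS = {"http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
                "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def is_anonymous_principal(principal) -> bool:
    """'*' and {'AWS': '*'} both grant to everyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for v in principal.values() for p in _as_list(v))
    return False

def public_read_statements(policy_json: str) -> list:
    """Sids of Allow statements that let anonymous callers read objects; wildcard actions
    such as s3:* or s3:Get* count. A Condition may narrow a grant, so it is still reported
    for human review rather than silently accepted."""
    found = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_anonymous_principal(stmt.get("Principal")):
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if any(fnmatchcase("s3:getobject", a) for a in actions):
            found.append(stmt.get("Sid", "<no Sid>"))
    return found

def public_acl_grants(acl: dict) -> list:
    """'Group:PERMISSION' for every ACL grant to the AllUsers or AuthenticatedUsers group."""
    return [f"{WORLD_GROUPS[g['Grantee']['URI']]}:{g['Permission']}" for g in acl.get("Grants", [])
            if g["Grantee"].get("Type") == "Group" and g["Grantee"].get("URI") in WORLD_GROUPS]
```

Feeding the same checks the output of GetBucketPolicy and GetBucketAcl for every bucket in an account turns this into a scheduled audit; the durable fix for user photos is to keep the bucket private and hand clients short-lived presigned URLs instead.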

The office of Attorney General Letitia James said that an investigation had confirmed this privacy problem. It also confirmed that “senior management of Online Buddies had been told in February 2018 of this vulnerability,” as well as another problem that could expose data about users. “While Online Buddies immediately recognized the seriousness of its vulnerabilities, the company failed to fix the problems for an entire year, and only after repeated inquiries from the press,” says a press release.

James’ statement says that Jack’d had around 7,000 active New York users during that year, around 1,900 of whom had “private images that could be nude photographs.” Online Buddies currently says Jack’d has over 6 million users around the world, and it describes itself as the world’s “most culturally diverse gay dating app.” That means Jack’d serves many men who are particularly vulnerable to discrimination if their personal data is exposed.

While Online Buddies’ long delay was a big part of the problem here, security flaws — or outright sharing of sensitive information — are an ongoing problem in mobile apps, including dating apps. Grindr formerly shared users’ HIV status with app optimization companies, and its acquisition by a Chinese company raised national security issues. (The company later sold the app.) Tinder had to address a serious login vulnerability last year, and a security researcher separately found that hackers could access some unencrypted user photos.