Yale student exposes data leak in college dating app
Alex Schapiro ’26 responsibly disclosed a massive privacy breach in the dating app Cerca. Months later, users still have not been notified of the breach, and legal scholars have weighed in.

Baala Shakya, Staff Photographer
When Alex Schapiro ’26 received an unsolicited text suggesting that he had a “secret admirer” on a new dating app called Cerca, he was skeptical and decided to test the app’s integrity.
Within hours of downloading the app, Schapiro, a computer science and Near Eastern languages & civilizations double major, found he could retrieve data on over 6,000 users, including phone numbers, sexual preferences, private chat logs, college affiliations, and in over 200 cases, scanned passports or driver’s licenses.
Cerca, founded by students at Georgetown University and the University of Southern California, is a new dating app active at multiple universities, including Yale, UPenn, Duke and Emory. The app requires users to sync their contacts and then view potential matches with whom they share at least one contact.
While Cerca brands itself as a “safe” friends-of-friends dating network, Schapiro’s findings suggest otherwise. “This is a hacker’s jackpot,” he said.
By intercepting network requests from the app using a standard proxying tool, Schapiro discovered that anyone could take over any Cerca user’s account using only their phone number, and thus access a trove of deeply personal information.
Schapiro’s blog post detailing the vulnerability, published on Monday, described it as an “insane leak” that allowed him — or any hacker — to log into accounts with only a phone number, no verification code needed. He found an exposed development endpoint listing every function the app could perform. From there, a “users” endpoint revealed information about each account in the database, incrementally indexed by ID.
Using a Python script, Schapiro extracted information en masse, noting that the app had left key fields — including passport and driver’s license scans, alongside data like sexual preferences — open to unauthorized access. While he refrained from viewing any sensitive user data beyond verifying its existence, he warned that a malicious actor could have exploited the same flaw.
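As an added illustration, not Cerca's code and not Schapiro's script, the following Python model shows the two flaws the article describes, a login that accepts a phone number with no verification code and a user lookup indexed by ID that returns every field to anyone, beside hardened versions of each; all records, phone numbers and file names are constructed.

```python
import hmac
import secrets

# Constructed sample records with sequential IDs, mirroring the "users"
# endpoint described in the article. None of this is real data.
USERS = {
    1: {"phone": "+15550000001", "name": "Ada", "id_scan": "passport-1.jpg"},
    2: {"phone": "+15550000002", "name": "Ben", "id_scan": "licence-2.jpg"},
}
PUBLIC_FIELDS = {"name"}   # every other field is visible to its owner only
_pending_otps = {}         # phone -> one-time code, held server side
_sessions = {}             # session token -> user id


def _uid_for_phone(phone):
    return next((uid for uid, r in USERS.items() if r["phone"] == phone), None)


def _issue_session(uid):
    token = secrets.token_hex(16)
    _sessions[token] = uid
    return token


def login_vulnerable(phone):
    """Flaw 1: knowing a phone number is enough to get that user's session."""
    uid = _uid_for_phone(phone)
    return _issue_session(uid) if uid is not None else None


def get_user_vulnerable(user_id):
    """Flaw 2: no session required and every field returned (an IDOR)."""
    return USERS.get(user_id)


def request_otp(phone):
    """Hardened step 1: issue a one-time code. A real service would send it
    by SMS; the model returns it so the example runs offline."""
    code = f"{secrets.randbelow(10**6):06d}"
    _pending_otps[phone] = code
    return code


def login(phone, code):
    """Hardened step 2: the caller must present the code sent to the phone.
    The code is consumed on the first attempt, right or wrong, so it cannot
    be guessed by repeated tries."""
    expected = _pending_otps.pop(phone, None)
    if expected is None or not hmac.compare_digest(expected, code):
        return None
    return _issue_session(_uid_for_phone(phone))


def get_user(token, user_id):
    """Hardened lookup: a valid session is required, and sensitive fields
    (ID scans and the like) are returned only to the record's owner."""
    caller = _sessions.get(token)
    rec = USERS.get(user_id)
    if caller is None or rec is None:
        return None
    if caller == user_id:
        return dict(rec)
    return {k: v for k, v in rec.items() if k in PUBLIC_FIELDS}
```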
Schapiro, who previously led Yale’s CourseTable, had no intention of exploiting the app. Instead, he alerted Cerca’s development team. They responded to his Feb. 24 disclosure with a video call, acknowledged the issue and pledged to fix it and notify users. Though they were nice, Schapiro recalled, the development team never responded to his subsequent emails.
“We were made aware of a potential security concern by someone who represented themselves as a good-faith researcher, and took immediate steps to address it, including deploying a same-day fix and engaging an external cybersecurity firm to audit our platform and help strengthen our systems,” Cerca leaders wrote to the News. “We have no evidence to indicate that any other unauthorized party has accessed user data for the entire life of our company.”
The discovery has since raised questions about data privacy, developer accountability and the responsibilities of student-founded tech startups.
Despite the assurances given to Schapiro during the initial call, Cerca has still not informed its users of the breach. According to Dr. Maria Angel Arango, a resident fellow of the Information Society Project at Yale Law School, that silence may violate state laws.
“Every U.S. state, including D.C., has its own data breach notification law,” Arango said. “If Cerca’s data breach affected people in multiple states, they may need to comply with multiple state laws simultaneously.”
In Connecticut, where Yale students reside, the law mandates notification to both consumers and the state Attorney General within 60 days.
Sean O’Brien, a cybersecurity researcher at Yale Law School and founder of the Yale Privacy Lab, called Cerca’s failure to notify users “disappointing” and said that beyond legal compliance, “there’s a duty to transparency,” which he believes is especially true for a dating app that “trades on trust and claims to prioritize safety.”
O’Brien emphasized that Cerca’s issues — including broken authentication and exposed APIs — fall squarely within the OWASP Top Ten security risks for web apps.
“When the data in question includes passports, sexual orientation, or private messages, mistakes don’t just cause inconvenience,” O’Brien said, “they put real people in serious danger.”
In a statement to the News, Cerca claimed that “the security and privacy of our users is our top priority.”
Schapiro, a self-described “ethical hacker,” said that his goal in pointing out Cerca’s vulnerabilities was to create a “safer internet.” He added that if he could hack the app “in five minutes as a college student, imagine what a bad actor could do.”
Among the 6,117 users Schapiro identified through his scripts were 19 students who self-reported a Yale affiliation. Schapiro, however, noted that because Cerca does not require users to fill out their school affiliation, there are likely more users from Yale.
Professor Michael Fischer, who teaches ‘Computing Then and Now: How Digital Technology Evolves,’ said that vulnerabilities like those uncovered in Cerca are disturbingly common, not just in early-stage apps, but across the digital landscape.
Developers should use best practices, but they may not be sufficient, he added. “Keeping data secure is an unsolved problem,” he said.
Schapiro’s concern also extends beyond Cerca. He pointed to broader trends in student tech: apps built with AI assistance or by teams with little security training.
“It’s really worth it to pay someone a thousand bucks and say, ‘hey, try to hack this,’” he said. “You want to catch it then, not when you have 100,000 users and someone leaks their Social Security numbers.”
The Yale Digital Ethics Center was founded in Fall 2023.