A popular massage-booking app left thousands of customer records exposed, including complaints about those who had asked for sexual favours.
Urban, previously known as Urban Massage, left its online database containing 309,000 customer profiles unsecured, a security researcher found.
Among the records were allegations of sexual assault, linked to identifiable individuals.
Urban said it was investigating the problem and took the database offline.
The problem was discovered by researcher Oliver Hough, who shared the discovery with news site TechCrunch.
“This data could literally have led to some serious blackmail,” he wrote on Twitter.
The data included thousands of complaints from therapists, detailing clients who had asked for sexual services or genital massages.
Some clients were labelled as “dangerous” and some were blocked because of ongoing police investigations.
The complaints included each client’s name, address and telephone number.
TechCrunch informed Urban of the problem and the company took the database offline.
The company said it was investigating whether anybody other than the security researcher had discovered or accessed the database.
Chief executive Jack Tang said he had informed the UK’s Information Commissioner of the breach and would also inform its customers.