Only women appear to have been targeted, according to Gizmodo.

The images were discovered by cybersecurity firm White Ops and were accompanied by a text file containing about 16,000 unique Tinder user IDs.

It’s unclear what the images were being used for but there are concerns they could be used for illegal acts, to target users, generate fake profiles or possibly to train a facial recognition product.

A Tinder official told Gizmodo that since the incident, the company had invested extra resources to address misuse of the app but did not reveal the specific measures.

It comes as dating apps like Tinder, as well as Grindr and OkCupid were found to have been leaking personal information to advertising tech companies in possible violation of European data privacy laws, a Norwegian consumer group said in a report Tuesday.

The Norwegian Consumer Council said it found “serious privacy infringements” in its analysis of how shadowy online ad companies track and profile smartphone users.

The council, a government-funded nonprofit group, commissioned cybersecurity company Mnemonic to study 10 Android mobile apps.

It found that the apps sent user data to at least 135 different third party services involved in advertising or behavioural profiling.

“The situation is completely out of control,” the council said, urging European regulators to enforce the continent’s strict General Data Privacy Regulation, or GDPR.

It said the majority of the apps did not present users with legally-compliant consent mechanisms.

The council took action against some of the companies it examined, filing formal complaints with Norway’s data protection authority against Grindr, Twitter-owned mobile app advertising platform MoPub and four ad tech companies.

Grindr sent data including users’ GPS location, age and gender to the other companies, the council said.

Twitter said it disabled Grindr’s MoPub account and is investigating the issue “to understand the sufficiency of Grindr’s consent mechanism.”

Period tracker app MyDays and virtual makeup app Perfect 365 were also among the apps sharing personal data with ad services, the report said.

IAC, owner of Tinder and OkCupid, said the company shares information with third parties only when it is “deemed necessary to operate its platform” with third party apps.

The company said it considers the practice in line with all European and US regulations.

The US doesn’t have federal regulation like the GDPR, although some states, notably California, have enacted their own laws.

Nine civil rights groups, including the American Civil Liberties Union of California, the Electronic Privacy Information Center, Public Citizen and US PIRG sent a letter to the Federal Trade Commission, Congress and state attorneys general of California, Texas and Oregon asking them to investigate the apps named in the report.

“Congress should use the findings of the report as a road map for a new law that ensures that such flagrant violations of privacy found in the EU are not acceptable in the US,” the groups said in a statement.

The FTC confirmed it received the letter but declined to comment further. The creators of the MyDays, Perfect 365 and Grindr apps did not immediately respond to requests for comment.

— with AAP