A popular massage-booking app left thousands of customer records exposed, including complaints about those who had asked for sexual favours.
Urban, previously known as Urban Massage, left its online database containing 309,000 customer profiles unsecured, a security researcher found.
Among the records were allegations of sexual assault, linked to identifiable individuals.
Urban said it was investigating the problem and took the database offline.
The problem was discovered by researcher Oliver Hough, who shared the discovery with news site TechCrunch.
“This data could literally have led to some serious blackmail,” he wrote on Twitter.
The data included thousands of complaints from therapists, detailing clients who had asked for sexual services or genital massages.
Some clients were labelled as “dangerous” and some were blocked because of ongoing police investigations.
The complaints included each client’s name, address and telephone number.
TechCrunch informed Urban of the problem and the company took the database offline.
Chief executive Jack Tang said he had informed the UK’s Information Commissioner of the breach and would also inform its customers.
In a statement, the company said: “We immediately closed the potential vulnerability and have taken all appropriate action, including by notifying users and the ICO.
“The researcher has now confirmed to us that he did not copy or retain any data and that he did not pass anything to anyone else other than the journalist. That was the only access we are aware of.
“We would like to apologise to anyone potentially affected and continue to investigate this matter as a priority.”
An ICO spokeswoman said: “We are aware of this potential incident and we will assess the information we receive against data protection laws, before deciding whether or not to investigate.”