A flaw that left the personal data of thousands of users of a virtual reality porn app exposed has been fixed.
British cybersecurity firm Digital Interruption uncovered a loophole in the SinVR app that gave it access to 20,000 user names and email addresses.
SinVR thanked it for highlighting the issue and promised to improve security.
"Altogether, it has been a tremendous learning experience," the US-based company told tech site Alphr.
"Moving forward, we are confident in our ability to stop similar attacks and will keep using a professional security service to audit our system."
SinVR is a pornographic virtual reality game which lets users explore various adult-themed environments and interact with virtual characters.
It works with most major VR headsets including the HTC Vive and Oculus Rift.
In a blog post, Digital Interruption said it had decided to go public after SinVR's parent company, inVR, did not respond to emails about the app's flaws.
The cybersecurity firm, which had been reviewing the security of several adult-themed websites, said it accessed the personal data of everyone with a SinVR account as well as anyone who paid for content using PayPal.
Passwords and credit card details were not exposed in the hack, it said.
"Due to the nature of the application, it is potentially quite embarrassing to have details like this leaked," Digital Interruption wrote in its blog post.
"It is not outside the realm of possibility that some users could be blackmailed with this information."
It's not the first time the personal data of those who visit porn sites has been exposed.
In 2016 the names of almost 800,000 registered users of porn site Brazzers were exposed in a data breach.
And last year, German researchers claimed to have accessed the porn-browsing habits of members of the public by reverse-engineering online data used for targeted advertising.