A London-based popular massage-booking app left its online database containing 309,000 customer profiles unsecured, the media reported.
Urban, previously known as Urban Massage, left its Google-hosted ElasticSearch database online without a password.
Among the records were allegations of sexual assault, linked to identifiable individuals, the BBC reported on Wednesday.
The problem was discovered by researcher Oliver Hough, who shared the discovery with news site TechCrunch.
The database also contained more than 2,000 records on Urban massage therapists, including their names, email addresses and phone numbers, according to the TechCrunch report.
But it did not leak any financial information -- such as credit cards or individual account passwords.
Many records also included allegations of sexual misconduct by clients -- such as asking for "massage in genital area" and requesting "sexual services from therapist."
"This data could literally have led to some serious blackmail," Hough wrote on Twitter.
Urban said it took the database offline, and was investigating the issue.