Gay dating app Jack'd will pay $240,000 (£189,000) after exposing members' private intimate photos publicly on the internet.
Anyone with a web browser who knew where to look could access millions of private photos, even if they did not have a Jack'd account.
New York Attorney General Letitia James said the app invaded users' privacy.
Online Buddies, which owns the app, failed to fix the problem for a year after being warned by a researcher.
Cyber-security researcher Oliver Hough reported the flaw to Jack'd in February 2018 but the company only implemented a fix in February 2019.
Ms James said: "The app put users' sensitive information and private photos at risk of exposure and the company didn't do anything about it for a full year just so that they could continue to make a profit."
The attorney general said she had reached a settlement with Online Buddies, which will pay the $240,000 to New York state.
It has also promised to implement a "comprehensive security programme" to protect its users.
Jack'd has been downloaded more than five million times on the Google Play app store.
It lets members add "private" photos to their profile, which should be visible to only specific people they have chosen to share them with.
However, researcher Oliver Hough found that all the photos shared in the app were uploaded to the same open web server, leaving them exposed.
In February, BBC News saw evidence that private photos were still available on the web.
"They acknowledged my report but then just went silent and did nothing," Mr Hough told BBC News.
"A journalist contacted them in November and they did the same."
The company has not responded to a BBC request for comment.