Conservative MPs including Boris Johnson have had their phone numbers and other personal details revealed by the party’s conference app.
A Guardian columnist highlighted the security breach on Twitter and the BBC was also able to access private details of people attending the event.
The Conservative Party apologised for “any concern caused” and said “the technical issue has been resolved”.
The Information Commissioner’s Office said it would be making inquiries.
BBC political correspondent Chris Mason said the technical glitch was “deeply, deeply embarrassing” for the party.
The Guardian’s Dawn Foster, who is attending the conference, tweeted about the security breach and said she had been able to access the former foreign secretary’s personal details, including his mobile phone number.
She shared a redacted picture of Mr Johnson’s profile, which did not reveal his phone number.
It appears that people could access an MP’s personal details by entering their email address, without a password, when pressing the attendee’s button in the app.
This button has since been removed on the app, which was created by Australian firm Crowd Comms.
Conservative Party chairman Brandon Lewis said the app was “now functioning securely” and the party would be “investigating the issue further”.
On Thursday the Evening Standard reported Mr Lewis was set to “unveil the first ‘interactive’ conference app” on Sunday in a bid to overhaul the Conservatives image, and appealing to the younger voter.
Theresa May arrives at #CPC18 in Birmingham – faced with shouts of “have you checked out the conference app?” … the Tories will want a glitch free few days – this data breach is not a good start pic.twitter.com/KLdF37Hrtf
— Rob Powell (@robpowellnews) September 29, 2018
End of Twitter post by @robpowellnews
Prime Minister Theresa May, who was arriving at the conference in Birmingham, ignored questions from reporters about the security blunder.
The Press Association said the details of Environment Secretary Michael Gove had also been shared online.
‘A bumpy start to a bumpy conference’
By Chris Mason, BBC political correspondent, in Birmingham
On the very day Business Secretary Greg Clark expressed concern about Facebook’s security breach, the Conservative Party has had to say sorry for its own.
This conference hasn’t even started yet, but officials are already rattled.
One Conservative source described it to me in very colourful, unbroadcastable terms, in a text message he sent me by accident.
Was this a breach of national security? No. Was it an unforced error the party could do without, and a bumpy start to what was already likely to be a bumpy conference? Yes.
And this may well not be the end of it, with the Information Commissioner’s Office now involved.
Pictures on Twitter show people apparently changing individuals’ profile pictures and leaving messages on the app’s internal messaging system.
One Twitter user posted a snapshot of Mr Gove’s profile picture, which had been changed to a snap of media mogul Rupert Murdoch.
Mr Gove previously worked as a journalist at The Times, one of Mr Murdoch’s papers.
The Information Commissioner’s Office (ICO) said it would be making inquiries about the breach and added that “organisations have a legal duty to keep personal data safe and secure”.
The ICO’s statement added under the EU’s new GDPR regulation, the Conservative Party has 72 hours to notify the regulator of a personal data breach that “could pose a risk to people’s rights and freedoms”.
One of Labour’s shadow cabinet, Jon Trickett, criticised the Conservatives for the breach and said: “How can we trust this Tory government with our country’s security when they can’t even build a conference app that keeps the data of their members, MPs and others attending safe?”
Labour’s grassroots campaign group Momentum said their party’s app had been developed by a team of volunteers, adding: “I’m sure they’d be happy to give the Tories a few tips next year.”
The Conservative Party conference is being held in Birmingham and is due to start on Sunday.