32M Bumble users’ data leaked online, hackers claim
Millions of alleged user records from the popular dating app Bumble have been posted on a data leak forum. While a group is claiming responsibility for the attack, which exposed personal data, our team is not convinced the cybercrooks are telling the truth.
-
Hackers claim to have leaked personal data from 32 million Bumble dating app users on a cybercrime forum.
-
Cybernews researchers express skepticism due to small data samples, suspicious seller profile, and low asking price.
-
Allegedly exposed data includes emails, bcrypt password hashes, names, birth dates, employment, location, and political beliefs.
-
If legitimate, the leak could enable phishing attacks, identity theft, credential stuffing, and personalized social engineering scams.
Attackers posted the Bumble data leak announcement on a popular data leak forum, typically used to share stolen user details. According to the post, the dataset includes “fresh” information on 32 million Bumble users.
Bumble, a popular dating platform with hundreds of millions of downloads on Google Play Store, has over 40 million active users, indicating that the claimed Bumble data leak, if true, exposed nearly all of the app’s users.
We have reached out to Bumble for comment and will update this article once we receive a reply.
Bumble data leak: What do the attackers claim?
According to the attackers’ post, the dataset reveals personally identifiable information (PII) of over 32 million users of the dating app. The allegedly exposed details include:
- Email addresses
- Authentication data
- Full names
- Dates of birth
- Employment information
- Education
- Location
- Habits
- Political and religious beliefs
- Linked Instagram or Spotify accounts
Meanwhile, our research team investigated the attackers’ claims, noting that the post’s author included 27 sample records, a far cry from the alleged 32 million Bumble users’ data claims. However, the sample did reveal details that the malicious actors described in the data leak forum post.
While most of the data points contain personal information, one detail could prove more damaging – the data sample included bcrypt hashes. However, according to the team, the sample is too small to make far-reaching conclusions.
“The data sample did include so-called bcrypt hashes, which could lead to users’ passwords getting exposed. However, they were marked as auth, which could mean that the data point either relates to passwords or sessions tokens. It’s just not clear, based on the sample,” our team explained.
The team was skeptical of the alleged Bumble data leak, noting that it's impossible to verify how many users were exposed, as the malicious actors only revealed 27 records.
Moreover, the attackers’ data leak forum profile was recently created, which is often an indication of a throwaway account. Another red flag is the relatively low price for the dataset, which allegedly includes nearly all Bumble users.
“At first, we thought the attacker may be attempting to sell data revealed in ShinyHunters’ Bumble attack. However, the dataset ShinyHunters shared mostly contained company documents, rather than user information,” the team said.
The Cybernews community is talking about this. Be a part of the conversation.
Earlier this year, ShinyHunters added the popular dating app Bumble to its latest victims, claiming that most of the data was taken from cloud services the company uses. The leaked data included a list of Bumble groups, called Hives.
To test whether the emails shared in the alleged Bumble data leak sample were generated by AI tools, the team checked whether they were included in previous data breaches, finding that the email addresses appear to be legitimate.
If the Bumble data leak is confirmed, it would increase cybersecurity risks for exposed individuals. For one, threat actors could use the data for targeted social engineering attacks, such as phishing and impersonation.
Check if your data has been leaked
Cybercrooks may also use dating profile data, including personal interests, names, and habits, to construct detailed identity profiles that can be exploited for highly personalized scams. For example, attackers can craft messages that trigger victims’ interests and coax them into downloading malware.
“Most concerning, however, are the bcrypt hashes. If they represent passwords and if they have not been rotated, this type of data can be used for credential stuffing attacks,” our researchers explained.
Hackers love targeting dating apps
Few online services demand more privacy than dating apps, something that threat actors are fully aware of. Stealing highly personal information may reap juicy benefits, which places a massive target on dating service providers’ backs.
Earlier this year, attackers claimed they had obtained millions of records stolen from the Tinder-owner March Group’s dating apps, with the data sample revealing user IDs, transactions, IP addresses, and other sensitive information.
At the same time, investigators infiltrated the white supremacist dating website WhiteDate and exfiltrated over 8,000 profiles and 100GB of data. Photos and other sensitive details were made public.
In 2025, the Tea app, also known as Tea Dating Advice, which allows women to share their dating experiences and conduct background checks on men they’re seeing, was hacked, exposing users’ personal data, uploaded selfies, and IDs.
Unlock more exclusive Cybernews content on YouTube.
