Grindr says "no unauthorized access" detected after alleged data leak surfaces


A handful of alleged Grindr user records just surfaced on a cybercrime forum, putting users at risk of credential stuffing attacks. The company states that there was no "unauthorized access."

Key takeaways:

A dataset allegedly containing Grindr user information has surfaced on a cybercrime forum. Attackers alleged that a wide range of sensitive personal and technical data was exfiltrated and is now up for sale.

The threat actor shared 18 sample records to support their claims. Cybernews researchers reviewed the listing and observed that the exposed information includes:

  • Full names
  • Dates of birth
  • Usernames
  • bcrypt password hashes
  • SHA256-hashed phone numbers
  • Detailed profile descriptions
  • Geolocation data
  • Account timestamps
  • Device information

Some of the timestamps in the sample data appear to be notably recent, with the newest entries dated May 2026. This suggests the dataset may not be purely historical and could include actively or recently generated records.

Our researchers also noted that most email addresses in the sample appear valid, with no immediate indication that similar datasets have been widely circulated elsewhere.

The price tag is too low

The threat actor did not specify the total number of records allegedly included in the dataset. However, the listing is priced at around $400, which researchers suggest may indicate a relatively small or narrowly scoped dataset rather than a large-scale breach.

“This data could’ve been gathered from already compromised accounts, or from some sort of third-party provider that handles Grindr data,” researchers noted.

Password hashes put user accounts at risk

The presence of password hashes significantly increases the potential risk associated with the leak.

Although bcrypt and SHA256 hashes are not directly readable, they can be subjected to offline cracking attempts, particularly when users reuse passwords across multiple platforms.

This creates an additional threat vector beyond the platform itself. If a cracked password has been reused elsewhere, attackers could attempt credential stuffing attacks against other online services where affected users may hold accounts.

“Since people still tend to reuse the same passwords in many places, this info could be used in credential stuffing attacks of other services these people might’ve been registered in. Also, there could be an increase in some phishing emails for the affected users,” our researchers explained.

Cybernews has reached out to Grindr for comment. The company's spokesperson said that the company has "found no credible evidence of unauthorized access to or a breach of Grindr's systems."

"Based on our investigation to date, it is not clear that this allegation is legitimate," the company's spokesperson said.

Dating apps' security loopholes expose users

Dating apps have been a jackpot for threat actors, as they often hold large amounts of users' most private and explicit data, which can be exploited in various fraud and phishing campaigns.

The world’s second most popular dating app, Bumble, recently fell victim to ShinyHunters. The hackers claimed to have stolen 30GB of Bumble data via a contractor phishing attack targeting Google Drive and Slack. Bumble confirmed the phishing attack but denied that user data was compromised.

Just this week, threat actors posted claims on a cybercrime forum that they were selling Bumble user data. The allegedly stolen data is claimed to include 32 million user records.

Previously, 85,000 user records of the Meet and Chill dating site were leaked on a hacker forum, including private user messages and photos.

Cybernews in-house research revealed that a hookup app, Headero, leaked over 4 million private records, including exact GPS locations, sexual preferences, and explicit chats.

The LGBTQ+ community has also been the target of cyber incidents, with Cybernews researchers uncovering major security flaws that exposed the user data of the iOS app Gay Daddy.

Multiple iOS dating apps used by LGBTQ+, BDSM, and sugar dating communities were found exposing up to 1.5 million user images, including photos shared in private messages, which were left publicly accessible to anyone.

Updated on June 5th [5:00 p.m. GMT+2] with a statement from Grindr.

