ShinyHunters claims 10M dating records from Match Group's Hinge and OkCupid


The alleged attack targets Tinder-owner Match Group's dating apps. The attackers claim they have millions of records, with the data sample revealing user IDs, transactions, IP addresses, and other sensitive information. Match Group says the company is investigating the attacker claims while AppsFlyer denied any involvement in the alleged incident.


The attack was announced by the ShinyHunters cybercrime gang, which posted the claim on its dark web leak site. Like many ransomware gangs, ShinyHunters uses a dark web forum to showcase its latest victims.


“Over 10 million records of Hinge, Match, and OkCupid usage data from Appsflyer and hundreds of internal documents,” the attackers claim on their blog.

According to the post, the stolen details include 1.7GB of compressed data. The wording of the post implies that the data comes from AppsFlyer, a popular mobile marketing analytics and attribution platform.

Hinge, Match.com, and OkCupid are all owned and operated by Match Group, a major US tech company that focuses on dating apps. Other platforms in its portfolio include Tinder and Plenty of Fish. However, the attackers don’t mention accessing data from these two apps.


Match Group told Cybernews that the company is aware of the online claims and is currently investigating the issue with external help. The company says that preliminary findings indicate that no financial data or login data was accessed.

“We are aware of claims being made online related to a recently identified security incident. Match Group takes the safety and security of our users seriously and acted quickly to terminate the unauthorized access,” Match Group's spokesperson explained.

“We continue to investigate with the assistance of external cybersecurity experts. There is no indication that user log-in credentials, financial information, or private communications were accessed. We believe the incident affects a limited amount of user data, and we are already in the process of notifying individuals, as appropriate.”

Meanwhile, AppsFlyer explained to Cybernews that the incident “did not originate from AppsFlyer, nor did it involve a data breach, security incident, or compromise of AppsFlyer’s systems.”


“Any suggestion that AppsFlyer was the source of the incident, or that data was exposed due to a compromise of AppsFlyer’s systems, is misleading and inaccurate, and may be damaging to AppsFlyer,” the company's representative said in an email.

ShinyHunters post on the dark web. Image by Cybernews.

What dating apps data was leaked?

The Cybernews research team investigated the data sample that ShinyHunters attached to its post. According to the team, the attackers uploaded a collection of samples that includes personal customer data, some employee details, and corporate information.

For example, a sample collection covering the Hinge dating app includes documents listing Hinge matches, as well as around 100 records of the matched accounts' dating profile information, such as names and bios.

There’s also Hinge subscription data, such as:

  • User IDs
  • Transaction IDs
  • Amounts paid
  • Blocked Hinge installs with IP addresses and locations

The transaction data most likely refers to users paying for additional services on the app, such as additional likes, broader access to user profiles and other information.

“The sample includes lists of dating profiles, logs of profile changes, but some documents do not indicate which dating app the records belong to. Many fields are filled with testing data and duplication. However, phone numbers and auth tokens are present as well and did not duplicate,” our researchers shared.

Sample of the supposedly leaked data. Image by Cybernews.

Our team noticed that the exposed details also include documents that appear to come from Vividi, a video-chat-based dating app catering to Indian audiences. The exposed documents, our team notes, include in-app purchase records.

While these records contain identifiers, the team believes they don’t reveal much personal information about the users.

Other sample datasets reveal OkCupid documents with what looks like information on the app's debugging process. The team also saw lists of employee emails and internal company documents, such as contracts between company partners.

How dangerous are dating apps data leaks?

The data samples included on the ShinyHunters dark web leak site are not huge, the team noted. However, the attackers likely have access to a larger dataset. So far, the dating apps data leak remains unconfirmed.

In theory, this type of leak could have serious consequences for both the brands involved and the users who had their details exposed. From a business perspective, data breaches impact user trust, which is especially important for dating apps, which deal in extremely sensitive user data.

“The data leak could have a noticeable impact on the users involved. Dating profile information can be used to craft personally catered fraud campaigns and scams that may have a stronger psychological effect than an average phishing email,” our team explained.

Has my data been leaked?

Despite handling arguably the most sensitive user details, dating apps are far from being immune to hacker attacks, data breaches and data leaks. Last year, our researchers discovered that BDSM, LGBTQ+, and sugar dating apps exposed users' private images, with some of them even leaking photos shared in private messages.

Meanwhile, last July, Tea Dating Advice, the “secure” platform for women to share sensitive information about their dates, leaked personally identifiable information (PII) on several thousand of its users.


Recently, an investigative journalist managed to infiltrate the white supremacist dating website WhiteDate and succeeded in exfiltrating over 8,000 profiles and 100GB of data, due to lax security employed by the website.

ShinyHunters ramping up

ShinyHunters is among the most aggressive cybergangs currently operating. The cybercrime collective was previously linked to multiple high-profile breaches and large-scale data theft campaigns, including last year’s Salesforce CRM data heist.

The cyberattack on Salesforce enabled numerous large-scale data thefts across hundreds of organizations, including big names ranging from Jaguar Land Rover to Google.


The gang has been particularly active over the last few months, targeting anyone from online audio streaming platform Soundcloud to predictive private company intelligence platform Crunchbase.

Some reports claim that ShinyHunters is behind an active voice phishing campaign, aimed at stealing single sign-on (SSO) credentials for Okta, Microsoft, and Google accounts.

Updated on January 29th [12:45 p.m. GMT] with a statement from AppsFlyer.

Updated on January 28th [02:45 p.m. GMT] with a statement from Match Group.
