ocupid data hacker forum — Image by Cybernews.

Attackers claim that they gained “privileged access” to the dating site, which allowed them to steal personal information from every single user on the OkCupid platform. While the data sample points to real users, researchers aren’t sure about the true extent of the alleged data breach. The company says the attacker claims are factually inaccurate.

Hackers claim they accessed OkCupid's internal API and stole personal data from all 35 million platform users.
The limited sample includes dating profiles, personally identifiable information, and bcrypt password hashes from legitimate OkCupid accounts.
Researchers cannot verify the full scale of the breach and suspect data may be aggregated from previous incidents.
OkCupid says the claims are inaccurate and that the company doesn't even store information attackers claim they stole.

Key Takeaways by nexos.ai, reviewed by Cybernews staff.

The alleged details stolen from OkCupid appeared on a popular data leak forum used by cybercriminals to trade stolen data. The post’s authors claim they managed to wiggle their way into OkCupid’s system and steal information on millions of users of the US-based dating site.

“Some colleagues and I gained privileged access to OkCupid’s internal API, which allowed us to scrape the personal (registration) information of all the app’s users,” reads the attackers’ post.

In essence, the attackers claim they managed to get into OkCupid’s back-end system and copy everything they found there. OkCupid says it has over 30 million users, corresponding to attackers’ claims that they accessed 35 million users’ records.

Meanwhile, OkCupid told Cybernews the attacker claims “actually inaccurate.”

“The sample includes details that OkCupid does not collect or store, and the information provided does not match actual OkCupid account records. We have found no evidence of a breach of OkCupid systems related to these claims,” OkCupid spokesperon explained.

okcupid data leak post — Attackers' post on a data leak forum. Image by Cybernews.

What’s inside the alleged OkCupid data leak?

The Cybernews research team investigated the attackers’ claims, noting the post’s authors attached a limited data sample to the alleged data leak. According to the team, the sample included only 8 sample records, which reveal:

Detailed dating profile information
Personally identifiable information (PII)
Bcrypt password hashes

“All of the emails included in the data sample appear to be legitimate. We can confirm that they appeared in previous data breaches involving other services. However, we cannot confirm that the leak includes 35 million users,” our team explained.

If the attackers are telling the truth, they may have gained “privileged access” after compromising an account owned by an OkCupid developer or a database administrator. Another point of entry may have been the API itself, but there’s no way to reliably check such claims.

“Since there’s no way to uncover how the information was obtained, we remain skeptical about the attacker's claims. Moreover, since all of the emails in the sample appeared in data breaches before, this could just be aggregated data from previous incidents,” the researchers explained.

Why is exposing dating profile data dangerous?

Few online platforms demand more data protection than dating sites. For one, attackers can use stolen dating profile information to impersonate individuals on other dating services, in essence stealing users’ identities.

More damningly, malicious actors may try to focus on LGBTQ+ individuals who live in territories where sexual openness is not tolerated, or users themselves are not open about their sexuality.

Strong password generator

Upgrade the security of your online accounts.

Create strong passwords that are completely random and impossible to guess.

Convenient way to secure and use all your passwords. Now 72% OFF!

Get NordPass

Armed with this type of information, attackers may attempt to blackmail individuals, demanding payment to keep the information private.

Users may also face an increased risk of phishing emails and credential-stuffing attacks, as malicious actors may focus on decrypting bcrypt hashes to access user passwords. While it’s unlikely a strong password would crack, an easy password would crack more quickly.

Dating app data leaks are not uncommon

Despite the sensitive nature of the information that dating apps store, data leaks involving such services are not uncommon. For example, last year, Cybernews revealed that a hookup app, Headero, leaked over 4 million records, including exact GPS locations, sexual preferences, and explicit chats.

The LGBTQ+ community has also been the target of cyber incidents, with our researchers uncovering major security flaws that exposed the user data of the iOS app Gay Daddy.

Don't miss our latest stories on Google News. Add us as your Preferred Source on Google

Multiple iOS dating apps used by LGBTQ+, BDSM, and sugar dating communities were found exposing up to 1.5 million user images, including photos shared in private messages, which were left publicly accessible to anyone.

Meanwhile, hackers don’t shy away from bold claims about breaching popular dating apps. In early June, we wrote about claims by an attacker of an alleged Bumble data leak involving info on 32 million users.

The same week, another group of hackers claimed they had gained access to Grindr user records. However, Grind told Cybernews that there was no “unauthorized access.”