Feb 02, 2026
Dating App Giants Investigate After ShinyHunters Claims 10 Million Records
Bumble and Match Group confirm security incidents as the notorious cybercrime group posts samples of user data and internal documents online.
The two largest players in online dating are investigating cybersecurity incidents after ShinyHunters, a notorious cybercrime group, claimed to have stolen data from both companies. Match Group, which operates Tinder, Hinge, and OkCupid, confirmed that attackers accessed a "limited amount of user data." Bumble acknowledged "brief unauthorized access to a small portion of its network" through a compromised contractor account.
ShinyHunters claims to have stolen 10 million records from Match Group and thousands of internal documents from Bumble, including restricted files from Google Drive and Slack. Security researchers who examined posted samples found they contained personal customer information, employee details, and corporate data.
What Data Was Exposed
The scope of the breaches differs between the two companies. At Match Group, ShinyHunters claims to have obtained 10 million records from services including Tinder, Hinge, and OkCupid. Researchers who verified samples found one Hinge dataset containing roughly 100 records of matched users' profile information, including names and biographical descriptions.
At Bumble, the attackers appear to have focused on internal corporate data rather than user information. The posted samples include thousands of documents marked restricted or confidential from the company's Google Drive and Slack systems.
Both companies emphasized that core user data remained unaffected. Bumble stated there was "no impact to member database, accounts, or private messages." Match said there was "no indication that login credentials, financial information or private communications were accessed."
Who Is ShinyHunters
ShinyHunters is a financially motivated cybercrime group that has been active since at least 2020. The FBI has previously warned that the group targets major companies across multiple sectors, including insurance, retail, and aviation, and extorts organizations after stealing data.
The group is known for:
- Targeting cloud infrastructure and contractor accounts
- Selling stolen data on dark web marketplaces
- Demanding ransom payments to prevent data publication
- High-profile breaches at Microsoft, Tokopedia, and Pixlr
The group typically uses phishing attacks to compromise employee or contractor credentials, then moves laterally through cloud systems to access sensitive data. This matches Bumble's description of its incident starting with a contractor's compromised account.
Why Dating App Data Is Valuable
Dating app data is particularly sensitive because it can reveal information users may not want exposed. Profile information often includes:
- Sexual orientation and relationship preferences
- Religious and political beliefs
- Location data and movement patterns
- Personal photographs and conversations
- Real names linked to dating profiles
This data can be used for blackmail, sextortion, stalking, and targeted phishing attacks. In some countries, exposure of certain dating app activity could lead to legal consequences or social harm for users.
The Contractor Vulnerability
Bumble's disclosure that the breach originated from a phished contractor account highlights a persistent vulnerability in enterprise security. Third-party contractors often have access to internal systems but may not be subject to the same security training and monitoring as full-time employees.
This pattern has repeated across major breaches. Attackers know that targeting the supply chain is often easier than attacking a company directly. A contractor with access to Google Drive and Slack can be as valuable a target as a senior employee.
For organizations, this means security assessments must extend to anyone with system access, not just employees. For users, it means that even companies with strong internal security can be compromised through their extended network of partners and contractors.
What Users Should Do
If you use Tinder, Hinge, OkCupid, Bumble, or related apps, take these precautions:
- Change your password and enable two-factor authentication if available
- Review your profile for any information you would not want exposed publicly
- Consider removing photos that could be used to identify you elsewhere online
- Be alert for phishing messages that reference your dating activity
- Check if your email appears in breach databases using services like Have I Been Pwned
Both companies claim that private messages and login credentials were not accessed. However, until independent verification is complete, it is prudent to assume some data may have been compromised. Attackers often have more data than they initially post as samples.
The Bigger Picture
These incidents come as dating apps face increasing scrutiny over their data practices. Users trust these platforms with highly personal information, yet breaches continue to expose how vulnerable that data remains. The concentration of the dating app market, with Match Group controlling most major apps, means a single breach can affect users across multiple services.
ShinyHunters' continued activity also demonstrates the limits of law enforcement against cybercrime groups. Despite FBI warnings and ongoing investigations, the group continues to successfully target major corporations. Until the economics of cybercrime change, users should assume their data will eventually be compromised and limit what they share accordingly.