ShinyHunters swipes right on 10M records in alleged dating app data grab

Steven

ShinyHunters swipes right on 10M records in alleged dating app data grab

Summary

ShinyHunters claims it has stolen more than 10 million records tied to Match Group services, including Hinge, Match.com and OkCupid, and posted a listing on its dark-web leak site. The group points to marketing analytics provider AppsFlyer as the apparent source of the exposure. Match Group says it is investigating a “recently identified security incident,” has terminated unauthorised access, and believes the incident affects a limited amount of user data; it also says it has no indication that login credentials, financial information or private communications were accessed.

Security outlet Cybernews analysed samples and reported personal customer data, some employee details and corporate material in the haul, plus Hinge subscription records (user IDs, transaction IDs, paid amounts), IP addresses and location data. ShinyHunters also claims to have stolen data from Bumble (allegedly 30GB from Google Drive and Slack). This appears linked to a wider campaign in which ShinyHunters abused stolen Okta SSO credentials to target roughly 100 organisations.

Key Points

  1. ShinyHunters claims “over 10 million lines” of data allegedly from Match Group properties (Hinge, Match.com, OkCupid).
  2. The leak listing suggests AppsFlyer — a marketing analytics provider — may have been the source of the exposure.
  3. Match Group confirms an investigation, says unauthorised access was terminated and that sensitive items like passwords and payment details are not believed to have been accessed.
  4. Independent analysis (Cybernews) reported customer personal data, employee details, and Hinge subscription records including transaction IDs, amounts, IPs and location data.
  5. ShinyHunters also claims a separate Bumble data theft (30GB allegedly from Google Drive/Slack); Bumble has not publicly commented.
  6. The activity fits a broader ShinyHunters campaign that has abused stolen Okta SSO credentials to target about 100 organisations.
  7. Highlights the risk of third-party/marketing-analytics data flows and the potential for behavioural data to be exposed even when core credentials aren’t taken.

Why should I read this?

Short answer: because if you or your customers use swipe apps, your personal and subscription info might be circulating without you knowing. It isn’t just about awkward matches — it’s about location data, payment/tracking metadata and employee files ending up on the dark web. Read this so you know whether you should change privacy settings, watch for notifications, or push your vendor to explain what leaked.

Author note

Punchy: this is a big, messy reminder that data collected by analytics partners can be as valuable — and as risky — as core app databases. If you care about privacy or run a service relying on vendor integrations, this one’s worth the detail.

Context and relevance

The incident underlines two ongoing trends: attackers exploiting third-party suppliers and the re-use of stolen SSO credentials to broaden access. Organisations should treat marketing analytics and integrations as part of their attack surface, review vendor access controls, and tighten monitoring for unusual exports. Regulators and users will be watching how quickly affected firms notify and what data categories are confirmed exposed, given potential GDPR and other privacy implications.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/01/29/shinyhunters_match_group/