TL;DR: On January 29, 2026, ShinyHunters claimed it stole over 10 million records from Match Group's dating apps (Hinge, Tinder, OkCupid, Match.com, and Meetic) by compromising an Okta SSO account that gave them access to AppsFlyer marketing analytics data. Separately, they hit Bumble through a vishing attack on a contractor, grabbing 30GB of internal files from Google Drive and Slack. Dating profile behavioral data, internal company documents, and limited user PII are now circulating on dark web markets. If you've used any of these apps, your swipe habits, match data, and profile information may be exposed.

Match Group: 10 Million Records Across Five Apps

ShinyHunters posted 1.7GB of compressed files on their extortion site on January 29, claiming "over 10 million records of Hinge, Match, and OkCupid usage data from AppsFlyer and hundreds of internal documents."

The stolen data spans five dating platforms under the Match Group umbrella:

  • Hinge: profile information, matched users' names and bios, match logs, profile change histories
  • Tinder: usage and tracking data via AppsFlyer analytics
  • OkCupid: user activity records and marketing analytics
  • Match.com: subscription data including user IDs, transaction IDs, payment amounts
  • Meetic: European dating service data

Data samples verified by researchers included approximately 100 Hinge profiles with full names, biographical descriptions, blocked installation records, IP addresses, and location data.

Match Group acknowledged the breach in a statement: "We are aware of claims being made online related to a recently identified security incident" and confirmed they "acted quickly to terminate the unauthorized access."

The company insists "there is no indication that user login credentials, financial information, or private communications were accessed." Maybe. But behavioral data (who you matched with, when you swiped, where you logged in from) is its own kind of exposure.

How They Got Into Match Group

ShinyHunters didn't hack Match Group directly. They went through the side door.

  1. Compromised an employee's Okta Single Sign-On account using a phishing domain: "matchinternal.com"
  2. Used the SSO credentials to access Match Group's AppsFlyer marketing analytics instance
  3. AppsFlyer contained aggregated user data from all five dating platforms
  4. Pulled 10 million records of user activity, tracking data, and internal documents

ShinyHunters initially claimed they also accessed Google Drive and Dropbox files. Match Group disputed this, stating "based on our investigation Google Drive and Dropbox files were not accessed." Whether that holds up remains to be seen. ShinyHunters has a track record of posting receipts.

This is the same Okta SSO exploitation technique ShinyHunters used in their campaign against 100+ companies earlier in January 2026. They've turned third-party identity platforms into skeleton keys.

Bumble: 30GB via a Single Contractor

Bumble got hit separately. ShinyHunters uploaded 30GB of compressed files they claimed came from Bumble's Google Drive and Slack.

A Bumble spokesperson confirmed the incident: "One of our contractor's accounts was recently compromised in a phishing incident. The account had limited access privileges."

The leaked files (thousands of internal documents marked "restricted" or "confidential") include:

  • Policy reviews and legal contracts
  • Invoices and partner agreements
  • User engagement analysis reports
  • Employee onboarding guides
  • Candidate CVs with personal information and employment histories
  • Bumble Hives group data

Bumble maintains "there was no access to our member database, member accounts, the Bumble application, or member direct messages or profiles."

The attack method? Vishing. Voice phishing. Someone called a contractor pretending to be IT support and talked them into handing over credentials. That's it. That's how you breach a billion-dollar dating company.

The Vishing Playbook

ShinyHunters has turned voice phishing into an industrial process. Here's how it works across their dating app attacks:

  1. Identify targets through LinkedIn: contractors and support staff with SSO access
  2. Call them directly, impersonating IT support or an identity vendor
  3. Create urgency: "Your account has been flagged" or "We need to verify your credentials immediately"
  4. Direct them to phishing pages that look identical to real SSO portals (like "matchinternal.com")
  5. Capture credentials in real time using man-in-the-middle infrastructure
  6. Prompt the victim to approve MFA push notifications

They even used voice-cloning technology across multiple targets. An AI that sounds like your IT director telling you to reset your password. Try saying no to that.

Push notification MFA gets bypassed every time. The victim thinks they're verifying their own login attempt. They're actually approving the attacker's.
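
A detection check for the relay pattern above, added here as an example and not taken from the original article: it flags a push approval when the login request came from a network the user has never signed in from while the approving phone sat on a different one. The event schema, the `BASELINE` table, the 120-second window and all sample values are constructed assumptions, not any vendor's log format.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=120)  # assumed max delay between push and approval

# Constructed events in a simplified, hypothetical schema.
# IPs and ASNs come from the ranges reserved for documentation.
EVENTS = [
    # Routine login: laptop on the office network, phone on a mobile carrier.
    {"ts": "2026-01-12T09:00:05", "user": "alice", "type": "push_sent",
     "ip": "192.0.2.10", "asn": 64496},
    {"ts": "2026-01-12T09:00:19", "user": "alice", "type": "push_approved",
     "ip": "203.0.113.20", "asn": 64497},
    # Relay pattern: the login request arrives from an unfamiliar network,
    # while the phone that approves it is still on the usual carrier.
    {"ts": "2026-01-14T16:31:02", "user": "alice", "type": "push_sent",
     "ip": "198.51.100.7", "asn": 64511},
    {"ts": "2026-01-14T16:31:40", "user": "alice", "type": "push_approved",
     "ip": "203.0.113.20", "asn": 64497},
]

# Networks each user's login requests normally originate from (assumed input).
BASELINE = {"alice": {64496}}


def find_relayed_approvals(events, baseline, window=WINDOW):
    """Return (user, request_ip, approval_ts) for each suspicious approval."""
    pending = {}  # user -> (timestamp, event) of the latest unanswered push
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "push_sent":
            pending[ev["user"]] = (ts, ev)
        elif ev["type"] == "push_approved" and ev["user"] in pending:
            sent_ts, sent = pending.pop(ev["user"])
            if ts - sent_ts > window:
                continue  # too late to belong to this request
            new_network = sent["asn"] not in baseline.get(ev["user"], set())
            split_path = sent["asn"] != ev["asn"]
            # A phone and a laptop often sit on different networks, so the
            # mismatch alone is noisy; require an unfamiliar request network too.
            if new_network and split_path:
                alerts.append((ev["user"], sent["ip"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for user, ip, ts in find_relayed_approvals(EVENTS, BASELINE):
        print(f"review: {user} approved a push for a login from {ip} at {ts}")
```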

Why Dating App Breaches Hit Different

A leaked email address from a retail breach is annoying. A leaked dating profile is potentially life-altering.

Dating app data reveals:

  • Sexual orientation: outed without consent
  • Relationship status: evidence of infidelity
  • Location patterns: where you've been swiping
  • Behavioral data: who you matched with, how long you talked
  • Personal preferences: answers to intimate profile questions

This data has been weaponized before. After the 2015 Ashley Madison breach, victims faced blackmail, public shaming, and job losses, and at least two suicides were linked to the exposure. The 2020 Grindr breach that exposed users' HIV status to data brokers led to a $7.2 million fine under GDPR.

Match Group says no private messages were accessed. But the behavioral metadata (who matched with whom, when, where) tells its own story. Enough of a story to blackmail someone. Enough to destroy a marriage. Enough to out a closeted person in a hostile environment.

ShinyHunters' January 2026 Rampage

Bumble and Match Group weren't isolated hits. ShinyHunters went on a tear in January 2026.

They're burning through major companies at a rate that makes them the most prolific data thieves of 2026 so far. And the playbook is always the same: compromise SSO credentials, pivot to cloud platforms, grab everything, extort, publish. The same group weaponized a Salesforce security tool to breach 400 companies using a near-identical approach.

What to Do If You Use These Apps

Change Your Passwords Now

Match Group says credentials weren't stolen. Don't trust that. Change passwords for Hinge, Tinder, OkCupid, Match.com, Bumble, and any accounts that share those passwords.

Check Your Profile Data

Review what personal info is in your dating profiles. Remove anything you wouldn't want public: real name, workplace, schools, neighborhood details.

Watch for Sextortion

Scammers buy stolen dating data and use it for targeted extortion. If someone contacts you threatening to reveal your dating activity, don't pay. Report it to the FBI's IC3.

Use Unique Email Addresses

Going forward, use email aliases (Apple Hide My Email, SimpleLogin, or Proton Mail aliases) for dating apps. Compartmentalize your identity.

If you're in a situation where exposure of your dating activity could put you in danger (abusive relationships, hostile work environments, regions where certain orientations are criminalized), take this seriously. Consider deleting your accounts and starting fresh with a privacy-focused approach.

The Real Problem

Two billion-dollar companies that hold the most intimate data imaginable (who you're attracted to, who you've matched with, what you've told potential partners about yourself) got breached because someone answered a phone call.

Match Group got hit through their marketing analytics provider. They were feeding user data to AppsFlyer for ad tracking, and that pipeline became the extraction point. Bumble got hit through a contractor who fell for a vishing call.

Neither company was hacked in the traditional sense. Nobody exploited a zero-day. Nobody broke through a firewall. A phone rang, someone picked up, and 10 million people's dating lives became public property.

Security experts recommend implementing phishing-resistant multi-factor authentication: FIDO2 hardware keys or passkeys, not push notifications. The dating apps still use the kind of MFA that ShinyHunters bypasses in its sleep.
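
Why FIDO2 keys and passkeys hold up where push approval does not, shown as an added example that is not part of the original article: a WebAuthn assertion carries the origin the browser actually visited and a hash of the relying-party ID, so one produced on a lookalike page fails the server's binding checks. `sso.example.com`, the helper names and the sample values are hypothetical; signature verification is a separate required step and is assumed to happen elsewhere.

```python
import hashlib
import json

RP_ID = "sso.example.com"                      # hypothetical relying-party ID
ALLOWED_ORIGINS = {"https://sso.example.com"}  # origins the server accepts


def check_assertion_binding(client_data_json, authenticator_data, expected_challenge):
    """Return a list of binding failures; an empty list means the checks pass.

    Verifying the signature over authenticator_data || SHA-256(client_data_json)
    is still required and is not shown here.
    """
    if len(authenticator_data) < 37:  # rpIdHash(32) + flags(1) + counter(4)
        return ["authenticator data too short"]
    problems = []
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        problems.append("wrong type")
    if client.get("challenge") != expected_challenge:
        problems.append("challenge mismatch")
    # The browser, not the page, writes the origin, so a phishing page
    # cannot claim to be the real portal.
    if client.get("origin") not in ALLOWED_ORIGINS:
        problems.append("origin mismatch")
    # The authenticator scopes the credential to the RP ID it was asked about.
    if authenticator_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        problems.append("rpIdHash mismatch")
    if not authenticator_data[32] & 0x01:  # UP flag: user presence
        problems.append("user not present")
    return problems


def sample_assertion(origin, rp_id, challenge):
    """Constructed stand-in for what a browser and authenticator emit."""
    client = json.dumps({"type": "webauthn.get", "challenge": challenge,
                         "origin": origin}).encode()
    auth = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + bytes(4)
    return client, auth


if __name__ == "__main__":
    challenge = "Y29uc3RydWN0ZWQ"  # constructed value
    genuine = sample_assertion("https://sso.example.com", RP_ID, challenge)
    relayed = sample_assertion("https://matchinternal.com", "matchinternal.com", challenge)
    print("genuine:", check_assertion_binding(*genuine, challenge))
    print("relayed:", check_assertion_binding(*relayed, challenge))
```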
