Dating-app giants investigate incidents after cybercriminals claim to steal data

Dating app companies Bumble and Match Group recently responded to cybersecurity incidents that have been claimed by a well-known cybercrime group.

Bumble said it contacted law enforcement after a contractor’s account was compromised in a phishing attack, resulting in what it described as brief unauthorized access to a small portion of its network.

The company’s spokesperson told Bloomberg that the access had since been terminated and did not affect its member database, user accounts, the Bumble application, private messages or dating profiles.

Match confirmed to Bloomberg earlier this week that it had experienced a cybersecurity incident involving a limited amount of user data and said it was notifying affected customers. A company spokesperson said there was no indication that login credentials, financial information or private communications were accessed.

Bumble and Match did not respond to requests for comment from Recorded Future News.

The ShinyHunters cybercrime group reportedly leaked thousands of internal Bumble documents, including files marked restricted or confidential, which they said were sourced primarily from Google Drive and Slack.

ShinyHunters also claimed to have accessed 10 million records belonging to Match, which operates dating services including Tinder, Hinge and OkCupid. The group posted the claims on its dark web leak site.

Researchers at Cybernews said they reviewed data samples attached to ShinyHunters’ post and found they included personal customer information, some employee details and internal corporate data.

One sample linked to the Hinge dating app contained documents listing matches, along with roughly 100 records of matched users’ profile information, including names and biographical descriptions, the researchers said. Other files included lists of dating profiles and logs of profile changes, though some records did not clearly identify which app they belonged to and contained duplicated or test data.

ShinyHunters is a financially motivated threat actor known for high-impact campaigns targeting major companies in the insurance, retail and aviation sectors.

Earlier in September, the FBI warned that hackers linked to ShinyHunters were extorting organizations for large ransoms after stealing data from cloud software provider Salesforce. The group has also recently claimed an attack on data analytics firm Mixpanel, which it said allowed access to platforms such as Pornhub.

Dating apps have increasingly become targets for cybercriminals due to the sensitive personal data they hold.

In July, Tea — an app that allows women to anonymously review dates — said hackers accessed about 72,000 user images, including selfies submitted for identity verification. In September, Brazilian dating app Sapphos shut down after users discovered a flaw that reportedly exposed sensitive personal data.