PROBABLYPWNED
Data Breaches | February 2, 2026 | 5 min read

ShinyHunters Leaks 10M Records from Tinder, Hinge, OkCupid

Match Group confirms breach after ShinyHunters dumps 1.7GB of user data. Attackers used voice phishing to compromise an Okta SSO account.

Sarah Mitchell

Match Group, the company behind Tinder, Hinge, OkCupid, and Match.com, confirmed a data breach after the ShinyHunters threat group leaked 1.7 GB of compressed files containing approximately 10 million user records. The attackers didn't exploit a technical vulnerability—they called someone on the phone.

The breach surfaced on BreachForums on January 27, 2026, when ShinyHunters posted what they claimed was data from multiple Match Group dating platforms. Match Group acknowledged the incident two days later, stating that hackers had stolen "a limited amount of user data" through unauthorized access to internal systems.

What Happened

ShinyHunters compromised Match Group through voice phishing—a social engineering attack where attackers impersonate IT support or other trusted parties over the phone. They targeted employees with access to Okta single sign-on (SSO) accounts, eventually convincing someone to provide credentials or approve a malicious authentication request.

Once inside the SSO environment, attackers pivoted to Match Group's AppsFlyer instance—a marketing analytics platform that tracks user acquisition and advertising attribution across apps. AppsFlyer held the user data that ultimately ended up on the dark web.

Security researchers identified a phishing domain at matchinternal.com that appeared connected to the campaign. The domain mimicked Match Group's internal systems, likely serving as a landing page for credential harvesting or as a callback number for vishing calls.

This attack pattern mirrors techniques ShinyHunters and other groups have used recently. We covered a similar SSO-targeting vishing campaign in January that hit Crunchbase and Betterment using nearly identical methods.

What Data Was Exposed

The leaked dataset contains user records from Hinge, Match.com, and OkCupid. Match Group's investigation found the exposed data included:

  • Unique advertising identifiers (device IDs used for ad targeting)
  • Internal corporate documents
  • Financial invoices and receipts
  • User tracking data from marketing systems

Match Group stated that login credentials, financial information, and private messages were not accessed during the breach. The company disputed ShinyHunters' claims that Google Drive and Dropbox cloud storage were compromised.

That said, advertising IDs can be sensitive. These identifiers track user behavior across apps and can potentially be cross-referenced with other datasets to deanonymize individuals. For users of dating apps—where privacy is particularly important—any data exposure carries real risk.

ShinyHunters: A Repeat Offender

ShinyHunters has been responsible for some of the largest data breaches of recent years. The collective targets high-value organizations, steals data, and monetizes it through extortion and dark web sales. Their portfolio includes attacks on Microsoft, Tokopedia, Wishbone, and dozens of other companies.

The group favors credential theft and SSO compromise over technical exploitation. Why spend time finding zero-days when you can just ask someone for their password? Vishing attacks exploit the human element—employees who want to be helpful, who don't want to inconvenience a caller claiming to be from IT. For a deeper understanding of how phishing attacks work and how to spot them, see our guide on phishing types and prevention.

Match Group joins a growing list of companies that learned this lesson the hard way. Multi-factor authentication helps, but it's not bulletproof when attackers can convince users to approve push notifications or read back one-time codes.

Match Group's Response

A company spokesperson said Match Group "takes the safety and security of our users seriously and acted quickly to terminate the unauthorized access." The organization launched an investigation with external cybersecurity experts and began notifying affected individuals.

Match Group operates in a particularly sensitive space. Dating apps collect information that users might not want publicly associated with them—relationship status, sexual orientation, personal preferences, location data. Even "limited" breaches can have outsized impact when the underlying data is inherently private.

Users of Tinder, Hinge, OkCupid, and Match.com should watch for targeted phishing attempts that leverage leaked information. If attackers know you use a specific dating app, they can craft convincing lures referencing your account. These secondary attacks are common after major breaches—the recent MongoDB exposure showed how quickly attackers weaponize leaked data for follow-on campaigns.

Protecting Against Vishing Attacks

The Match Group breach highlights how social engineering remains one of the most effective attack vectors. Organizations can deploy all the technical controls they want, but a well-crafted phone call can bypass them.

Defensive measures that help:

  1. Out-of-band verification - When someone calls claiming to be IT support, hang up and call back using a known-good number from the company directory
  2. Phishing-resistant MFA - Hardware security keys and passkeys resist the credential theft techniques vishing attackers rely on
  3. Employee training - Regular awareness programs that specifically cover voice phishing scenarios, not just email-based attacks
  4. SSO monitoring - Alert on unusual authentication patterns, new device enrollments, or access from unexpected locations
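
One way to implement the SSO monitoring in item 4, as an added example that is not from the original article, Match Group or Okta: a correlation pass that flags MFA enrollment or sign-in from a source IP the user has never used, then flags app access from that same IP shortly afterwards. The event type names are Okta System Log types; the flattened tuple layout, the 30-minute window and all users, IPs and app names are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window, tune per environment
FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample events: (published, eventType, actor, source IP, target app).
# Flattened from the nested System Log shape; users, IPs and app names are made up.
EVENTS = [
    ("2026-01-05T09:00:00Z", "user.session.start", "alice@example.com", "198.51.100.10", None),
    ("2026-01-05T09:05:00Z", "user.authentication.sso", "alice@example.com", "198.51.100.10", "Email"),
    ("2026-01-06T10:00:00Z", "user.session.start", "bob@example.com", "192.0.2.5", None),
    ("2026-01-06T10:01:00Z", "user.mfa.factor.activate", "bob@example.com", "192.0.2.5", None),
    ("2026-01-12T14:00:00Z", "user.mfa.factor.activate", "alice@example.com", "203.0.113.77", None),
    ("2026-01-12T14:02:00Z", "user.session.start", "alice@example.com", "203.0.113.77", None),
    ("2026-01-12T14:05:00Z", "user.authentication.sso", "alice@example.com", "203.0.113.77", "Marketing Analytics"),
    ("2026-01-12T14:06:00Z", "user.authentication.sso", "alice@example.com", "198.51.100.10", "Email"),
]

def detect(events):
    """Return (user, reason, detail) alerts for new-source enrollments,
    new-source sign-ins, and app access that follows either one."""
    known = {}    # user -> source IPs seen in unflagged events (baseline)
    suspect = {}  # user -> (time, IP) of the latest flagged event
    alerts = []
    for published, kind, user, ip, target in sorted(events, key=lambda e: e[0]):
        ts = datetime.strptime(published, FMT)
        seen = known.setdefault(user, set())
        new_source = bool(seen) and ip not in seen  # first event seeds the baseline
        if new_source and kind == "user.mfa.factor.activate":
            alerts.append((user, "MFA factor enrolled from unseen IP", ip))
            suspect[user] = (ts, ip)
        elif new_source and kind == "user.session.start":
            alerts.append((user, "sign-in from unseen IP", ip))
            suspect[user] = (ts, ip)
        elif kind == "user.authentication.sso" and user in suspect:
            flagged_at, flagged_ip = suspect[user]
            # Only the flagged source counts, so the real user's own session stays quiet.
            if ip == flagged_ip and ts - flagged_at <= WINDOW:
                alerts.append((user, "app access after flagged event", target))
        elif not new_source:
            seen.add(ip)  # unflagged activity extends the baseline
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Flagged sources are deliberately never added to the baseline, so an intruder's IP does not become "known" just by being used repeatedly.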

The technical defenses matter, but so does building a culture where employees feel comfortable pushing back on unusual requests—even from people who sound authoritative and impatient.

Frequently Asked Questions

Should I delete my dating app accounts?

That's a personal decision. The leaked data doesn't appear to include passwords or messages, but advertising IDs and tracking data could potentially be linked to real identities. If you're concerned about privacy, review what information your dating profiles contain and consider whether you're comfortable with that data being exposed.

How do I know if my data was in this breach?

Match Group said it would notify affected users. Watch for communications from the company and be skeptical of any emails asking you to click links or provide credentials—attackers often exploit breach announcements with follow-on phishing campaigns.
