Major Dating Apps Hacked: Hinge, Tinder, OkCupid Data Exposed

Summary
– Match Group, owner of Tinder and Hinge, confirmed a cybersecurity incident where hackers stole a limited amount of user data.
– The ShinyHunters group leaked files allegedly containing 10 million records from Hinge, Match, and OkCupid, but no login or financial data was accessed.
– The breach occurred via a social engineering attack that compromised an Okta SSO account, granting access to marketing and cloud storage systems.
– Security experts recommend implementing phishing-resistant multi-factor authentication, like FIDO2 keys, to defend against such social engineering attacks.
– Additional defenses include strict app authorization policies, monitoring for anomalous activity, and network controls to block anonymizing services.

A significant cybersecurity breach has impacted several of the world’s most popular dating platforms, including Hinge, Tinder, and OkCupid. The parent company, Match Group, confirmed unauthorized access to its systems, leading to the theft of user data. This incident is linked to a widespread phishing campaign targeting corporate login systems, underscoring the persistent threat of social engineering attacks against even the largest technology firms.
The company acknowledged the security event after the hacking group known as ShinyHunters leaked a substantial cache of compressed files. These files are reported to contain millions of user records from Hinge, Match.com, and OkCupid, alongside various internal corporate documents. In an official statement, a Match Group spokesperson emphasized that user safety is a top priority and that the company moved swiftly to cut off the illicit access.
An ongoing investigation, supported by external cybersecurity experts, has so far found no evidence that the attackers obtained user passwords, financial details, or private messages. Match Group maintains that only a limited subset of data was affected and that it has begun the process of notifying impacted individuals. With an active user base exceeding 80 million people, the scale of this breach highlights the vast amount of personal information managed by digital dating services.
This attack forms part of a broader, sophisticated phishing operation aimed at high-value organizations. Threat actors have been focusing on single sign-on (SSO) accounts at major providers like Okta, Microsoft, and Google. In this specific case, the perpetrator gained entry by compromising an Okta SSO account, which gave them access to Match Group’s marketing analytics platform and its cloud storage accounts on Google Drive and Dropbox.
The attack method relied on a deceptive domain designed to mimic an internal company portal, tricking employees into surrendering their credentials. While the leaked data reportedly includes some personally identifiable information, analysts indicate that a large portion consists of marketing and tracking data. This distinction, however, does little to mitigate the overall privacy concerns raised by the breach.
Security professionals stress that defending against such socially engineered attacks requires moving beyond traditional multi-factor authentication. Experts strongly advocate for the adoption of phishing-resistant authentication methods, such as FIDO2 security keys or passkeys. These technologies provide a much higher level of security compared to SMS codes or push notifications, which can be intercepted or manipulated by attackers.
Additional protective measures include implementing strict application authorization policies and continuously monitoring system logs for any unusual API activity or unauthorized device registrations. Companies are also advised to configure network access controls that block connections from anonymizing services often used by threat actors, thereby limiting potential entry points.
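The log monitoring described above can be sketched as a small detection rule. This is an added example, not code from the article or from Match Group or Okta. It assumes events shaped like Okta System Log entries (the field names `eventType`, `actor.alternateId`, `client.ipAddress`, `securityContext.isProxy`, `published` and the listed event types are assumptions about that format), and the users, addresses and 30-minute window are constructed.

```python
from datetime import datetime, timedelta

# Assumed Okta System Log event types that register a factor, device or API token.
ENROLL_EVENTS = {"user.mfa.factor.activate", "device.enrollment.create",
                 "system.api_token.create"}
WINDOW = timedelta(minutes=30)  # assumed triage window, tune per environment

def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def find_suspicious(events):
    """Return (user, eventType, ip, reasons) for registrations worth triage."""
    known_ips = {}    # user -> IPs seen on earlier sign-ins
    last_new_ip = {}  # user -> time of latest sign-in from an unseen IP
    alerts = []
    for e in sorted(events, key=lambda x: parse_ts(x["published"])):
        user, ip = e["actor"]["alternateId"], e["client"]["ipAddress"]
        ts = parse_ts(e["published"])
        if e["eventType"] == "user.session.start":
            seen = known_ips.setdefault(user, set())
            if seen and ip not in seen:  # no baseline yet means no "new IP" call
                last_new_ip[user] = ts
            seen.add(ip)
        elif e["eventType"] in ENROLL_EVENTS:
            reasons = []
            if (e.get("securityContext") or {}).get("isProxy"):
                reasons.append("anonymizing proxy")
            t = last_new_ip.get(user)
            if t is not None and ts - t <= WINDOW:
                reasons.append("follows sign-in from new IP")
            if reasons:
                alerts.append((user, e["eventType"], ip, reasons))
    return alerts

def make_event(t, user, etype, ip, proxy=False):
    return {"published": t, "eventType": etype, "actor": {"alternateId": user},
            "client": {"ipAddress": ip}, "securityContext": {"isProxy": proxy}}

# Constructed sample events (documentation IP ranges, made-up users).
SAMPLE = [
    make_event("2024-01-01T09:00:00Z", "alice@example.com", "user.session.start", "198.51.100.10"),
    make_event("2024-01-01T10:00:00Z", "bob@example.com", "user.session.start", "198.51.100.20"),
    make_event("2024-01-01T10:02:00Z", "bob@example.com", "user.mfa.factor.activate", "198.51.100.20"),
    make_event("2024-01-01T14:00:00Z", "alice@example.com", "user.session.start", "203.0.113.77", True),
    make_event("2024-01-01T14:05:00Z", "alice@example.com", "user.mfa.factor.activate", "203.0.113.77", True),
]

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE):
        print(alert)
```

A registration from a known address with no proxy flag, like the second user's in the sample, produces no alert, which keeps routine factor enrollment out of the triage queue.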
Some forward-thinking financial institutions are piloting innovative verification techniques, such as live caller checks within official mobile apps, allowing users to confirm the identity of someone contacting them by phone. As cybercriminals refine their tactics, the need for robust, user-centric security protocols becomes increasingly critical for all organizations handling sensitive personal data.
(Source: Bleeping Computer)





