What Happened
In January 2026, approximately 10 million records from Match Group platforms including Hinge, Match.com, and OkCupid were reportedly exposed. The data allegedly includes user IDs, IP addresses, subscription details, employee emails, and corporate contracts.
Some reports have linked the attack to ShinyHunters, with AppsFlyer (a marketing analytics platform) cited as the alleged entry point. The mix of consumer and corporate data suggests the attacker may have had broad access across Match Group's environment.
Timeline
- Late January 2026 — ShinyHunters compromise Okta SSO account via vishing using phishing domain 'matchinternal.com'
- January 28, 2026 — ShinyHunters claim to publish 1.7GB of data from Match Group platforms
- Late January 2026 — Match Group confirms incident and engages external cybersecurity experts
- Late January 2026 — AppsFlyer denies that their own systems were breached
Threat Actor Profile
ShinyHunters conducted this attack as part of a coordinated campaign in early 2026 targeting SSO credentials across multiple organisations via voice phishing.
The group used a custom phishing domain 'matchinternal.com' to impersonate Match Group's internal IT support and trick employees into providing Okta credentials and MFA codes.
Impact and Risk Assessment
For Individuals
Dating profile data is inherently sensitive. Exposure of user profiles, bios, and subscription details from platforms like Tinder and Hinge can enable harassment, blackmail, and discrimination.
IP addresses and authentication tokens may allow further account compromise if the tokens are not promptly rotated.
The combination of personal preferences, relationship status, and location data creates a comprehensive profile that could be exploited for targeted social engineering.
For Organisations
Match Group faces reputational damage across its portfolio of dating brands, as user trust is foundational to the dating platform business model.
Exposed employee email lists and internal documents create ongoing spear-phishing risk for Match Group staff.
Partner contracts and corporate materials may reveal commercial arrangements and strategic plans.
Regulatory Context
Dating platform data falls under GDPR's special categories of personal data in the EU, as it can reveal sexual orientation and intimate preferences.
Multiple jurisdictions have specific protections for data that could reveal sexual orientation, making this breach particularly sensitive from a regulatory perspective.
What Should You Do?
For Individuals
- If you use Tinder, Hinge, Match.com, OkCupid, or Meetic, review your profile for sensitive information and consider updating your password.
- Be cautious of unsolicited messages that reference your dating profile or personal preferences, as these may be social engineering attempts.
For Security Professionals
- Audit third-party marketing analytics integrations (such as AppsFlyer) and review what data they can access. Marketing technology vendors often have deeper access than expected.
- Implement phishing-resistant MFA and consider domain-based controls that can detect lookalike phishing domains targeting your organisation.
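One way to approach the lookalike-domain control mentioned above, as an added example that is not part of the original report: newly observed domains are checked for a brand name combined with an IT or SSO lure word, and for near-identical spellings of a brand. The allowlist, brand tokens, lure words and every sample domain except 'matchinternal.com' are assumptions made up for illustration.

```python
# Added example. ALLOWLIST, BRANDS and LURES are assumed values for illustration.
ALLOWLIST = {"match.com", "hinge.co", "okcupid.com"}
BRANDS = ("match", "hinge", "okcupid")
LURES = ("internal", "sso", "okta", "login", "helpdesk", "support", "vpn")
DIGIT_SWAPS = str.maketrans("0135", "oles")  # 0->o, 1->l, 3->e, 5->s

def normalize(label):
    """Lower-case, drop hyphens and fold common digit-for-letter swaps."""
    return label.lower().replace("-", "").translate(DIGIT_SWAPS)

def edit_distance(a, b):
    """Levenshtein distance using two rows of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain):
    """Return the reason a domain looks like a lookalike, or None."""
    domain = domain.lower().rstrip(".")
    if any(domain == ok or domain.endswith("." + ok) for ok in ALLOWLIST):
        return None  # our own domain or a subdomain of it
    labels = domain.split(".")
    if len(labels) < 2:
        return None
    # Simplification: the label before the TLD is treated as the registered
    # name; production code should use the Public Suffix List instead.
    name = normalize(labels[-2])
    for brand in BRANDS:
        if brand in name and any(lure in name for lure in LURES):
            return f"brand '{brand}' combined with an IT/SSO lure word"
        # Distance check only for longer brands, so 'watch' does not hit 'match'.
        if name == brand or (len(brand) >= 6 and edit_distance(name, brand) <= 1):
            return f"near-identical to brand '{brand}'"
    return None

def scan(domains):
    """Map each suspicious domain to its reason."""
    return {d: r for d in domains if (r := classify(d))}

# Constructed sample of newly observed domains (e.g. from DNS or proxy logs).
# 'matchinternal.com' is the domain named in the report; the rest are made up.
OBSERVED = ["matchinternal.com", "sso.match.com", "0kcupid.example",
            "okcupld.example", "matchbox.example", "match-okta-login.example",
            "example.org"]
```

Feeding `scan()` from certificate transparency or resolver logs lets a flagged domain be blocked or investigated before a vishing call points staff at it.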
Learnings and Recommendations
The alleged use of a marketing analytics platform as the attack vector highlights supply chain risk through marketing technology vendors, which often have deep access to user data and are overlooked in security assessments.
Dating platform data is inherently sensitive. Even without explicit profile content, the combination of user IDs, IP addresses, and subscription details can identify individuals and create risks including blackmail and harassment.