In January 2026, the hacking group ShinyHunters claimed to have stolen more than 10 million records from Match Group -- the company behind some of the world's most popular dating apps, including Tinder, Hinge, and OkCupid. While Match Group stated that only a "limited amount of user data" was involved and that core login credentials and financial information appear safe, the nature of dating app data makes even a limited exposure uniquely dangerous. If you use or have ever used a Match Group dating platform, here is what happened, what was exposed, and the steps you should take to protect yourself.
What Happened: The Match Group Breach
ShinyHunters -- the same group responsible for multiple high-profile breaches in 2025 and 2026 -- gained access to Match Group's systems through a vishing attack targeting employees' Okta single sign-on (SSO) credentials. Vishing, or voice phishing, involves calling employees and manipulating them into revealing login information over the phone. Once inside, the attackers also exploited access to AppsFlyer, a mobile analytics platform used by Match Group to track app performance and user acquisition.
ShinyHunters claimed to have exfiltrated over 10 million records spanning multiple Match Group platforms. The group subsequently attempted to extort the company. Match Group acknowledged the incident and confirmed that some user data was involved, but emphasized that core login credentials, passwords, private messages, and payment card details do not appear to have been compromised.
Dating App Data Is Uniquely Sensitive
Even when a dating app breach does not include passwords or financial data, the exposed information can be deeply personal. Dating app usage can reveal sexual orientation, relationship status, dating preferences, location patterns, and personal habits. In the wrong hands, this data can be used for blackmail, stalking, targeted harassment, discrimination, or social engineering attacks that exploit intimate personal details. Take this breach seriously, even if the exposed data seems "limited" on the surface.
What Data Was Exposed
Based on ShinyHunters' claims and Match Group's limited disclosures, the following types of data were potentially compromised:
- User IDs tied to Tinder, Hinge, OkCupid, and other Match Group platforms
- Hinge subscription data -- including transaction IDs and payment amounts
- IP addresses -- which can reveal approximate geographic locations
- Internal employee email addresses
- Corporate contracts and internal documents
- AppsFlyer analytics data -- which may include device identifiers, app usage patterns, and attribution data
Match Group has stated that the following were not exposed:
- Passwords and login credentials
- Private messages and conversations
- Payment card numbers or bank account details
- Photos uploaded to profiles
However, even the confirmed exposed data is concerning. User IDs linked to specific platforms reveal which dating apps someone uses. Subscription transaction data reveals spending habits on dating services. IP addresses can narrow down a user's physical location. When combined, these data points create a profile that can be exploited in targeted attacks.
Which Apps Were Affected
Match Group operates a portfolio of dating platforms. While the breach targeted Match Group's corporate systems rather than individual app databases, users of any of the following services should be aware of their potential exposure:
- Tinder
- Hinge
- OkCupid
- Match.com
- Plenty of Fish
- The League
- Other Match Group properties
Hinge subscribers appear to be most directly affected based on the exposed subscription and transaction data.
Why Dating App Breaches Are Especially Dangerous
Dating app data is different from the information exposed in a typical retail or telecom breach. The risks extend beyond financial fraud:
- Blackmail and extortion: Criminals can threaten to reveal someone's dating app usage to their employer, family, or community -- particularly dangerous for people in conservative environments or those whose dating preferences they wish to keep private.
- Stalking and harassment: IP addresses and location data can be used to track individuals. Combined with user IDs, an attacker could potentially identify and locate specific users.
- Highly targeted phishing: Knowing that someone uses Tinder or Hinge allows criminals to craft phishing emails that reference the specific app, making the messages far more convincing.
- Social engineering: Details about someone's dating habits, subscription status, and location can be used to impersonate them or manipulate them in subsequent scams.
- Discrimination: In some contexts, exposure of dating app usage -- particularly apps associated with specific communities -- can lead to workplace discrimination, social stigma, or worse.
Immediate Steps to Take Right Now
1. Change Your Passwords on Match Group Apps
Even though Match Group says passwords were not compromised, changing your password is a low-effort, high-value precaution. Use a strong, unique password that you do not use on any other service. If you use the same email and password combination on other platforms, change those passwords as well.
2. Enable Two-Factor Authentication
Enable two-factor authentication on your dating app accounts and, critically, on the email account associated with them. Your email is often the key to resetting passwords on other services, making it the most important account to secure. Use an authenticator app rather than SMS-based codes whenever possible.
3. Review Your Dating App Privacy Settings
Take this opportunity to audit the privacy settings on every dating app you use:
- Limit location sharing: Use approximate location rather than precise GPS if the app offers the option.
- Review connected accounts: Disconnect Instagram, Spotify, or other social accounts linked to your dating profile if they are not essential.
- Control profile visibility: Some apps allow you to hide your profile from non-matches or limit who can see you.
- Audit personal details: Remove your last name, workplace, or other identifying information from your profile that is not necessary for dating.
- Check data sharing settings: Review what data the app shares with third-party analytics and advertising partners.
4. Monitor for Suspicious Communications
Watch for phishing emails or messages that reference your dating app usage. Criminals may send emails claiming to be from Tinder, Hinge, or Match.com asking you to "verify your account" or "update your payment information." These are almost always scams. Access your accounts only by opening the official app or typing the URL directly into your browser -- never through links in emails or text messages.
5. Check Have I Been Pwned
Visit haveibeenpwned.com and enter the email address associated with your dating accounts. The site tracks major breaches and will tell you if your email appeared in the Match Group breach or any other known compromises.
Consider Whether You Still Need Old Accounts
If you have dating app accounts you no longer use, this is a good time to delete them entirely rather than leaving them dormant. Inactive accounts still contain your personal data and remain vulnerable in future breaches. Log in, download any data you want to keep, and then delete the account through the app's settings. Simply deleting the app from your phone does not delete your account or your data from the company's servers.
Long-Term Protection Measures
Use a Dedicated Email for Dating Apps
Consider creating a separate email address exclusively for dating apps. This prevents your primary email -- the one tied to banking, work, and other critical services -- from being exposed in a dating app breach. It also makes it harder for someone to connect your dating profile to your real-world identity.
Limit the Personal Information You Share
Be intentional about what you put on your dating profile. Your first name and a few photos are usually sufficient. Avoid including your last name, employer, school, or any details that could be used to find you on other platforms or in real life.
Use a VPN
Since IP addresses were exposed in this breach, using a VPN when accessing dating apps prevents your real IP address -- and by extension your approximate location -- from being logged. This adds a meaningful layer of privacy protection.
Review Your Data Broker Exposure
If criminals have your user ID, IP address, or email from this breach, they can cross-reference it with data broker profiles to build a complete picture of your identity. Data brokers sell names, home addresses, phone numbers, family relationships, and more to anyone who pays. Removing your information from these sites makes it significantly harder to connect your dating app activity to your real-world identity.
How PrivacyOn Helps Protect You After the Match Group Breach
The greatest risk after a dating app breach is that exposed data gets combined with the personal information freely available on data broker websites. A user ID from Hinge means little on its own -- but linked to your name, home address, phone number, and workplace from a data broker profile, it becomes a powerful tool for stalking, harassment, or blackmail.
PrivacyOn removes your personal information from over 100 data broker sites, breaking the connection between your online activity and your real-world identity. With 24/7 continuous monitoring, PrivacyOn ensures your data stays off these platforms even after brokers attempt to re-list it. Dark web monitoring alerts you if your information surfaces in underground marketplaces or hacking forums. Family plans cover up to 5 people, so you can protect your entire household. Plans start at just $8.33 per month.
After a breach involving dating app data, privacy protection is not just about preventing financial fraud -- it is about keeping the most personal aspects of your life from being weaponized against you. PrivacyOn helps ensure that your publicly available data cannot be used to connect the dots.