
Match Group breach: data from Hinge, Tinder, OkCupid and Match leaked

In late January 2026, the extortion group ShinyHunters published a 1.7 GB compressed archive on its leak site, claiming the theft of around 10 million user records from Match Group’s dating apps: Hinge, Tinder, OkCupid and Match. The post, dated 27–28 January 2026, also included internal company documents.

What happened and who is affected

This is not a software vulnerability (no CVE was assigned), but an unauthorized access incident carried out through social engineering. According to the available information, the attackers ran a vishing (voice phishing) campaign that compromised an employee’s Okta single sign-on (SSO) credentials. To do so they used a fraudulent domain, matchinternal.com, mimicking the corporate internal infrastructure.

With those credentials, the attackers reached internal dashboards and the AppsFlyer marketing analytics platform, as well as cloud storage. The incident is part of a broader ShinyHunters campaign targeting SSO environments, including Okta, Microsoft and Google accounts, that according to the group affected more than one hundred organizations.

The affected parties are users of Match Group’s apps whose data resided in the accessible systems. Match Group stated that the breach involved “a limited amount of user data,” consisting mainly of tracking information: phone numbers, email addresses, user identifiers and IP addresses. The company stressed that login credentials, financial information and private communications were not accessed, and disputed the attackers’ claim that Google Drive and Dropbox files had been compromised.

Severity

The severity is high. Although no passwords or banking data leaked, the combination of phone, email, user ID and IP, tied to dating apps, is highly sensitive material: it enables targeted phishing, extortion and doxing campaigns against specific individuals. The use of vishing against SSO shows the weak link was not the technology but the human factor combined with authentication that did not resist impersonation.

Mitigation and response

Match Group said it acted “quickly to terminate the unauthorized access” and that it was already notifying affected individuals “as appropriate,” with the support of external security experts.

For organizations looking to prevent similar incidents, the expert recommendations are clear:

  • Adopt phishing-resistant authentication such as FIDO2 security keys or passkeys, instead of SMS or app-generated one-time passwords (OTP), which are vulnerable to vishing.
  • Enforce strict app authorization policies and network access controls to limit the blast radius of a compromised account.
  • Train staff against vishing campaigns and always verify any credential request through an independent channel.
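
Why the first recommendation holds, as an added example that is not part of the original article: the relying-party checks on a WebAuthn (FIDO2) assertion bind a login to the site's real origin, so a response obtained on a lookalike page such as matchinternal.com fails verification. The origin sso.example.com, the function names and the sample assertions are constructed placeholders, and signature verification is omitted to keep the focus on origin binding.

```python
import base64
import hashlib
import hmac
import json

RP_ID = "sso.example.com"                    # placeholder relying-party ID (assumption)
EXPECTED_ORIGIN = "https://sso.example.com"  # placeholder legitimate origin (assumption)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_assertion(origin: str, rp_id: str, challenge: bytes):
    """Constructed stand-in for browser + authenticator output on a given page."""
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64url(challenge),
                              "origin": origin}).encode()
    # authenticatorData: rpIdHash (32 bytes) || flags (UP|UV = 0x05) || signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x05" + (1).to_bytes(4, "big")
    return client_data, auth_data


def binding_failures(client_data_json: bytes, auth_data: bytes, challenge: bytes):
    """Relying-party checks that tie an assertion to this site and this login."""
    cd = json.loads(client_data_json)
    failed = []
    if cd.get("type") != "webauthn.get":
        failed.append("type")
    if not hmac.compare_digest(str(cd.get("challenge")), b64url(challenge)):
        failed.append("challenge")
    if cd.get("origin") != EXPECTED_ORIGIN:      # written by the browser, not the user
        failed.append("origin")
    if not hmac.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        failed.append("rpIdHash")
    if not auth_data[32] & 0x01:                 # user-present flag
        failed.append("userPresent")
    return failed


if __name__ == "__main__":
    challenge = b"constructed-server-challenge-001"
    genuine = make_assertion(EXPECTED_ORIGIN, RP_ID, challenge)
    # A lookalike page can only obtain an assertion scoped to its own domain.
    lookalike = make_assertion("https://matchinternal.com", "matchinternal.com", challenge)
    print("genuine  :", binding_failures(*genuine, challenge))
    print("lookalike:", binding_failures(*lookalike, challenge))
```

A one-time code carries no origin field, which is why it still verifies after being read out over a phone call or typed into the wrong site.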

For users of these apps, it is wise to be wary of emails or calls referencing the incident, avoid password reuse, and enable the strongest two-factor authentication available.
