Match Group Confirms Data Theft After ShinyHunters Leak Claim
Match Group confirmed it is investigating a “recently identified security incident” after ShinyHunters claimed to have stolen and leaked data tied to its dating platforms, including Hinge, Match.com, and OkCupid. The actor advertised a dump of roughly 1.7 GB of compressed files and claimed 10+ million records plus internal documents; Match Group said it moved quickly to terminate unauthorized access and is working with external incident response experts while notifying affected individuals as appropriate.
Reporting indicates the intrusion likely stemmed from compromised identity and SaaS access rather than direct compromise of the dating apps themselves. The alleged source of exposure was AppsFlyer (a marketing analytics platform), and one account of the incident attributes initial access to a compromised Okta SSO account that enabled access to AppsFlyer and cloud storage (including Google Drive and Dropbox). Match Group stated there is currently no indication that user login credentials, financial information, or private communications were accessed, while third-party review of samples reportedly suggested the dataset includes personal customer data, some employee details, and internal corporate material.
Timeline
Jan 30, 2026
Bumble discloses separate phishing-linked contractor account incident
By January 30, 2026, Bumble disclosed a separate cybersecurity incident after ShinyHunters claimed to have stolen data from the company. Bumble said a contractor account was phished, causing brief unauthorized access to a small part of its network, but stated its member database, user accounts, messages, profiles, and app content were not impacted.
Jan 29, 2026
Cybernews analysis identifies exposed Hinge, OkCupid, and internal Match data
Researchers reviewing samples tied to the leak reported that the stolen data included personal customer information, employee details, internal corporate material, and Hinge subscription and match-related records such as transaction IDs, payment amounts, IP addresses, and location data. Additional files reportedly included OkCupid debugging data, employee emails, and documents linked to other Match properties.
Jan 29, 2026
Match Group confirms security incident and begins customer notifications
By January 29, 2026, Match Group said it was investigating a recently identified security incident, had terminated the unauthorized access, and was working with external cybersecurity experts. The company said only a limited amount of user data appeared affected, with no indication that login credentials, financial information, or private communications were accessed, and it began notifying impacted individuals as appropriate.
Jan 28, 2026
ShinyHunters posts Match Group data-theft claim on leak site
On January 28, 2026, ShinyHunters claimed on its dark web leak site that it had stolen more than 10 million records tied to Match Group services including Hinge, Match.com, and OkCupid. The listing alleged the exposed data originated through AppsFlyer and included internal documents alongside user-related records.
Jan 15, 2026
Unauthorized access to Match Group may have begun via phished Okta SSO account
Reports indicate the intrusion affecting Match Group may have started as early as mid-January 2026, when ShinyHunters allegedly used a vishing campaign to compromise an Okta single sign-on account. The access reportedly enabled entry to AppsFlyer and cloud storage services including Google Drive and Dropbox.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Threat Actors
Organizations
Affected Products
Sources
1 more from sources like register security
Related Stories
ShinyHunters SaaS Data Theft via Vishing-Enabled SSO Credential and MFA Capture
**ShinyHunters** has been linked to a wave of SaaS-focused data-theft and extortion activity enabled by targeted **voice phishing (vishing)** and company-branded phishing portals designed to capture **SSO credentials** and **MFA codes**. Mandiant reported that attackers impersonate IT/helpdesk staff, direct employees to realistic login pages, and use real-time interaction (including guiding victims to approve push prompts or provide one-time codes) to authenticate and then **enroll attacker-controlled devices into MFA**. After account takeover, the actor pivots through **Okta, Microsoft Entra, or Google** SSO dashboards to rapidly access downstream SaaS services (e.g., *Salesforce*, *Microsoft 365/SharePoint*, *DocuSign*, *Slack*, *Atlassian*, *Dropbox*, *Google Drive*), turning a single compromised identity into broad cloud data access. Separately, **Bumble** reported a phishing-driven compromise of a **contractor account**, after which ShinyHunters allegedly claimed theft of ~**30 GB** of data—reported as largely internal files sourced from **Google Drive** and **Slack**—while Bumble stated there was no evidence of exposure of user chats or profiles. Reporting also tied ShinyHunters to other claimed or alleged thefts affecting consumer and enterprise brands (including Match Group properties such as *Hinge*, *Match*, and *OkCupid*), consistent with the broader pattern of leveraging compromised identities and SaaS access paths for data exfiltration and extortion leverage.
Yesterday
ShinyHunters Claims Okta Vishing Campaign and Leaks Data from Crunchbase, Betterment, and SoundCloud
The **ShinyHunters** extortion group claimed responsibility for a recent **Okta SSO voice-phishing (vishing)** campaign used to steal authentication codes and access victim environments. The group told reporters and researchers it used vishing to obtain Okta single-sign-on codes to compromise **Crunchbase** and **Betterment**, and then published alleged stolen data after the organizations reportedly rejected extortion demands; ShinyHunters also said additional victims exist and that more disclosures are forthcoming. ShinyHunters published alleged datasets for **Crunchbase, Betterment, and SoundCloud** on a newly launched leak site, asserting the dumps contain **PII** and large record counts (reported as **>20 million** for Betterment, **~2 million** for Crunchbase, and **~30+ million** for SoundCloud). **SoundCloud** stated it is aware of data published online allegedly taken from its organization and said its security team, supported by third-party experts, is reviewing the claim and the posted data; ShinyHunters asserted SoundCloud access was *not* obtained via SoundCloud’s Okta credentials. SoundCloud had previously confirmed a breach affecting roughly **20% of users** (about **28 million** based on public user counts), while Crunchbase and Betterment had not publicly responded at the time of reporting.
1 months ago
Figure Data Breach Linked to Employee Social Engineering and ShinyHunters Leak
**Figure Technology Solutions**, a blockchain-based lending/fintech firm, confirmed a **data breach** after an employee was **socially engineered**, enabling attackers to access and exfiltrate a **limited number of files**. The company said it is communicating with partners and impacted individuals, has begun sending notifications, and is offering **free credit monitoring** to recipients of breach notices; it has not publicly disclosed the total number of affected individuals or when the incident was detected. The cybercrime group **ShinyHunters** claimed responsibility and alleged Figure refused to pay a ransom, publishing about **2.5GB** of purportedly stolen data on its leak site. Journalists who reviewed samples reported the exposed data included **names, home addresses, dates of birth, and phone numbers**, increasing risk of identity fraud and follow-on phishing. ShinyHunters also told reporters the intrusion was part of a broader campaign affecting organizations including **Harvard University** and **UPenn**, and referenced victims that rely on **Okta** for single sign-on.
1 months ago