What Happened
On January 27, 2026, the threat group ShinyHunters published a 1.7 GB compressed archive on BreachForums containing approximately 10 million records allegedly stolen from Match Group, the parent company of Tinder, Hinge, OkCupid, Match.com, Meetic, and Plenty of Fish.
How They Got In
Evidence points to AppsFlyer, a mobile marketing and analytics platform used by Match Group, as the source of the data exposure. ShinyHunters appears to have exploited access through the third-party integration rather than directly breaching Match Group’s core infrastructure.
Exposed Data
The leaked archive reportedly contains user advertising IDs linked to profiles, internal daily operational reports, corporate receipts and invoices, and user profile data whose full scope remains under investigation.
Match Group stated there was no indication that login credentials, payment data, or private messages were compromised.
Timeline
The initial unauthorized access occurred at an unknown date. ShinyHunters posted the data on BreachForums on January 27, 2026. Match Group confirmed its investigation the following day, and by January 29, multiple security firms had confirmed the data’s authenticity.
Platforms Potentially Affected
Match Group operates several major dating services that may be impacted. Tinder is the largest dating app globally. Hinge markets itself as “designed to be deleted.” OkCupid uses questionnaire-based matching, while Match.com stands as one of the oldest online dating services. The company also runs Plenty of Fish as a free platform and Meetic serving European users.
Company Response
Match Group issued a statement confirming the investigation and asserting that it “acted quickly to terminate the unauthorized access.” The company is working with third-party forensic investigators and has notified law enforcement.
About ShinyHunters
ShinyHunters is one of the most prolific data breach groups currently active. They were responsible for major breaches in 2024 including Ticketmaster (560 million records), AT&T (call and text metadata of nearly all customers), and Santander Bank (30 million records). The group primarily monetizes data through dark web sales and extortion.
What Organizations Should Do
Organizations using third-party analytics providers should audit API access scopes and data sharing agreements. End users of affected dating platforms should enable two-factor authentication, monitor for phishing attempts leveraging leaked data, and consider rotating passwords.