Match Group, the parent company of Tinder, Hinge, OkCupid, Match.com, and Plenty of Fish, confirmed a cybersecurity incident after the hacking collective ShinyHunters published a 1.7 GB archive claiming 10 million records from the company’s platforms. The breach resulted from a voice phishing (vishing) attack that compromised an employee’s Okta SSO credentials.
Incident overview
| Attribute | Details |
|---|
| Victim | Match Group (Tinder, Hinge, OkCupid, Match.com) |
| Threat actor | ShinyHunters (UNC6661) |
| Records claimed | 10 million |
| Data volume | 1.7 GB compressed |
| Attack vector | Vishing targeting Okta SSO |
| Phishing domain | matchinternal[.]com |
| Access gained | AppsFlyer, cloud storage |
Timeline
| Date | Event |
|---|
| Early-mid January 2026 | Vishing campaign targeting Match Group employees |
| January 2026 | Employee Okta credentials compromised |
| January 27, 2026 | ShinyHunters posts data to BreachForums |
| January 28, 2026 | Match Group confirms incident and investigation |
| January 29, 2026 | Public disclosure |
Attack method
ShinyHunters used a sophisticated social engineering technique targeting single sign-on (SSO) accounts:
Vishing attack chain
| Phase | Action |
|---|
| 1. Phone call | Attackers posing as IT staff call employees |
| 2. Pretext | Claim company is updating MFA settings |
| 3. Credential harvesting | Direct victims to matchinternal[.]com (lookalike domain) |
| 4. MFA capture | Capture SSO credentials and MFA codes in real-time |
| 5. Device registration | Register attacker device for MFA |
| 6. Data access | Use compromised Okta account to access connected services |
This technique—combining phone-based social engineering with real-time credential capture—bypasses traditional MFA protections by capturing codes as they’re entered.
Why this bypasses MFA
| Factor | Impact |
|---|
| Real-time capture | MFA code valid during phone call |
| Device registration | Attacker registers own MFA device |
| Trust exploitation | Victim believes IT staff is legitimate |
| SSO access | Single credential unlocks multiple services |
What was stolen
Confirmed exposed data
| Data Type | Platforms affected |
|---|
| User advertising IDs | Hinge, Match.com, OkCupid |
| Transaction IDs | Premium feature payments |
| Subscription amounts | Hinge subscriptions |
| IP addresses | All platforms |
| Geographic locations | All platforms |
| Full names | All platforms |
Hinge-specific exposure
| Data Type | Risk level |
|---|
| Match records between users | High—reveals relationships |
| Dating profile bios and text | High—personal content |
| User preferences | Medium—personal information |
Disputed claims
| ShinyHunters claim | Match Group response |
|---|
| Google Drive access | ”Not accessed based on investigation” |
| Dropbox files | ”Not accessed based on investigation” |
| Internal documents | Under investigation |
NOT exposed (per Match Group)
| Data Type | Status |
|---|
| Login credentials | Not compromised |
| Financial information | Not compromised |
| Private messages | Not compromised |
| Tinder data | Not mentioned in leak |
| Plenty of Fish data | Not mentioned in leak |
AppsFlyer connection
ShinyHunters’ leak site pointed to AppsFlyer, a marketing analytics provider, as the data source.
AppsFlyer’s denial
“The incident did not originate from AppsFlyer, nor did it involve a data breach, security incident, or compromise of AppsFlyer’s systems.”
The data appears to have been accessed through Match Group’s AppsFlyer instance after the SSO compromise, not from AppsFlyer directly.
Part of a larger campaign
Match Group was one of several organizations hit in ShinyHunters’ January 2026 vishing spree:
| Target | Records | Status |
|---|
| Match Group | 10M claimed | Confirmed |
| Panera Bread | 5.1M accounts | Confirmed |
| SoundCloud | Unknown | Under investigation |
| Crunchbase | Unknown | Under investigation |
All attacks used the same technique: impersonating IT staff to harvest SSO credentials and MFA codes.
Campaign infrastructure
| Indicator | Pattern |
|---|
| Domain format | <companyname>sso.com or <companyname>internal.com |
| Registrar | NICENIC |
| Pretext | MFA update announcement |
| Target | Okta, Microsoft, Google SSO |
| Organizations targeted | 100+ high-value companies |
Privacy implications
Dating platform data carries unique risks compared to typical breaches:
Dating-specific concerns
| Data type | Risk |
|---|
| Profile content | Reveals personal details, preferences, lifestyle |
| Match history | Exposes relationship connections |
| IP addresses | Enables geolocation, especially concerning for anonymous users |
| Advertising IDs | Cross-platform tracking, correlation with other datasets |
| Subscription data | Financial patterns, premium feature usage |
Potential exploitation
| Scenario | Risk |
|---|
| Deanonymization | Correlate advertising IDs with other data sources |
| Targeted phishing | Use profile content for social engineering |
| Relationship exposure | Match records reveal who connected with whom |
| Blackmail risk | Dating activity could be used for extortion |
| Impersonation | Leaked profiles enable fake account creation |
For Hinge users specifically, leaked match records and profile text could enable identification of real-world individuals—or provide material for targeted social engineering.
About ShinyHunters
ShinyHunters (also tracked as UNC6661) is one of the most prolific data breach groups currently active:
Recent ShinyHunters breaches
| Year | Target | Records |
|---|
| 2024 | Ticketmaster | 560 million |
| 2024 | AT&T (call metadata) | 110+ million |
| 2024 | Santander Bank | 30 million |
| 2026 | Match Group | 10 million claimed |
Evolution in tactics
| Previous approach | Current approach |
|---|
| Database exploitation | SSO social engineering |
| Technical vulnerabilities | Human trust exploitation |
| Direct system access | Third-party service abuse |
The group’s pivot to vishing attacks targeting SSO systems represents an evolution from their earlier database exploitation techniques.
Match Group’s response
“Match Group takes the safety and security of our users seriously and acted quickly to terminate the unauthorized access.”
| Action | Status |
|---|
| Access terminated | Complete |
| Investigation | Ongoing |
| User notification | In progress |
| Law enforcement | Engaged |
Recommendations
For Match Group users
| Priority | Action |
|---|
| High | Enable two-factor authentication if not already active |
| High | Use unique passwords for dating apps |
| High | Review profile content—consider removing identifying details |
| Medium | Watch for targeted phishing using leaked profile data |
| Medium | Monitor for impersonation—leaked profiles could create fake accounts |
| Ongoing | Be cautious of “Match Group security” communications |
For organizations
The Match Group breach demonstrates that MFA alone doesn’t stop determined attackers:
| Control | Purpose |
|---|
| Phishing-resistant MFA | Hardware keys, passkeys (not SMS/TOTP) |
| Employee vishing training | Recognize IT impersonation tactics |
| SSO anomaly monitoring | New device registrations, unusual access patterns |
| Domain monitoring | Detect lookalike phishing domains early |
| Conditional access policies | Restrict SSO to managed devices |
For security teams
| Priority | Action |
|---|
| Critical | Implement phishing-resistant MFA for SSO |
| High | Train employees on vishing identification |
| High | Monitor for SSO device registration anomalies |
| High | Implement domain monitoring for brand impersonation |
| Medium | Review third-party service access patterns |
Context
The Match Group breach highlights the unique sensitivity of dating platform data. Unlike typical corporate breaches, dating information reveals intimate personal details, relationship patterns, and lifestyle choices that users expected to remain private.
The vishing attack vector demonstrates that even organizations with MFA can be compromised through social engineering. When attackers call employees, claim to be IT staff, and capture credentials in real-time, traditional MFA provides no protection.
For users of dating platforms, the breach serves as a reminder that digital dating creates permanent records that can be exposed. Consider what information you share in profiles and whether that data could be used against you if leaked.
