Full Report
Bumble and Match said they each recently responded to network intrusions. The group ShinyHunters claimed to have stolen data from both.
Analysis Summary
# Incident Report: Compromise of Dating App Giants by ShinyHunters
## Executive Summary
Dating service providers Bumble and Match Group experienced separate but related network intrusions, claimed by the financially motivated threat actor ShinyHunters. Access was gained through the compromise of a contractor's account (Bumble) via phishing, and possibly through other means at Match, leading to the exfiltration of internal documentation and some user/employee data connected to Match's subsidiaries (e.g., Hinge, OkCupid). Both companies confirmed security incidents, though they emphasized that sensitive user data like logins and private communications were not compromised according to their assessments.
## Incident Details
- Discovery Date: Not explicitly stated, but claims/reports emerged around late January 2026.
- Incident Date: Occurred shortly before public disclosure/claims in late January 2026.
- Affected Organization: Bumble, Match Group (including subsidiaries Tinder, Hinge, OkCupid).
- Sector: Technology / Social Networking / Dating Services.
- Geography: Not explicitly stated, but likely global operations for these organizations.
## Timeline of Events
### Initial Access
- Date/Time: Prior to public reporting in late January 2026.
- Vector: **Phishing attack** targeting a contractor's account (Bumble).
- Details: This led to "brief unauthorized access to a small portion of [Bumble's] network."
### Lateral Movement
- Details: For Bumble, the unauthorized access was brief. For Match, the scope mentioned "limited amount of user data," implying successful internal access to resources likely hosting corporate documents or profile data samples, potentially via cloud services (Google Drive, Slack).
### Data Exfiltration/Impact
- **Bumble:** Leak included thousands of internal documents marked "restricted or confidential," sourced primarily from Google Drive and Slack.
- **Match:** ShinyHunters claimed 10 million records. Researcher review of samples linked to Hinge included personal customer info, some employee details, internal corporate data, matched user profile information (names, bios), logs of profile changes, and duplicated/test data.
### Detection & Response
- **Detection:** Not explicitly stated, but responses began after ShinyHunters made public claims.
- **Response (Bumble):** Contacted law enforcement. Confirmed access was terminated and stated member database, private messages, and profiles were unaffected.
- **Response (Match):** Confirmed the incident, stated limited user data was involved, and notified affected customers. Stated login credentials, financial info, or private communications were *not* accessed.
## Attack Methodology
- Initial Access: **Phishing** (Confirmed for Bumble contractor account). Possible cloud service compromise for data source access (Google Drive/Slack).
- Persistence: Not detailed, but access was maintained long enough to stage data exfiltration.
- Privilege Escalation: Not detailed.
- Defense Evasion: Not detailed, though the use of existing contractor credentials implies bypassing standard perimeter controls.
- Credential Access: Implied via phishing on the contractor account.
- Discovery: Internal reconnaissance occurred to locate confidential documents and user data samples.
- Lateral Movement: Not detailed, but internal cloud services (Drive/Slack) were accessed.
- Collection: Gathering of confidential documents and structured user data records.
- Exfiltration: Data posted to ShinyHunters' dark web leak site.
- Impact: Disclosure of internal corporate data and public staging of partial user records.
## Impact Assessment
- Financial: Not specified.
- Data Breach:
  - **Bumble:** Thousands of internal, confidential documents leaked.
  - **Match:** Claimed 10 million records. Samples included PII (names, bios), employee details, and internal corporate data related to Hinge/OkCupid.
- Operational: No mention of service downtime, but internal data exposure occurred.
- Reputational: Damage due to association with the notorious ShinyHunters group and public confirmation of data exposure involving high-profile dating brands.
## Indicators of Compromise
* **Network Indicators (Defanged):** *None provided in the source material.*
* **File Indicators:** Internal documents marked "restricted or confidential"; Data samples containing user profile information and logs.
* **Behavioral Indicators:** Suspicious activity stemming from a compromised contractor endpoint leading to access across cloud collaboration platforms (Google Drive, Slack).
## Response Actions
- **Containment (Bumble):** The unauthorized access was successfully terminated.
- **Eradication/Remediation:** Not explicitly detailed, but implied review and securing of the compromised contractor access path.
- **Recovery:** Ongoing notification processes were initiated for affected customers (Match). Law enforcement was engaged (Bumble).
## Lessons Learned
- The security posture of third-party contractors or vendor access points remains a critical vulnerability for high-value targets.
- Over-reliance on cloud collaboration tools (Drive, Slack) for storing highly sensitive or confidential internal documentation creates a centralized point of failure for data exfiltration if access controls are breached.
- The threat actor group ShinyHunters is actively targeting major technology and consumer-facing firms, often monetizing stolen data via public leaks.
## Recommendations
- Implement stronger Multi-Factor Authentication requirements, especially for contractor accounts with broad network or cloud service access.
- Audit and rigorously segment access to cloud storage repositories (Google Drive, etc.) based on the principle of least privilege.
- Enhance monitoring for unusual data download or exfiltration patterns emanating from collaboration tools, particularly those accessing files marked "confidential."
- Conduct phishing simulation training specifically targeting employees and relevant third-party vendors.
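
The monitoring recommendation above can be sketched as a sliding-window check over collaboration-tool audit events. This is an added example, not taken from either company's tooling or from the source reporting. The event schema, account names, window and thresholds (including the stricter limit for contractor accounts) are assumptions chosen for illustration, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SENSITIVE = {"confidential", "restricted"}  # labels named in the report

def _ev(ts, actor, kind, action, file_id, label):
    # Simplified, hypothetical event schema (not a vendor audit-log format).
    return {"ts": datetime.fromisoformat(ts), "actor": actor, "actor_type": kind,
            "action": action, "file_id": file_id, "label": label}

# Constructed sample events: one contractor burst, one ordinary employee.
EVENTS = (
    [_ev(f"2026-01-20T02:1{i}:00", "contractor-a@example.com", "contractor",
         "download", f"doc-{i}", "confidential") for i in range(6)]
    + [_ev("2026-01-20T09:00:00", "employee-b@example.com", "employee",
           "download", "doc-1", "confidential"),
       _ev("2026-01-20T09:05:00", "employee-b@example.com", "employee",
           "view", "doc-2", "restricted"),
       _ev("2026-01-20T13:30:00", "employee-b@example.com", "employee",
           "download", "doc-3", "confidential"),
       _ev("2026-01-20T10:00:00", "contractor-c@example.com", "contractor",
           "download", "doc-9", "public")]
)

def flag_bulk_downloads(events, window=timedelta(minutes=15), limits=None):
    """Return {actor: peak} where peak is the largest number of distinct
    sensitive files one actor downloaded inside any single window."""
    limits = limits or {"contractor": 4, "employee": 10}  # assumed thresholds
    per_actor = defaultdict(list)
    for e in events:
        if e["action"] == "download" and e["label"] in SENSITIVE:
            per_actor[(e["actor"], e["actor_type"])].append(e)
    alerts = {}
    for (actor, kind), evs in per_actor.items():
        evs.sort(key=lambda e: e["ts"])
        peak = 0
        for i, first in enumerate(evs):
            # Distinct files, so re-downloading one document is not a burst.
            files = {e["file_id"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            peak = max(peak, len(files))
        # Unknown account types fall back to the strictest limit.
        if peak >= limits.get(kind, min(limits.values())):
            alerts[actor] = peak
    return alerts

if __name__ == "__main__":
    print(flag_bulk_downloads(EVENTS))
```

Counting distinct files rather than raw events keeps a user who repeatedly opens one document from alerting, while a sweep across many labelled files by a single account still does.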