Are you using Tinder, Hinge, Meetic or other dating apps? Your data may have just fallen into the wrong hands

Privacy is the most valuable currency in the era of digital relationships, but the implicit trust between users and platforms has recently been shaken by a massive cyberattack.

The well-known criminal group ShinyHunters has claimed responsibility for a large data-exfiltration operation that hit the heart of online dating: Match Group.

The company, which operates giants in the sector such as Tinder, Hinge, Match.com, OkCupid and Meetic, now faces a crisis that potentially involves ten million records.

However, the cybercriminal offensive did not stop at the romance sphere, extending into the food service and automotive sectors, painting a worrying picture of security.

Bread, love and cars: hackers steal users’ personal data

The claims that appeared on forums frequented by cybercrime researchers were clear: ShinyHunters says it has stolen millions of records belonging to users of Hinge, Match and OkCupid, as well as hundreds of internal documents.

Match Group has confirmed the security incident, immediately launching investigations with the support of external forensic experts. Although the company emphasized that there is no evidence of compromise regarding login credentials (passwords), financial data or private conversations (the chats), the situation remains delicate.

The stolen material reportedly includes personally identifiable information (PII) and user tracking data. Even if the most intimate chats seem to have remained safe, simply associating a real name, an email address or geolocation data with a dating profile constitutes a risk.

The very nature of these platforms makes every breach a potentially traumatic event for members, who may fear repercussions on their private, work-related or family life if their presence on such apps were publicly exposed.

From Panera Bread to the car market

In parallel with the attack against the dating giant, ShinyHunters also struck Panera Bread, the well-known American bakery-café chain. In this instance, the criminals claim to have compromised as many as 14 million records containing personal information.

In this case as well, the company reassured customers that passwords and banking data were not touched, but names, email addresses, physical addresses and phone numbers ended up in the pool of stolen data.

The victim list also expands to include platforms such as CarMax and Edmunds, sites relied upon for buying and reviewing cars, as well as Crunchbase and SoundCloud.

This ‘spillover’ approach underscores that the group’s objective is not a specific sector, but the massive accumulation of personal and contact data, a valuable commodity to fuel future fraud campaigns.

Social engineering and voice identity theft

What makes this wave of attacks particularly insidious is the methodology used. We are not facing the classic exploitation of an unknown software bug, but a manipulation of the human element. ShinyHunters and affiliated groups are using advanced “vishing” (voice phishing) techniques, often enhanced by artificial intelligence to clone voices.

The criminals contact the target company’s employees pretending to be IT support staff and, through deception, manage to obtain access codes or induce the victim to enter their credentials on fake login portals.

The primary targets are Single Sign-On (SSO) platforms such as Okta, Microsoft or Google, which manage centralized access to corporate services. Once access to an SSO account is obtained, attackers hold the keys to multiple internal systems, as happened with Match Group, where compromising one account opened the doors to marketing analytics tools and cloud archives.

How to defend yourself?

Facing threats that go beyond standard security barriers, protecting the end user requires a new awareness. The first line of defense remains password management: changing passwords regularly and using complex, unique ones for each service, with the help of a password manager, makes stealing old credentials futile.

However, in an era where even confirmation SMS messages can be intercepted or bypassed through social engineering, experts advise moving to phishing-resistant two-factor authentication systems, such as FIDO2 hardware security keys or passkeys.

It is also essential to maintain a high level of skepticism towards any urgent communication, whether by phone or email, that demands immediate action on your account.

Always verify the sender’s identity through official channels and actively monitor your digital identity; these are necessary steps to mitigate risks in an increasingly hostile digital ecosystem.

Luca Zaninello

A lifelong enthusiast of the world of telephony, he has spent more than a decade testing products hands-on and sharing his experiences with the web audience. An amateur photographer, he has a soft spot for the most over-the-top cameraphones.
