
Inside ShinyHunters’ Vishing Campaign Against Dating Apps

In late January, the ShinyHunters cyber-extortion group announced two high-profile leaks, one targeting Match Group, the company behind Match, Hinge, OkCupid, and other dating apps, and one aimed at Bumble. In the Match Group incident, the gang claimed that access to AppsFlyer and cloud storage let them capture millions of usage-data records and hundreds of internal documents, while Bumble now faces a parallel leak of internal files.

ShinyHunters promotes these breaches on its leak site like a product launch, bundling purported user information and corporate records into downloadable archives. For most users the technical details can feel abstract, yet the real consequences are straightforward: sensitive data about how and where people date is now being used for extortion.

From Cyber Alliances to Solo Campaigns

Over the past several years, ShinyHunters has shifted from being a data broker to becoming one of the main players in a broader partnership that includes groups like LAPSUS$ and Scattered Spider, known collectively as Scattered LAPSUS$ Hunters. That alliance combined ShinyHunters’ data siphoning operations with the multi-factor authentication bypass techniques used by LAPSUS$ and Scattered Spider’s social-engineering-heavy intrusions.

Today the ShinyHunters brand runs a dedicated ransomware and data-theft project, with its own leak site and its own style of extortion notes and public shaming. Even if the collaborative structures change behind the scenes, the playbook is the same: steal cloud data at scale, then coerce the targets into paying quietly by threatening public exposure.

Vishing for SSO: Why Strong Auth Doesn’t Cut It

The dating-app leaks are part of a broader ShinyHunters campaign that combines vishing (voice phishing) with highly targeted phishing pages to steal single sign-on (SSO) credentials and skirt multi-factor authentication (MFA). In these operations, attackers posing as IT staff call employees and get them to visit fake company-branded login portals, often under the pretext of an urgent MFA reset or security scan.

While the victim is on the phone, the attacker relays the stolen usernames, passwords, and one-time codes in real time into the legitimate SSO dashboard, often even registering their own device for MFA to maintain persistent access. Once inside, they pivot through Okta, Microsoft Entra, or Google SSO to whatever connected SaaS applications the account can reach, including marketing analytics platforms like AppsFlyer and cloud applications such as Google Drive and Dropbox.
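For defenders, the sequence described above (sign-in from an unfamiliar source, a new MFA device enrolled minutes later, then rapid access to several connected apps) can be correlated in SSO logs. The following is an added example, not code from the original article; the event schema, event names, thresholds, and sample records are all constructed assumptions rather than a real identity-provider export.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window
FANOUT = 3                      # assumed distinct-app threshold

# Constructed events: (timestamp, user, event, source_ip, detail).
# Field and event names are a hypothetical schema, not a real IdP export.
EVENTS = [
    ("2026-01-20T09:00:00", "alice", "login_success", "192.0.2.10", ""),
    ("2026-01-20T09:05:00", "alice", "app_access", "192.0.2.10", "mail"),
    ("2026-01-20T14:02:00", "bob", "login_success", "203.0.113.50", ""),
    ("2026-01-20T14:04:00", "bob", "mfa_enroll", "203.0.113.50", "new-phone"),
    ("2026-01-20T14:06:00", "bob", "app_access", "203.0.113.50", "analytics"),
    ("2026-01-20T14:07:00", "bob", "app_access", "203.0.113.50", "drive"),
    ("2026-01-20T14:09:00", "bob", "app_access", "203.0.113.50", "fileshare"),
    ("2026-01-20T15:00:00", "carol", "login_success", "192.0.2.30", ""),
    ("2026-01-20T15:01:00", "carol", "mfa_enroll", "192.0.2.30", "new-key"),
    ("2026-01-20T16:00:00", "dave", "login_success", "203.0.113.99", ""),
    ("2026-01-20T17:30:00", "dave", "mfa_enroll", "203.0.113.99", "new-phone"),
]

# Constructed baseline of source IPs previously seen per user.
KNOWN_IPS = {"alice": {"192.0.2.10"}, "bob": {"192.0.2.20"},
             "carol": {"192.0.2.30"}, "dave": {"192.0.2.40"}}

def detect(events, known_ips, window=WINDOW, fanout=FANOUT):
    """Return {user: sorted findings} for sessions opened from an unseen IP."""
    sessions = {}   # (user, ip) -> {"start": datetime, "apps": set()}
    findings = {}
    for ts, user, event, ip, detail in sorted(events):
        when = datetime.fromisoformat(ts)
        key = (user, ip)
        if event == "login_success":
            if ip not in known_ips.get(user, set()):
                sessions[key] = {"start": when, "apps": set()}
            continue
        sess = sessions.get(key)
        if sess is None or when - sess["start"] > window:
            continue  # known IP, or outside the correlation window
        if event == "mfa_enroll":
            findings.setdefault(user, set()).add("mfa_enroll_after_new_ip_login")
        elif event == "app_access":
            sess["apps"].add(detail)
            if len(sess["apps"]) >= fanout:
                findings.setdefault(user, set()).add("saas_fanout_from_new_ip")
    return {u: sorted(f) for u, f in findings.items()}

if __name__ == "__main__":
    print(detect(EVENTS, KNOWN_IPS))
```

Enrollment from a familiar source (carol) and enrollment long after the sign-in (dave) are not flagged, so widening the window trades fewer misses for more noise.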

What We See In Our Own Data 

Direct vishing is only one of the ways credentials end up exposed in the ecosystem of infostealer and dark web data. Infostealer malware continues to stealthily capture login records from consumer and enterprise machines, compiling browser-stored passwords, cookies, and session tokens into logs that surface in underground markets.

The logs above provide a snapshot of our findings, including large volumes of records associated with dating platforms like Match, Hinge, Bumble, Tinder, and OkCupid that illustrate how often users reuse or store credentials for these services. In addition to email-and-password pairs, these logs can contain autofill data, device fingerprints, and legitimate authentication cookies that enable actors to hijack sessions without having to solve MFA. Combined with SSO-centric vishing attacks, the result is a multi-faceted threat landscape where human trust, endpoint compromise, and SaaS sprawl all intersect. 

What This Means For Users 

The instinctive response to any data breach is to hold the company responsible, as it is primarily responsible for the data it collects. But attacks like the ShinyHunters dating-app breaches have demonstrated that even the most advanced security systems can crumble when attackers go after the human element, e.g., employees who answer a phone call or people who click a false login link.

For users of dating apps and other sensitive services, a few disciplined practices can make the difference between a temporary inconvenience and long-term harm:

  • Don’t send out your credentials or MFA codes over the phone, chat, or email, even when they are requested by a trusted source. Actual support staff will never ask for your password or a one-time code.
  • Verify domains before signing in, particularly whenever you’ve arrived at the page via email, SMS, or a call; subtle lookalike domains, such as custom “internal” portals, are used in these campaigns.
  • Use a unique password for every account and enable MFA wherever you can so one stolen password doesn’t impact the rest of your digital life.

On Valentine’s Day, most people are concerned about buying the right chocolate. In today’s threat landscape the more serious risk is losing your digital identity to the wrong person.

Lior Noy