In late January 2026, the threat actor group ShinyHunters (operating as part of the “Scattered LAPSUS$ Hunters” collective) claimed responsibility for a significant data exfiltration targeting Match Group, the parent company of Hinge, OkCupid, and Match.com. The breach was executed via a sophisticated voice phishing (vishing) campaign that compromised an employee’s Okta Single Sign-On (SSO) credentials, subsequently granting the attackers access to internal dashboards and the mobile marketing platform AppsFlyer. While the group initially boasted of stealing over 10 million records, verified samples indicate the exposure of approximately 2 million unique advertising IDs (MAIDs) and a list of 85,000 email addresses. Additional leaked data included internal corporate documents, Hinge subscription transaction details, and technical debugging logs from OkCupid. Match Group has stated that core user passwords, full financial information, and private message histories do not appear to have been compromised, though the company is currently notifying affected individuals regarding the risk of secondary phishing attacks.

Source: DataBreach.com