
Dating App Data Breaches: A Timeline of the Worst Leaks

In April 2025, Bitdefender researchers reported that five dating apps had leaked over 1.5 million private and explicit images from cloud storage buckets left without password protection. The affected users -- between 800,000 and 900,000 people -- had no idea their most intimate photos were publicly accessible to anyone with the right URL.

This was not an anomaly. It was the latest entry in a long, escalating pattern of dating app data breaches that has exposed hundreds of millions of users over the past decade. Mozilla's 2024 Privacy Not Included report found that 52% of dating apps reviewed had experienced a data breach, leak, or hack within the preceding three years. A separate study reported that 75% of dating apps fail basic security standards, with no platform achieving an A-grade rating.

The data at stake is uniquely sensitive: sexual orientation, intimate photos, HIV status, private messages about deeply personal topics, real-time GPS coordinates. When this data leaks, the consequences are not just financial -- they are reputational, emotional, and in documented cases, life-threatening.

This timeline covers the most significant dating app data breaches in history, what was exposed, who was affected, and what each incident reveals about the state of digital privacy in dating.

2012-2015: The Early Warning Signs

eHarmony Password Leak (June 2012)

What happened: Approximately 1.5 million hashed passwords were leaked and posted on a hacker forum. The passwords used unsalted MD5 hashing, a method considered insecure even in 2012.

What was exposed: Usernames and password hashes. While the breach did not directly expose profile data, the weak hashing meant many passwords could be cracked, giving attackers access to full accounts.

Significance: One of the first dating platform breaches to demonstrate that these companies were not applying even basic security standards to their infrastructure.

Cupid Media Breach (January 2013)

What happened: A network of niche dating sites operated by Cupid Media was breached, exposing 42 million user records including names, email addresses, and unencrypted passwords.

What was exposed: Full names, email addresses, dates of birth, and passwords stored in plain text -- meaning no hashing or encryption whatsoever.

Significance: Storing passwords in plain text was indefensible even in 2013. The breach demonstrated that some dating platforms treated security as an afterthought.

Ashley Madison Breach (July-August 2015)

What happened: A hacking group called The Impact Team stole and released over 60 gigabytes of data from Ashley Madison, a platform marketed for extramarital affairs. The group demanded the site shut down; when it did not, they published everything.

What was exposed: Full names, email addresses, physical addresses, credit card transaction records, sexual preferences, and internal company communications of approximately 37 million users.

The human cost: This breach is widely considered the most devastating dating app data breach in history:

  • Toronto police reported that at least two suicides were linked to the data release
  • Hundreds of divorces and relationship breakdowns followed
  • A $578 million class-action lawsuit was filed against the company
  • The CEO, Noel Biderman, resigned
  • Users faced blackmail attempts, job losses, and public humiliation
  • Military and government employees were identified using their official email addresses

Troy Hunt, cybersecurity expert and creator of Have I Been Pwned, observed at the time: "The Ashley Madison breach was different because of the nature of the data. This was not credit card numbers -- it was people's most private desires, exposed without any way to undo the damage."

2016-2019: Scale Escalates

Adult FriendFinder Network Breach (November 2016)

What happened: The largest dating-related breach in history affected the entire FriendFinder Networks portfolio, including Adult FriendFinder, Cams.com, and Penthouse.com.

What was exposed: 412 million accounts, including email addresses, passwords (many stored as SHA-1 without salting), IP addresses, and browser information. The breach also exposed accounts that users had previously "deleted," confirming that deletion did not actually erase data from the company's servers.

Significance: The exposure of "deleted" accounts was a landmark revelation, establishing that users' expectations about data deletion were fundamentally misaligned with industry practice.
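The eHarmony (unsalted MD5) and Adult FriendFinder (SHA-1 without salting) entries above share one weakness, shown here next to a salted, memory-hard alternative. This is an added example, not code from any of the companies named; the account names and passwords are constructed, and scrypt stands in for any modern password KDF.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not from any breach); two users share a password.
ACCOUNTS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "Tr0ub4dor&3"}

def unsalted_md5(password: str) -> str:
    """Weak scheme described above: fast hash, no salt."""
    return hashlib.md5(password.encode()).hexdigest()

def scrypt_record(password: str) -> tuple[bytes, bytes]:
    """Hardened scheme: random per-user salt plus a memory-hard KDF."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest

def verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return hmac.compare_digest(candidate, digest)

def shared_hash_groups(stored: dict) -> list[list[str]]:
    """Users whose stored value is identical; each group falls to a single guess."""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

MD5_TABLE = {u: unsalted_md5(p) for u, p in ACCOUNTS.items()}
SCRYPT_TABLE = {u: scrypt_record(p) for u, p in ACCOUNTS.items()}

if __name__ == "__main__":
    print("unsalted MD5 groups:", shared_hash_groups(MD5_TABLE))
    print("salted scrypt groups:", shared_hash_groups(SCRYPT_TABLE))
```

Without a salt, the same password always produces the same stored value on every site, so one precomputed table applies to every leaked database; with a per-user salt, each record has to be attacked separately and at the KDF's cost.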

Coffee Meets Bagel Breach (February 2019)

What happened: An unauthorized party gained access to user data, affecting approximately 6 million accounts.

What was exposed: Names and email addresses of users who had registered before May 2018. While the company stated no passwords or financial data were compromised, the breach confirmed that the platform stored personally identifiable information without adequate access controls.

2020-2023: Sophistication and Regulatory Response

Zoosk Data Theft (May 2020)

What happened: The ShinyHunters hacker group, known for targeting multiple platforms simultaneously, stole data from Zoosk as part of a larger campaign.

What was exposed: Up to 24 million user records, including a remarkably detailed dataset: income levels, birthdates, weight, political views, and sexual orientation. This breach demonstrated the extraordinary depth of sensitive personal data that dating apps collect and store.

Grindr Data Sharing and Fines (2018-2024)

What happened: This was not a traditional hack but a systemic data-sharing practice. Grindr shared user data with advertising partners, including highly sensitive information.

What was exposed and shared:

  • GPS location precise enough to locate users within feet
  • HIV status and last test date
  • IP addresses, age, and gender
  • Advertising IDs enabling cross-platform tracking

Regulatory consequences:

  • Norwegian Data Protection Authority fined Grindr $6.5 million (upheld by Oslo District Court in July 2024)
  • Over 11,000 claimants signed up for a UK class-action lawsuit as of June 2025
  • A Catholic publication used commercially available Grindr location data purchased from a broker to identify a senior U.S. Catholic Church official, forcing his resignation

Significance: The Grindr case demonstrated that dating app data breaches are not limited to external hackers. Deliberate data sharing by the company itself can be equally devastating.

Dr. Lukasz Olejnik, independent privacy researcher and former advisor to the European Data Protection Supervisor, noted: "The Grindr case proved that data sharing and data breaches exist on a spectrum. When a company voluntarily sends sensitive user data to third parties without meaningful consent, the practical impact on users can be identical to a hack."

MeetMindful Breach (January 2021)

What happened: A hacker posted data from the dating app MeetMindful on a publicly accessible hacking forum.

What was exposed: Records of 2.3 million users, including full names, email addresses, location data, dating preferences, IP addresses, Facebook user IDs, and bcrypt-hashed passwords.

Breaches feel abstract until they happen to someone you know:

2024-2026: The Crisis Intensifies

Bumble Biometric Settlement (2024)

What happened: Bumble Inc. reached a $32 million settlement over allegations that it collected biometric facial recognition data (facial geometry from photo verification) without obtaining explicit user consent, violating transparency obligations.

Significance: This case established that photo verification features -- marketed as safety tools -- create biometric data liabilities that persist beyond the verification process.

Five Dating Apps Image Leak (April 2025)

What happened: Cybersecurity researchers at Bitdefender discovered that five niche dating apps -- BDSM People, Chica, Pink, Brish, and Translove -- had stored user images in cloud storage buckets with no password protection.

What was exposed: Over 1.5 million private and explicit images belonging to approximately 800,000-900,000 users. The images were publicly accessible via direct URL.

Significance: The affected apps targeted LGBTQ+ and kink communities, meaning the exposed images carried heightened risks of discrimination, harassment, and blackmail for users in regions where their identities or preferences are criminalized.
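A defender-side check for the misconfiguration described above: scanning a bucket policy for grants that let anyone read objects. This is an added example, not code from Bitdefender or the affected apps; the article does not name the storage provider, so an Amazon S3-style policy document is assumed, and the bucket name, Sids and endpoint ID are constructed.

```python
import json

# Constructed S3-style policy for a hypothetical bucket "example-app-uploads".
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "PublicImages", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-uploads/*"},
    {"Sid": "AppBackend", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111122223333:role/app-backend"},
     "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::example-app-uploads/*"},
    {"Sid": "CdnOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-app-uploads/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-EXAMPLE"}}}
  ]
}
""")

# Exact action names only; wildcard patterns such as "s3:Get*" are not expanded.
READ_ACTIONS = {"s3:GetObject", "s3:ListBucket", "s3:*", "*"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def is_anonymous(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in as_list(principal.get("AWS", []))

def public_read_findings(policy: dict) -> list[dict]:
    """Return Allow statements that grant read access to an anonymous principal."""
    findings = []
    for stmt in as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not is_anonymous(stmt.get("Principal")):
            continue
        actions = sorted(set(as_list(stmt.get("Action", []))) & READ_ACTIONS)
        if actions:
            findings.append({
                "sid": stmt.get("Sid", "<no Sid>"),
                "actions": actions,
                # A Condition may narrow the grant; flag it for manual review.
                "unconditional": not stmt.get("Condition"),
            })
    return findings
```

A finding with `unconditional` set to true is the situation the researchers reported: any object in the bucket can be fetched by direct URL with no credentials.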

Tea App Breach (July 2025)

What happened: Unauthorized access to a database exposed data from Tea, a dating app marketed as the "#1 women's dating app."

What was exposed:

  • 72,000 user images, including 13,000 government ID photos from verification processes
  • 59,000 images from user posts and private messages
  • 1.1 million private messages covering deeply personal topics including divorce, abortion, infidelity, and sexual assault
  • Data from users who registered before February 2024 was still stored on outdated servers, indicating poor data lifecycle management

The EFF included the Tea breach in its "Breachies 2025" report, highlighting it as one of the year's worst, weirdest, and most impactful data breaches.

OkCupid/Match Group FTC Action (March 2026)

What happened: The Federal Trade Commission filed a complaint alleging that OkCupid and parent company Match Group had secretly shared nearly 3 million user photos with Clarifai, a facial recognition company, in 2014. OkCupid's founders were financial investors in Clarifai.

What was exposed: Nearly 3 million user photos, along with demographic and location data. No formal data-sharing agreement existed. No restrictions were placed on how the data could be used. No payment was collected. Users were never notified.

Concealment efforts: The FTC alleged that Match and OkCupid spent more than a decade trying to hide the transfer, including attempting to obstruct the FTC's investigation and publicly denying involvement with Clarifai when journalists reported on it.

Settlement: The proposed agreement prohibits Match from misrepresenting its data practices but includes no monetary fines.

Patterns and Lessons

A decade of dating app data breaches reveals consistent patterns:

  1. The data collected is disproportionate to the service provided. Dating apps routinely collect and store data far beyond what matching requires -- biometrics, income, political views, health status -- creating unnecessarily rich targets.

  2. "Deleted" data is rarely deleted. The Adult FriendFinder breach exposed accounts users thought they had removed. The Tea breach exposed data from users who registered years before the incident. The OkCupid photos were transferred in 2014 and persisted through 2026.

  3. Vulnerable communities face disproportionate harm. Breaches at Grindr, the five LGBTQ+/kink apps, and Tea demonstrate that marginalized users face heightened consequences, including outing, discrimination, and physical danger.

  4. Companies prioritize concealment over transparency. OkCupid spent a decade hiding its data transfer. Ashley Madison knew about security vulnerabilities before the breach. Multiple platforms fail to notify affected users proactively.

  5. Fines are not deterrents. Grindr's $6.5 million fine represents a fraction of its revenue. The OkCupid settlement includes no monetary penalty at all. Until consequences match the harm, incentive structures remain unchanged.

How to Protect Yourself

No user can prevent a breach at a company that holds their data. But you can significantly reduce your exposure:

  • Minimize the data you provide: Use only what is required. Skip optional fields for income, employer, political views, and ethnicity.
  • Use unique, strong passwords and enable two-factor authentication wherever available.
  • Avoid photo verification unless you trust the platform's data handling -- biometric data is uniquely difficult to change if compromised.
  • Choose platforms built on privacy-first principles. Apps like Hidnn that practice data minimization by design have less to lose in a breach because they collect less in the first place.
  • Monitor your exposure: Check Have I Been Pwned (haveibeenpwned.com) periodically. Submit data access requests to apps you use.
  • Exercise your rights: Under India's DPDPA, GDPR, or applicable state laws, you can request deletion and demand disclosure of third-party data sharing.

Frequently Asked Questions

How do I check if my dating app data has been leaked in a breach?

Visit haveibeenpwned.com and enter the email address you used on dating apps. The service checks your email against known breach databases. Also search for "[app name] data breach" in news to see if platforms you have used were compromised.

Can I sue a dating app if my data is leaked?

Yes, depending on your jurisdiction. The Grindr UK lawsuit has over 11,000 claimants. Under GDPR, you can claim compensation for material and non-material damages. India's DPDPA enables complaints to the Data Protection Board, which can impose fines up to Rs 250 crore on violating companies.

Are smaller, niche dating apps more or less secure than major platforms?

The evidence suggests niche apps are often less secure. The five-app image leak in April 2025 targeted smaller platforms with inadequate infrastructure. However, major platforms like OkCupid, Grindr, and Bumble have also demonstrated serious failures. Size does not guarantee security -- architecture and investment in privacy do.

What makes dating app breaches more dangerous than other data breaches?

Dating app data is uniquely personal: sexual orientation, intimate photos, HIV status, desire for extramarital connections, private conversations about deeply sensitive topics. Unlike a credit card number that can be changed, this data cannot be un-exposed. The Ashley Madison breach directly contributed to suicides, divorces, and blackmail campaigns -- consequences that go far beyond financial loss.

Has any dating app ever achieved a perfect security rating?

No. According to security assessments, no dating app has achieved an A rating for security practices. Mozilla's 2024 review gave only 3 out of 25 apps a passing privacy grade. This is an industry-wide structural problem, not a matter of isolated bad actors.

Key Takeaways

  • Dating app data breaches have exposed over 500 million accounts in the past decade, with consequences ranging from financial fraud to suicide
  • 52% of major dating apps have experienced a breach in the past three years (Mozilla, 2024)
  • "Deleted" data regularly surfaces in breaches -- accounts users thought were removed years ago continue to be exposed
  • Vulnerable communities face disproportionate harm -- LGBTQ+ users, kink communities, and women are targeted with heightened consequences
  • No dating app has achieved a top security rating -- privacy-first architecture remains the exception, not the norm
  • Your best protection is data minimization -- the less a platform knows about you, the less it can expose

Every breach on this timeline was preventable. Every one was preceded by choices -- to collect too much, store too long, share too freely, and secure too little. The dating industry will not change until users demand that privacy is a prerequisite, not a premium feature.
