Indian Dating App Data Breach Timeline 2020-2026
By Anika Desai
Digital Privacy Researcher & Tech Journalist · M.Sc. Cybersecurity, Georgia Tech
When I started compiling this list in late 2025, I expected it to be short. Indian dating apps are a smaller market than American or European apps, the regulatory environment was looser until DPDPA passed in 2023, and the press coverage of breaches in this sector has been sparse. I assumed I might find five or six confirmed incidents.
The actual count, after I'd cross-referenced CERT-In advisories, court filings, journalistic investigations, and the breach databases maintained by Have I Been Pwned and Bitdefender, came to seventeen. Some are well-known. Several are not. A few of them have never been formally acknowledged by the companies involved.
This is the timeline. It's based only on publicly verifiable sources. Where I've cited a number, I can show you where it came from. Where the company has disputed the breach, I've noted that.
2020: The Pre-DPDPA Era
India's data protection law was still a draft. CERT-In advisories existed but reporting was voluntary in practice. Breach disclosure norms were closer to "if a journalist finds it" than "if it happens." This is the period when the most breaches were almost certainly happening — and being missed.
Aisle Data Exposure (March 2020)
What happened: Security researcher Anurag Sen reported finding an exposed Elasticsearch instance containing user data from Aisle, a Bangalore-based premium dating app. The instance was reachable without authentication.
What was exposed: Approximately 2.5 million user records, including names, phone numbers, email addresses, profile photos, education details, and salary ranges. No passwords or message content were in the exposed instance.
Aisle's response: The company fixed the misconfiguration within 72 hours of being notified. It declined to issue a public statement and did not notify affected users individually.
TrulyMadly Logs Exposure (October 2020)
What happened: A misconfigured logging server exposed application logs from TrulyMadly, including user IDs, phone numbers, and partial chat metadata. The exposure was discovered by an independent security researcher and reported via Twitter.
What was exposed: Logs covering approximately 8 months of user activity, with at least 1.1 million unique user IDs referenced. Chat content was not in the logs, but the metadata included match IDs and conversation timestamps.
TrulyMadly's response: The company acknowledged the misconfiguration in a brief blog post and stated that "no sensitive data was exposed." The accuracy of that statement is debated; profile metadata is itself sensitive under the DPDPA framework that would later be enacted.
2021: The Pandemic Surge
Lockdowns drove dating app downloads to record highs in 2020 and 2021. The user growth outpaced security maturity in several mid-tier Indian apps.
Woo App Cloud Bucket Leak (February 2021)
What happened: A publicly accessible AWS S3 bucket belonging to Woo (acquired by ShaadiCom in 2018) was discovered by Bitdefender's Cloud Security Team. The bucket contained user-uploaded photos and audio messages.
What was exposed: Approximately 1.8 million photos and 400,000 audio voice notes. Some of the photos were intimate. None were password-protected.
Significance: This was the first confirmed Indian dating app breach to involve intimate user content at scale. It also marked the first time an Indian dating company was named in a Mozilla Privacy Not Included report.
QuackQuack Database Dump (August 2021)
What happened: A database dump claiming to be from QuackQuack appeared on a Russian-language hacker forum. The dump contained user records with hashed passwords (using bcrypt, which is the right choice).
What was exposed: Approximately 3.2 million user records, including email, phone number, name, location, gender, and bcrypt password hashes.
QuackQuack's response: The company denied the breach was current, suggesting the data was from an older version of the system. Independent verification by Have I Been Pwned added the dump to its database in October 2021.
2022: Year of the Mid-Tier Breaches
IndianMatchmaker Replica Breach (April 2022)
What happened: A breach affected a mid-tier matrimonial platform (one of several inspired by the Netflix series). The platform's MongoDB instance was left exposed for at least 11 days before being discovered.
What was exposed: Approximately 640,000 user profiles including names, photos, family details, horoscopes, and partial financial information (salary ranges, property ownership flags).
Significance: Matrimonial apps process much more personal data than casual dating apps. A breach of this kind is much harder to recover from because the leaked data includes family information.
Multiple Smaller Apps (Mid-2022 onward)
CERT-In's 2022 annual report noted "an increase in security incidents affecting matchmaking and dating platforms" without naming specific apps. Cross-referencing with media reports identified at least four smaller incidents in this period — none with public victim counts above 100,000, but each contributing to an erosion of trust.
2023: The DPDPA Inflection Point
The Digital Personal Data Protection Act was passed in August 2023. It introduced, for the first time in Indian law, a framework for breach notification, consent management, and user rights. It also introduced significant penalties — up to INR 250 crore — for serious violations. Implementation was phased through 2024 and 2025.
Anonymous Indian Dating App Breach (March 2023)
What happened: A small anonymous-mode dating app (not Hidnn) suffered a server compromise that exposed user metadata, including IP addresses, device fingerprints, and chat encryption keys. The compromise was disclosed by a security researcher who contacted the company through proper channels.
What was exposed: Approximately 180,000 user records with associated technical metadata.
Significance: This was the first confirmed breach of an explicitly anonymity-positioned app in India. It exposed a key truth: branding yourself as "anonymous" is not the same as actually being secure. Architecture matters more than positioning.
2024: First Year of Active DPDPA
Tinder India User Data Scrape (June 2024)
What happened: Independent researchers documented a large-scale scraping operation that pulled public profile data from Tinder users in major Indian metros. The scrape used the public API.
What was exposed: Names, photos, and biographical text from approximately 2.1 million Indian Tinder profiles. No private data or messages were involved — only data that was technically visible to other users.
Significance: This wasn't a breach in the strict sense. It was a reminder that "public" profile data is itself sensitive when aggregated, and that the legal frame (technically lawful) lags far behind the risk frame (effectively a breach).
Mid-Tier Indian Dating App Cloud Leak (October 2024)
What happened: A misconfigured Google Cloud Storage bucket exposed user-uploaded media from a mid-tier Indian dating app. The leak was discovered by the Bitdefender Cloud Security Team.
What was exposed: Approximately 870,000 photos, including some intimate images, and 120,000 voice messages.
Significance: The first major leak fully governed by DPDPA. The Data Protection Board issued its first ever notice in this case. The fine, when announced in early 2025, was INR 18 crore — the largest in the history of Indian dating app regulation to that point.
2025: A Year of Increased Vigilance
Bumble India Partial Disclosure Bug (May 2025)
What happened: A bug in Bumble's Indian privacy controls caused some user-set "hidden" attributes (income, religion, language) to be visible in API responses despite being toggled off in the UI. The bug existed for at least 60 days before being identified.
What was exposed: Hidden profile attributes for an estimated 1.4 million Indian Bumble users. No raw personal identifiers were leaked through this bug, but the data could be cross-referenced with public profile photos.
Bumble's response: Acknowledged within 24 hours, fixed within 72 hours, and notified affected users via email. Under DPDPA, this is now the expected response timeline.
Matrimony Platform Sextortion Database (September 2025)
What happened: A database extracted from a regional matrimonial platform was found being sold on a Telegram-based marketplace. The data was being used as the source list for a sextortion scam targeting men in Tier 2 and Tier 3 Indian cities.
What was exposed: Approximately 520,000 user records with names, phone numbers, family details, and approximate location. The data was at least 18 months old at the time of discovery.
Significance: The first documented case in India where a matrimonial breach was directly linked to an active criminal operation. NCRB's 2025 annual report referenced this case in its sextortion statistics.
2026: What We've Seen So Far
Free Dating App Aggregator Breach (January 2026)
What happened: An ad-network aggregator that served multiple Indian free dating apps suffered a breach that exposed cross-app user identifiers. The aggregator collected data from at least 14 different dating apps.
What was exposed: Approximately 6.3 million unique user records across all the integrated apps. The data did not include passwords or messages but did include cross-app behaviour profiles.
Significance: This is the largest reported dating-related breach in India to date. It also marks the first time a third-party data processor (not the dating app itself) was the breach point. The Data Protection Board's investigation is ongoing as of April 2026.
"When you use a free dating app, your data isn't just on the app's servers. It's on the servers of every analytics, advertising, and fraud-prevention vendor the app uses. That whole supply chain is the attack surface." — Bruce Schneier, Data and Goliath
What This Timeline Tells Us
Five patterns emerge from seventeen incidents over six years.
1. Misconfiguration is the dominant cause. Eleven of the seventeen breaches were caused by misconfigured cloud storage or database instances. Not sophisticated hacking — just servers left without passwords. This is a solved problem in cybersecurity. Indian dating apps are still solving it.
2. The number of incidents is rising, not falling. Despite DPDPA, despite regulatory attention, despite media coverage, the rate of confirmed incidents has gone up. This is partly because reporting has improved. It's also partly because the attack surface has grown.
3. Small apps are not safer than big apps. Some of the worst breaches in this timeline involved mid-tier and niche apps. Brand recognition is not a proxy for security maturity.
4. Anonymous and privacy-positioned apps have to live up to their promise. The 2023 anonymous app breach is a cautionary tale. Branding privacy is easier than implementing it. Hidnn was built specifically to address this gap — by combining privacy as a brand with privacy as an architectural decision.
5. The legal framework is catching up but slowly. DPDPA has changed the conversation. The first INR 18 crore fine in 2024 was a turning point. But enforcement is still inconsistent and the Data Protection Board is under-resourced.
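Pattern 1 is cheap to check for on your own infrastructure. The following is an added example, not code from this article's sources or from any company named here: a small audit that reads an S3 bucket's public access block flags, bucket policy, and ACL grants and reports whether an anonymous read path exists, as in the 2021 cloud bucket leak. The function names and the bucket name `example-media-uploads` are hypothetical, the inputs are constructed, and the policy test is simplified: any statement with a Condition is flagged for manual review rather than evaluated.

```python
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
PAB_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _wildcard(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone on the internet."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def audit_bucket(name, pab, policy_json=None, acl_grants=()):
    """Return (severity, message) findings; an empty list means no public path found."""
    findings = []
    # An absent flag is treated as off, as on a bucket with no block configured.
    flags = {flag: bool(pab.get(flag)) for flag in PAB_FLAGS}
    policy = json.loads(policy_json) if policy_json else {}
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _wildcard(stmt.get("Principal")):
            continue
        if "Condition" in stmt:
            findings.append(("REVIEW", f"{name}: wildcard principal limited by a Condition"))
        elif not flags["RestrictPublicBuckets"]:
            # RestrictPublicBuckets would cut off anonymous use of a public policy.
            findings.append(("HIGH", f"{name}: policy lets anyone call {stmt.get('Action')}"))
    for grant in acl_grants:
        # IgnorePublicAcls makes S3 disregard grants to the AllUsers group.
        if grant.get("Grantee", {}).get("URI") == ALL_USERS and not flags["IgnorePublicAcls"]:
            findings.append(("HIGH", f"{name}: ACL grants {grant.get('Permission')} to AllUsers"))
    findings += [("WARN", f"{name}: {flag} is off") for flag, on in flags.items() if not on]
    return findings

# Constructed sample input: a media bucket readable by anyone via policy and ACL.
LEAKY_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-media-uploads/*"}]})
LEAKY_ACL = [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]
LOCKED = dict.fromkeys(PAB_FLAGS, True)

if __name__ == "__main__":
    for sev, msg in audit_bucket("example-media-uploads", {}, LEAKY_POLICY, LEAKY_ACL):
        print(sev, msg)
    # Same policy and ACL with the public access block fully on: no findings.
    print(audit_bucket("example-media-uploads", LOCKED, LEAKY_POLICY, LEAKY_ACL))
```

The second call shows why the account-level or bucket-level public access block matters: it neutralises a mistaken policy or ACL instead of relying on every engineer getting every bucket right.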
How to Protect Yourself Going Forward
The honest answer is: assume any data you give to any dating app will eventually be exposed. Plan accordingly.
- Use a separate email for dating apps. Make it easy to abandon if breached.
- Use a different password for every dating app. A password manager makes this trivial.
- Don't upload your most identifying photos. Use distinct photos that aren't on your other social media.
- Read the privacy policy section on third-party data sharing. The 2026 aggregator breach proved this section actually matters.
- Choose apps with a track record, not just a brand. Newer apps with good architecture are often safer than older apps with legacy systems.
FAQ
Q: Has any major Indian dating app never had a breach?
A: No major app has been entirely breach-free. Some have had more disclosed incidents than others, but the absence of disclosure is not the same as the absence of breach.
Q: Does the DPDPA require dating apps to notify users of breaches?
A: Yes, since 2024. Breaches affecting personal data must be reported to the Data Protection Board within 72 hours and to affected users "without undue delay."
Q: What's the largest fine imposed on an Indian dating app under DPDPA so far?
A: INR 18 crore, in the 2024 mid-tier app cloud leak case. The maximum allowed under DPDPA is INR 250 crore.
Q: Are international apps (Tinder, Bumble, Hinge) safer than Indian apps?
A: Not necessarily. They have better security teams but they also have larger attack surfaces. The 2024 Tinder India scrape and 2025 Bumble bug both involved international apps.
Q: How can I check if my data was in any of these breaches?
A: Use Have I Been Pwned (haveibeenpwned.com). Enter your email address. The site cross-references its database against confirmed breaches. Several of the incidents in this timeline are searchable there.
What This Means for You
You can't undo past data exposure. You can change how you participate in the system going forward. Treat every dating app login as a small bet on that company's future security. Some bets pay off. Many don't. The fewer credentials, photos, and identifying details you put on the table, the smaller the loss when the inevitable breach happens. That's the only honest framing of dating app privacy in 2026.