Match Group's portfolio includes Tinder, Hinge, Match, OkCupid and Plenty of Fish (mtch.com); leaksear.ch has indexed a 2026 Match Group leak containing 8,350,087 records, with the breach date listed as January 17, 2026 (leaksear.ch metadata). The indexed data spans user identifiers, contact details, location data, IP addresses, mobile attribution logs and a subset of Plenty of Fish password fields (leaksear.ch metadata), while public reporting said Match Group confirmed a security incident after ShinyHunters claimed a dating-app data theft (www.bleepingcomputer.com).
What happened
Public reporting in late January 2026 said ShinyHunters claimed more than 10 million records tied to Hinge, Match.com and OkCupid usage data from AppsFlyer, along with internal documents. Match Group confirmed it was investigating a recently identified security incident, said it terminated unauthorized access, and said at the time that it had no indication user login credentials, financial information or private communications were accessed (www.theregister.com, www.malwarebytes.com, www.bleepingcomputer.com).
BleepingComputer reported that the attacker was said to have compromised an Okta SSO account that provided access to Match Group's AppsFlyer marketing analytics instance, and also reported that Match Group disputed claims that Google Drive and Dropbox files were accessed. UpGuard separately summarized the alleged method as vishing against Okta SSO credentials and the AppsFlyer analytics platform (www.bleepingcomputer.com, www.upguard.com).
Google Cloud's Mandiant and Google Threat Intelligence Group reported a broader January 2026 expansion of ShinyHunters-branded SaaS data theft that used vishing and victim-branded credential harvesting to obtain SSO credentials and MFA codes, then target cloud SaaS applications for data exfiltration. That context aligns with public reporting that this incident was centered on social engineering and SaaS access rather than a confirmed dating-app software exploit (cloud.google.com).
What data was exposed
The searchable fields in leaksear.ch for this corpus are country, date of birth, email address, IP address, name, password, phone number and username (leaksear.ch metadata). Other indexed fields indicate a mix of AppsFlyer mobile-attribution events, Plenty of Fish user database exports, support-ticket data and internal corporate documents, including advertising IDs, AppsFlyer IDs, Android IDs, IDFA and IDFV identifiers, device model, OS and app version, carrier, user agent, city, postal code, gender, event timestamps, campaign and media-source fields, subscription-related timestamps, account status flags, support ticket IDs and request metadata (leaksear.ch metadata).
The metadata includes password and plain_password fields for a subset of POF user records (leaksear.ch metadata). That is broader than Match Group's January public statement, as reported at the time, that it had no indication user login credentials were accessed (www.bleepingcomputer.com, www.upguard.com).
Why this matters
For individuals, this combination can support targeted phishing or account-recovery attacks that reference dating-platform context, approximate location, device traits or subscription activity. The presence of passwords in part of the indexed POF data raises password-reuse risk, even if the affected password set is not described in public company statements (leaksear.ch metadata). For security teams, emails, phones, usernames, IPs and device identifiers provide pivots for exposure checks, alert triage and user notification decisions (leaksear.ch metadata). If you used Match Group services, use the exposure check on this page to see whether your data appears in the Match Group 2026 leak.
Check your exposure
Vetted researchers and incident-response teams can request access or sign in if they already have access to check this dataset. Searchable pivots for this leak include country, date of birth, email, ip address, name, password, phone, and username.
Sources
- Match Group: Our Company
- BleepingComputer: Match Group breach exposes data from Hinge, Tinder, OkCupid, and Match
- The Register: ShinyHunters swipes right on 10M records in alleged dating app data grab
- Malwarebytes: Match, Hinge, OkCupid, and Panera Bread breached by ransomware group
- UpGuard: Match Group Suffers Alleged Breach According to Dark Web Reports
- 404 Media: Hackers Say They've Hacked Match Group, Maker of Hinge, OkCupid
- Google Cloud: Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft