The Biggest Data Breaches in Dating Apps: Lessons under UK GDPR

Dating apps have transformed modern relationships, offering convenience and access to a vast user base. However, these platforms also handle vast amounts of sensitive personal data, making them attractive targets for cybercriminals. The exposure of user information in data breaches raises serious concerns under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and other applicable legal frameworks.

As Valentine’s Day approaches, it’s the perfect time to reflect on some of the biggest data breaches in dating apps in history. These incidents didn’t just expose user information; they revealed how easily our private lives can be compromised when proper data protection measures aren’t in place.

If you’re swiping right this season, here’s what you need to know about staying safe online and protecting your personal information under the UK General Data Protection Regulation (UK GDPR). Here are some of the biggest data breaches in dating apps.

Ashley Madison Breach (2015) – A Landmark Privacy Disaster

Ashley Madison, a dating website catering to individuals seeking extramarital affairs, suffered one of the most infamous dating app breaches in history. A hacker group, The Impact Team, infiltrated the platform and leaked personal data of approximately 37 million users, including email addresses, payment transactions, and highly sensitive profile details.

The breach led to devastating consequences, including blackmail attempts, job losses, divorces, and even reported suicides. The case demonstrated the catastrophic risks of failing to implement adequate security measures when handling special category data (e.g., sexual preferences), which under Article 9 of UK GDPR requires enhanced protection.

Adult FriendFinder Network Breach (2016) – The Largest Dating Data Exposure

In 2016, the Adult FriendFinder network, including multiple adult-oriented sites, suffered a massive breach affecting 412 million accounts. The compromised data included usernames, email addresses, and passwords—many of which were stored using weak encryption methods, allowing them to be easily decrypted.

Following the breach, much of the stolen data was found circulating on dark web forums. This exposed users to phishing, fraud, and reputational damage.

Coffee Meets Bagel Breach (2019) – A Valentine’s Day Wake-Up Call

On 14 February 2019, Coffee Meets Bagel disclosed a security breach exposing the personal data of approximately 6 million users. While financial information remained secure, stolen details included names, email addresses, and profile data.

The breach was part of a larger cyberattack affecting multiple online services. This demonstrated the growing risks associated with third-party data processing and supply chain vulnerabilities.

Grindr Privacy Concerns (2018 & 2021) – Data Sharing Without Consent

Grindr, a leading LGBTQ+ dating app, has faced repeated privacy scandals. In 2018, reports emerged that Grindr had shared user’s special categories of personal data. This included HIV status (health information) —with third-party analytics firms without explicit consent. Under UK GDPR, this constitutes unlawful processing of special category data.

In 2021, further reports revealed that Grindr’s security flaws allowed attackers to track users’ locations, even when users had disabled location-sharing features, endangering individuals in regions where LGBTQ+ identities face persecution.

Bumble & Badoo Biometric Data Lawsuit (2024) – Legal Fallout Over Facial Recognition

In 2024, Bumble Inc. (owner of Bumble & Badoo) reached a £32 million settlement over allegations that the company collected biometric data (facial recognition data from profile photos) without explicit user consent.

The lawsuit, filed under biometric privacy laws, accused the company of failing to inform users how their biometric data was being processed, violating transparency and fairness obligations under UK GDPR.

Some Important Tips (users’ perspective)

Only provide the minimum personal information needed. Avoid sharing sensitive details like your full name, home address, or financial info. Additionally, you always have the option to adjust app settings to control who can see your profile and what information is shared.

Another important thing is the creation and use of unique passwords for each app and enable two-factor authentication wherever possible.

Also, watch out for phishing attempts or suspicious messages. Never click on unfamiliar links or give out financial details!!!

If you’re no longer using a dating app, delete your account to minimise the risk of your data being exposed in future breaches. 

Final thoughts

Dating apps are fun and exciting, but they also come with serious data protection and privacy risks. As these platforms collect increasingly personal data, it’s crucial to stay informed and protect your digital footprint. This Valentine’s Day don’t just guard your heart—guard your data too. Choose apps that prioritise user privacy, read their privacy policies, and follow the safety tips above. Remember, love might be in the air, but so are cyber threats. Stay smart, stay safe, and happy swiping!