Bumble and Match Cyberattacks Spread to Panera, Crunchbase as ShinyHunters Claims Data Hauls

January 30, 2026

New York, January 30, 2026, 14:16 (EST)

  • Bumble and Match Group confirmed no passwords or private messages were compromised in recent incidents, whereas Panera reported the stolen data was limited to contact information
  • ShinyHunters leaked stolen files, alleging even bigger data breaches linked to Bumble and Match’s dating platforms
  • Security experts are raising alarms about an expanding voice-phishing campaign aimed at hijacking corporate single sign-on credentials

Bumble and Match Group were targeted by cyberattacks this week, along with Panera Bread and Crunchbase, Bloomberg News reported, as cited by Reuters. Panera confirmed the breach, stating in an email to Reuters that “The data involved is contact information.” (Reuters)

This cluster is significant because it fits right into a familiar extortion pattern: infiltrate systems, steal data, then slowly leak it online to demand ransom. Security experts have connected these latest leaks to ShinyHunters, a group notorious for releasing data samples and ramping up pressure if targets resist paying up.

It highlights how even limited access can have wide-reaching effects. Once a contractor or employee account is compromised, attackers can gain entry to internal tools. Plus, the identity systems that grant access to one service typically link to several others.

Bumble told Bloomberg it reached out to law enforcement after a contractor’s account fell victim to a phishing attack, resulting in what it described as brief unauthorized access to a small section of its network. Match confirmed to Bloomberg that it experienced an incident involving a limited set of user data and said it is notifying the customers affected, The Record reported.

ShinyHunters has leaked what it says are thousands of internal Bumble documents, some labeled restricted or confidential, and claimed to have accessed 10 million records linked to Match. Researchers at Cybernews who examined samples found customer personal info and internal data; one sample related to Hinge contained about 100 matched user profiles, The Record reported. (The Record from Recorded Future)

Match has confirmed a security breach but pushed back against major claims made by the attackers. “Match Group … acted quickly to terminate the unauthorized access,” a spokesperson told CSO, emphasizing there was no sign that logins, financial data, or private messages were compromised. (CSO Online)

Investigators and researchers are keeping an eye on the technique itself, not just who falls victim. Lately, there’s been a surge in voice phishing, or “vishing,” where attackers call targets and coax them into handing over access—sometimes even steering them through live login processes.

Rafe Pilling, director of threat intelligence at Sophos’s Counter Threat Unit, explained that attackers are setting up “target-specific domains” designed to impersonate single sign-on services and identity providers like Okta, according to a report from TechCentral. (TechCentral)

Mandiant, Google’s incident response team, warned that the campaign is still underway and targets corporate identity systems managing cloud app access. “Mandiant is tracking a new, ongoing ShinyHunters-branded campaign using evolved vishing techniques to compromise SSO credentials,” said Charles Carmakal, CTO of Mandiant Consulting. (KBI Media)

Trust is the real battleground here. Bumble and Match, the company behind Tinder, Hinge, and OkCupid, hold sensitive profile data. If that data leaks—even in small amounts—it can trigger user drop-off, lawsuits, and scrutiny from regulators.

The situation remains unclear. Companies are digging into what exactly was compromised, while criminals often inflate the size of their haul to push higher ransom demands. Even fragments of internal documents can spark further scams targeting employees and users—especially when attackers combine leaked info with phone-based social engineering.
