BlackFlag Advisory — Passive OSINT GRC assessments for Australian businesses. No systems accessed. Board-level reporting delivered within days.


Swiped Right.
Got Breached.

The Match Group hack exposed 10 million dating profiles across Tinder, Hinge and OkCupid. It started not with code — but with a phone call preceded by careful OSINT reconnaissance. Millions of Australians are in this dataset. Here is the full attack chain.

In January 2026, millions of people using Tinder, Hinge, and OkCupid had something in common beyond looking for a match. Their data — names, email addresses, subscription details, mobile advertising IDs — was sitting in a 1.7 GB compressed file on a dark web forum, courtesy of a hacking group called ShinyHunters.

The breach was not caused by a sophisticated nation-state exploit or an unknown zero-day vulnerability. It started with a phone call. And that phone call only worked because the attacker had already done their homework using open-source intelligence tools — the same tools used in a passive OSINT assessment.

10M+  Records claimed across Tinder, Hinge, OkCupid and Match.com
1.7GB  Compressed files published on dark web forums
4  Dating platforms hit simultaneously via one SSO credential

Tinder, Hinge, OkCupid — one company, one attack surface

Most people do not realise that Tinder, Hinge, OkCupid, Match.com, Meetic, and Plenty of Fish are all owned by a single entity: Match Group. This corporate consolidation is efficient for operations and catastrophic for breach impact. One compromised credential exposed four of those platforms at once.

This is the supply chain risk hiding in plain sight inside consumer technology. When you use any one of these apps, your data sits in a shared infrastructure operated by a single parent company. A breach of that company is a breach of all of them.

Key insight The same logic applies to any Australian organisation using shared SaaS infrastructure, consolidated identity providers, or common back-end platforms across business units. One point of failure. Organisation-wide exposure.

Before the call — the OSINT reconnaissance chain

What most breach post-mortems skip over is the work that happens before the attack. In the Match Group case, the attacker almost certainly conducted a structured passive reconnaissance campaign — gathering intelligence entirely from open sources, without touching a single system. This is the phase a passive OSINT assessment is designed to replicate and expose.

The OSINT attack chain — how the reconnaissance unfolded
01

SSO provider identification. Match Group's use of Okta as its Single Sign-On platform is publicly discoverable. Okta tenants sit at predictable hostnames (typically companyname.okta.com), and branded login addresses such as sso.companyname.com are usually just DNS aliases pointing at them. Certificate Transparency logs, passive DNS and internet-wide indexers such as Shodan and Censys make those hostnames and certificates searchable. Job listings routinely confirm the stack: "experience with Okta required" appears in hundreds of corporate postings. No systems touched. No laws broken.

02

Staff profiling via open sources. LinkedIn reveals who works in IT, helpdesk, and identity management by name, role, tenure, and reporting line. This tells an attacker exactly who to impersonate when calling, and exactly who to target as a recipient. Combined with company org charts and public conference speaker profiles, the internal structure becomes visible without a single query to internal systems.

03

Credential harvesting from prior breaches. HaveIBeenPwned confirms which breaches an email address has appeared in; aggregators such as Dehashed and dark web markets hold billions of leaked email and password pairs and will supply the password that went with it. A staff member's work email appearing in a prior breach gives an attacker a confirmed valid address and potentially a reused password, which makes the vishing call far more credible. "We've detected suspicious login attempts on your account" lands very differently when the caller already knows which breaches you've been involved in.

04

The vishing call. Armed with the target's name, role, email, and SSO platform, the call is not cold — it is warm, informed, and highly credible. The attacker impersonated internal IT support. The employee surrendered Okta SSO credentials. One set of credentials unlocked four platforms and all associated internal tooling simultaneously.

05

Lateral movement and exfiltration. From the compromised SSO, attackers pivoted into internal dashboards, the mobile marketing analytics platform AppsFlyer, internal Slack channels, and cloud storage — without ever breaching a core production database. The exfiltrated data included user records, subscription details, advertising IDs, internal documents, and technical debugging logs across OkCupid and Hinge.

The critical point The attacker did not break in. They were handed the keys — because OSINT had already told them which door to knock on, which employee to call, and exactly what to say to be believed.
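As an added, illustrative example (not BlackFlag's tooling and not anything used in the Match Group incident), the Python below runs the first three steps of that chain over constructed sample data: it fingerprints the identity provider from passive DNS / CT-style records, pulls stack hints from job-posting text, and groups staff addresses by prior-breach appearance, then combines them into the picture a caller would hold before dialling. The domain example-dating.com, the hostnames, postings and breach entries are all invented; in a real assessment the same inputs come from passive sources such as Certificate Transparency lookups, public job boards and breach-aggregator exports.

```python
"""Passive-reconnaissance triage over constructed data (added example; not
BlackFlag's tooling and not derived from the Match Group incident). Nothing
here touches the network: every record below is invented and stands in for
what a passive source would return."""
from collections import defaultdict

# Hypothetical target organisation used throughout this example.
TARGET_DOMAIN = "example-dating.com"

# IdP fingerprints: a CNAME target or certificate SAN that equals or ends in one
# of these suffixes identifies the vendor. Illustrative, not exhaustive.
IDP_SUFFIXES = {
    "Okta": (".okta.com", ".oktapreview.com", ".okta-emea.com"),
    "Microsoft Entra ID": ("login.microsoftonline.com", ".b2clogin.com"),
    "Ping Identity": (".pingone.com", ".pingidentity.com"),
}

# Technology keywords to look for in public job postings.
STACK_KEYWORDS = {
    "Okta": ("okta",),
    "AppsFlyer": ("appsflyer",),
    "Slack": ("slack",),
    "AWS": ("aws", "amazon web services"),
}

# Constructed passive-DNS / CT-style records: (hostname, target it resolves to).
SAMPLE_DNS = [
    ("sso.example-dating.com", "example-dating.okta.com."),
    ("login.example-dating.com", "example-dating.okta.com."),
    ("www.example-dating.com", "d1234abcd.cloudfront.example."),
]

# Constructed job postings: (title, body text).
SAMPLE_POSTINGS = [
    ("Identity Engineer", "Administer Okta SSO, SCIM provisioning and AWS IAM."),
    ("Growth Analyst", "Own AppsFlyer attribution dashboards; report in Slack."),
]

# Constructed breach-aggregator output: (email, breach name, password included?).
SAMPLE_BREACHES = [
    ("j.smith@example-dating.com", "OldForum2019", True),
    ("j.smith@example-dating.com", "MarketingSaaS2023", False),
    ("it.helpdesk@example-dating.com", "OldForum2019", True),
    ("someone@other.example", "OldForum2019", True),
]


def fingerprint_idp(records):
    """Map IdP vendor -> sorted hostnames whose target matches its fingerprint."""
    hits = defaultdict(set)
    for host, target in records:
        target = target.lower().rstrip(".")
        for vendor, suffixes in IDP_SUFFIXES.items():
            if any(target == s.lstrip(".") or target.endswith(s) for s in suffixes):
                hits[vendor].add(host.lower())
    return {vendor: sorted(hosts) for vendor, hosts in hits.items()}


def stack_from_postings(postings):
    """Map technology -> sorted job titles whose text mentions it."""
    found = defaultdict(set)
    for title, body in postings:
        text = body.lower()
        for tech, words in STACK_KEYWORDS.items():
            if any(w in text for w in words):
                found[tech].add(title)
    return {tech: sorted(titles) for tech, titles in found.items()}


def staff_exposure(domain, breach_index):
    """Group prior-breach appearances by address for one domain.
    Returns {email: {"breaches": [...], "password_exposed": bool}}."""
    suffix = "@" + domain.lower()
    out = {}
    for email, breach, has_password in breach_index:
        email = email.lower()
        if not email.endswith(suffix):
            continue
        entry = out.setdefault(email, {"breaches": [], "password_exposed": False})
        entry["breaches"].append(breach)
        entry["password_exposed"] = entry["password_exposed"] or has_password
    for entry in out.values():
        entry["breaches"].sort()
    return out


def recon_summary(domain, dns_records, postings, breach_index):
    """Combine the three passive sources into what a caller knows before dialling."""
    idp = fingerprint_idp(dns_records)
    stack = stack_from_postings(postings)
    exposure = staff_exposure(domain, breach_index)
    # A known IdP plus an address with a leaked password is the precondition
    # for the warm, informed vishing pretext described in step 04.
    pretext_ready = bool(idp) and any(e["password_exposed"] for e in exposure.values())
    return {
        "idp": sorted(idp),
        "idp_hosts": idp,
        "stack": sorted(stack),
        "exposed_accounts": exposure,
        "vishing_pretext_ready": pretext_ready,
    }
```

Run recon_summary(TARGET_DOMAIN, SAMPLE_DNS, SAMPLE_POSTINGS, SAMPLE_BREACHES) and the result names Okta as the IdP, two staff addresses with leaked material, and vishing_pretext_ready set to True; the same function over your own passive exports is the defensive version of the exercise.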

What dating app data actually reveals

Dating platforms hold a category of personal information that sits nowhere else. Users supply real names, photographs, precise locations, age, sexual orientation, relationship intentions, income signals, and in many cases workplace details — attributes they actively keep off LinkedIn and other professional profiles.

When this data leaks, the exposure is not just a password reset. It is the potential de-anonymisation of information people considered private. For Australians in sensitive professions — government, law enforcement, finance, healthcare, defence — the implications extend well beyond personal embarrassment.

OSINT exposure risk Mobile Advertising IDs (MAIDs) exposed in this breach can be cross-referenced with other leaked datasets to link a real device to a person’s movement patterns, app usage, and online behaviour across platforms — regardless of whether they used a pseudonym on the app itself. This is not hypothetical. It is standard OSINT tradecraft.
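The linkage that callout describes, as an added example on constructed records (not real breach data and not BlackFlag's tooling): two leaks carry the same advertising ID in different formats, so canonicalising the UUID is what makes the join work, and the all-zero ID that tracking-limited devices report has to be excluded or it links unrelated people to one another. The profile names, IDs, devices and locations are invented.

```python
"""Cross-referencing a pseudonymous dating-app leak with a second dataset on
the mobile advertising ID (added example on constructed data; not real breach
records and not BlackFlag's tooling)."""
import uuid

# The all-zero advertising ID is what a device reports when ad tracking is
# denied. Many devices share it, so it must never be used as a join key.
ZERO_MAID = str(uuid.UUID(int=0))


def normalise_maid(value):
    """Canonicalise an advertising ID (lower-case, hyphenated) so the same
    device matches across datasets that differ in case, braces or hyphens.
    Returns None for values that are not UUIDs."""
    try:
        return str(uuid.UUID(str(value).strip()))
    except ValueError:
        return None


def link_on_maid(profile_rows, other_rows):
    """Join two leaks on the advertising ID. Rows with an invalid or all-zero
    MAID are skipped rather than mis-linked."""
    by_maid = {}
    for row in other_rows:
        key = normalise_maid(row["maid"])
        if key is None or key == ZERO_MAID:
            continue
        by_maid.setdefault(key, []).append(row)
    linked = []
    for row in profile_rows:
        key = normalise_maid(row["maid"])
        if key is None or key == ZERO_MAID:
            continue
        for other in by_maid.get(key, []):
            linked.append({
                "profile": row["profile"],
                "plan": row["plan"],
                "maid": key,
                "device": other["device"],
                "home_area": other["home_area"],
            })
    return linked


# Constructed "dating app" leak: pseudonymous profile, MAID as exported.
DATING_LEAK = [
    {"profile": "harbour_runner", "plan": "Gold", "maid": "3F2504E0-4F89-11D3-9A0C-0305E82C3301"},
    {"profile": "quietcoffee", "plan": "Free", "maid": "6ba7b810-9dad-11d1-80b4-00c04fd430c8"},
    {"profile": "sunny29", "plan": "Free", "maid": "00000000-0000-0000-0000-000000000000"},
    {"profile": "nomaid", "plan": "Free", "maid": ""},
]

# Constructed ad-tech / location leak: same devices, different ID formatting.
ADTECH_LEAK = [
    {"maid": "3f2504e04f8911d39a0c0305e82c3301", "device": "Pixel 8", "home_area": "Canberra ACT"},
    {"maid": "{6BA7B810-9DAD-11D1-80B4-00C04FD430C8}", "device": "iPhone 15", "home_area": "Sydney NSW"},
    {"maid": "00000000-0000-0000-0000-000000000000", "device": "Galaxy S23", "home_area": "Perth WA"},
]
```

link_on_maid(DATING_LEAK, ADTECH_LEAK) returns the two real device matches with their home areas attached and ignores both the empty ID and the all-zero one; the pseudonyms on the dating side did nothing to prevent the join.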

The Australian regulatory context

This breach lands at a moment when Australian privacy law has undergone its most significant transformation in decades. The cost of getting this wrong is no longer theoretical — it is litigated.

New statutory privacy tort (June 2025)
Australians can now sue directly for serious privacy invasions without going through the OAIC first. No regulator involvement required to commence proceedings.
Third-party liability confirmed
The OAIC ruled organisations are liable for breaches caused by their vendors and third-party service providers. Outsourcing the function does not outsource the legal risk.
30-day breach response mandate
Whether a suspected breach is notifiable must be assessed within 30 days of the organisation becoming aware of it. Failure to notify the OAIC and affected individuals promptly now attracts civil penalty proceedings in the Federal Court.
OAIC sector sweeps underway
In 2026 the regulator is conducting its first active compliance sweeps across high-risk data-collection businesses. Consumer-facing digital platforms are explicitly in scope.

The Optus and Medibank civil penalty proceedings — both ongoing in the Federal Court in 2026 — made clear the OAIC is no longer issuing warnings. It is litigating. Both companies are alleged to have failed to take reasonable steps to protect personal information over extended periods. Both are now defending actions that will shape how seriously Australian privacy law is enforced for a generation.

What this means for your organisation

You do not need to be Match Group to have Match Group's problems. The same help-desk processes that let a caller talk an employee out of SSO credentials, the same third-party vendor blind spots, the same credential reuse by staff across personal and professional accounts: these exist in Australian businesses of every size.

The Match Group attacker conducted their OSINT reconnaissance before picking up a phone. They knew which identity provider to target, which staff member to call, and which credentials to ask for — before the attack began. The question for every Australian organisation is whether you have looked at yourself through the same lens first.

What a passive OSINT assessment surfaces before an attacker does

  • Which identity providers your organisation uses — and whether they are publicly discoverable via Shodan, Censys, or job postings
  • Staff email addresses appearing in prior breach databases, including the credentials and breach sources paired with them
  • Your third-party SaaS and integration footprint, including vendors that hold your data and their own breach history
  • Social media and professional profiles that reveal internal structure, roles, reporting lines, and staff tenure
  • Misconfigured cloud assets broadcasting sensitive information to open internet indexers
  • Dark web forum activity referencing your domain, staff identities, or systems
  • Public-facing infrastructure revealing technology stack, software versions, and known vulnerabilities
BlackFlag Advisory A passive OSINT GRC assessment maps your external exposure without accessing any of your systems. No agents installed. No credentials required. No disruption to operations. Delivered within days — with a risk register and board-level executive report your directors can act on immediately.

Your organisation is already broadcasting.

Credentials, vendor connections, staff identities, cloud misconfigurations — all visible to anyone who knows where to look. A BlackFlag passive OSINT assessment shows you exactly what that picture looks like before an attacker acts on it.

Request an Assessment →
What you receive

External threat exposure report  ·  Credential breach analysis across known databases  ·  Vendor and third-party risk mapping  ·  Identity provider visibility assessment  ·  Risk register  ·  Board-level executive summary. All conducted passively — no systems accessed, no credentials tested.