Corporate Misconduct Accountability Project
Bumble Inc. Data Breach January 2026
Bumble Data Breach Exposed 30GB of User Data; Company Chose Negligence Over Security
Dating app ignored industry security standards, failed to implement basic protections, and left millions of users vulnerable to identity theft and fraud.
TL;DR
Bumble, a major dating app based in Austin, Texas, failed to implement basic cybersecurity protections that would have prevented a massive data breach in January 2026. Hackers from the group ShinyHunters used a simple phishing attack to infiltrate Bumble’s networks and steal over 30 gigabytes of highly sensitive user data, including full names, dates of birth, home and cell phone numbers, Social Security numbers, banking information, and dating history for millions of users. The company had promised users their data would be kept safe with “reasonable and adequate security measures,” but instead maintained systems so poorly secured that a preventable phishing attack succeeded. Users now face a lifetime of identity theft risk, with stolen data being sold on the dark web for $40 to $200 per person. This breach could have been stopped through well-known, basic protections that Bumble deliberately chose not to implement.
This negligence was not an accident; it was a choice. Bumble prioritized growth and profit over the safety of millions of people.
- 30GB: User data stolen in single breach
- Millions: Users affected with PII exposed
- $200: Price per identity on dark web
- Preventable: Breach caused by known, avoidable failure
Core Allegations: What Bumble Did
Massive Data Exposure Through Preventable Attack
What they exposed · 4 allegations
| 01 | ShinyHunters hackers accessed and stole over 30 gigabytes of data from Bumble’s servers in January 2026 through a simple phishing attack; the breach included full names, dates of birth, addresses, home and cell phone numbers, Social Security numbers, account numbers, chat history, and dating history. | high |
| 02 | Bumble required users to provide highly sensitive personally identifiable information (PII) as a condition of using the dating service; the company collected banking information, sexual orientation, names, addresses, and other private data required for account creation. | high |
| 03 | Hackers posted a sample of the stolen data to the dark web, demonstrating they have reviewed, possess, and intend to misuse the information by either selling it to other criminals or committing fraud themselves. | high |
| 04 | The leaked data includes everything needed to commit identity theft against each affected user; criminals can use Social Security numbers alone to file fraudulent tax returns, obtain government benefits, or commit immigration fraud in the victim’s name. | high |
Negligent Security: Company Ignored Industry Standards
How they failed · 6 allegations
| 01 | Bumble’s networks fell victim to a phishing attack, indicating the company failed to implement basic, widely available cybersecurity protections; phishing attacks are easy to prevent through two-factor authentication and employee cybersecurity training. | high |
| 02 | Industry experts document that most data breaches could have been prevented through proper planning, design, and implementation of appropriate security solutions; Bumble’s breach falls into this preventable category. | high |
| 03 | Bumble failed to implement encryption of user PII; data was stored in an unencrypted state, making it immediately valuable to hackers once they accessed the servers. | high |
| 04 | The company failed to implement adequate employee cybersecurity training; this is a standard security measure that would have likely prevented the phishing attack that led to the breach. | medium |
| 05 | Bumble did not implement processes to quickly detect breaches or intrusions; hackers were able to steal 30 gigabytes of data without the company knowing immediately. | high |
| 06 | Despite knowing about well-publicized data breaches in its industry, Bumble took no steps to upgrade its security posture or implement the protections that competing companies use. | medium |
Deceptive Promises: Company Lied About Security
What they promised vs. what they delivered · 3 allegations
| 01 | Bumble’s public Privacy Policy promised users: “Here at Bumble, we pride ourselves on taking all appropriate and reasonable security measures to help protect your information against loss, misuse, and unauthorized access or sharing; protect the confidentiality of your personal information, such as by using secured servers with firewalls.” These promises were false. | high |
| 02 | Users entered agreements with Bumble under the reasonable belief that the company would reasonably and adequately protect their PII; they would not have agreed to provide Social Security numbers, banking information, and addresses had they known the company’s security was inadequate. | high |
| 03 | Bumble knowingly failed to disclose that its systems did not have adequate security; this non-disclosure prevented users from making informed decisions about whether to entrust their most sensitive personal information to the company. | high |
Lifetime Identity Theft Risk: Real Harm to Real People
What users now face · 4 allegations
| 01 | Stolen Social Security numbers and dates of birth can be used by identity thieves to commit government fraud, including filing fraudulent tax returns to obtain refunds, obtaining driver’s licenses in victims’ names with another person’s photo, or filing for government benefits under the victim’s name. | high |
| 02 | The data remains on the dark web where criminals buy and sell stolen identity information; there is a documented cyber black market where personal information sells for $40 to $200 per person, and bank details sell for $50 to $200. | high |
| 03 | Stolen data from previous breaches (like Equifax 2017) has been documented as being used by identity thieves years later; fraud resulting from the Bumble breach may not occur for months or years, creating a lifetime of risk for affected users. | high |
| 04 | Users affected by the breach now face decades of financial and personal harm; they must constantly monitor bank accounts, credit reports, and government benefits, and remain vigilant against fraud for the rest of their lives. | high |
Direct Quotes from Legal Document
QUOTE 1
Company’s false promise to users
Deceptive promises
“Here at Bumble, we pride ourselves on taking all appropriate and reasonable security measures to help protect your information against loss, misuse, and unauthorized access or sharing; protect the confidentiality of your personal information, such as by using secured servers with firewalls.”
This public promise was demonstrably false. The company’s networks lacked basic protections and fell victim to a preventable phishing attack.
QUOTE 2
Scale of data breach
Massive data exposure
“ShinyHunters accessed, exfiltrated and acquired over 30 gigabytes of files containing PII.”
This single breach exposed millions of users’ most sensitive personal information, including full names, dates of birth, addresses, phone numbers, and Social Security numbers.
QUOTE 3
Preventability of breach
Negligent security
“Despite being common, phishing attacks are easily preventable through known prophylactic measures such as implementing organizational-wide two factor authentication or adequate employee cybersecurity training.”
This attack was not sophisticated; it could have been prevented by well-known, basic protections that Bumble chose not to implement despite the company’s size and resources.
QUOTE 4
Value of stolen identity information on dark web
Identity theft risk
“Personal information can be sold at a price ranging from $40 to $200, and bank details have a price range of $50 to $200.”
Bumble’s stolen data is not sitting unused; it is actively being bought and sold by criminals who will use it to commit fraud and identity theft against each user.
QUOTE 5
Delayed discovery of fraud from stolen data
Lifetime harm
“Law enforcement officials told us that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years.”
Users affected by this breach will face an ongoing, unpredictable threat of identity theft for years to come. Fraud may not occur immediately, leaving victims unable to predict when or how they will be harmed.
QUOTE 6
Data breaches are preventable
Negligent security
“In almost all cases, the data breaches that occurred could have been prevented by proper planning and the correct design and implementation of appropriate security solutions. Most of the reported data breaches are a result of lax security and the failure to create or enforce appropriate security policies, rules and procedures.”
Bumble’s breach is exactly the kind that industry experts agree was preventable. The company’s failure was not due to a novel attack; it was due to negligence and unwillingness to invest in basic security infrastructure.
Commentary and Key Questions
Why is this breach so damaging to users?
Bumble collected the most sensitive information possible from its users: full names, dates of birth, home and cell phone numbers, Social Security numbers, banking information, and dating history. This is exactly the data a criminal needs to commit identity theft, open fraudulent accounts, file false tax returns, obtain government benefits, or commit immigration fraud. A Social Security number alone, when combined with a date of birth and address, gives criminals everything needed to impersonate someone. Users now face a lifetime of monitoring and vigilance against fraud.
How did this breach happen?
Bumble fell victim to a phishing attack, a basic cybersecurity threat that has been well-known and preventable for decades. Phishing involves sending fake emails or messages designed to trick employees into revealing passwords or account access information. Once a hacker has employee credentials, they can access company networks. Bumble could have prevented this attack by implementing two-factor authentication (which requires a second form of verification beyond passwords) or conducting basic cybersecurity training for employees. The company did neither. This is not a novel attack; it is a completely standard, well-known and preventable technique that targets companies with poor security practices.
What did Bumble promise users about data security?
Bumble’s public Privacy Policy stated that the company prides itself “on taking all appropriate and reasonable security measures” to protect user information and that it uses “secured servers with firewalls.” These promises were false. The company’s networks were so poorly secured that they fell victim to a preventable phishing attack. Bumble knowingly misrepresented its security practices to users, who provided extremely sensitive information specifically because they believed the company’s false promises. Users would not have given their Social Security numbers and banking information to Bumble had they known the company’s actual security practices were inadequate.
Is this breach really preventable, or do these things just happen?
Industry experts are clear: in almost all cases, data breaches could have been prevented through proper planning, design, and implementation of appropriate security solutions. Data security experts document that most breaches result from “lax security and the failure to create or enforce appropriate security policies, rules and procedures.” Bumble’s breach falls into this preventable category. The company is a large, sophisticated operation based in Austin, Texas, with the financial resources to implement basic cybersecurity protections. That it chose not to is negligent. This was not a sophisticated attack; it was a standard phishing attack that would have been stopped by measures as basic as two-factor authentication or employee training.
How long will users be at risk of identity theft?
For the rest of their lives. Stolen identity credentials remain valuable to criminals indefinitely. Law enforcement has documented cases where stolen data was held for a year or more before being used to commit fraud. Once data is posted on the dark web and sold to multiple criminals, fraudulent use may continue for years or decades. A stolen Social Security number is useful to a criminal not just today, but for years. Affected users will need to monitor their credit, bank accounts, government benefits, and tax records constantly. They may face fraud at any point in the future and have no way to know when it might occur.
What happens to the stolen data after the breach?
The stolen data is posted on the dark web, a part of the internet where criminals conduct illegal business. Criminal organizations openly buy and sell stolen personal information at set prices. Bumble users’ Social Security numbers and banking information are being purchased by identity thieves and fraud rings. These criminals will use the data to commit fraud, file false tax returns, obtain government benefits, open fraudulent credit cards, and commit other crimes in the victims’ names. The data will circulate among criminal organizations for years.
What can I do to prevent this from happening again?
Support efforts to hold Bumble accountable for this negligence. The lawsuit demands that Bumble implement comprehensive information security improvements, including encryption of all user data, regular security audits and penetration testing, mandatory employee cybersecurity training, two-factor authentication, and network segmentation. Additionally, demand that lawmakers strengthen data privacy laws and corporate accountability requirements. Require companies to implement security standards as a condition of collecting sensitive personal information. Support whistleblowers and journalists who expose corporate negligence. Minimize the personal information you provide to companies; share only what is absolutely necessary. Use credit monitoring and identity theft protection services. If you were a Bumble user, monitor your credit reports and accounts for fraudulent activity. Join the class action lawsuit to seek damages and ensure Bumble cannot profit from its negligence while users bear the costs of its failures.
Why didn’t Bumble implement basic security protections?
Because security costs money, and prioritizing profit over user safety is standard corporate practice. Implementing two-factor authentication, employee training, data encryption, and security monitoring requires upfront investment and ongoing expense. Bumble chose to skip these protections and pocket the savings. The company bet that the risk of a breach was worth the cost savings. That bet was wrong, but the users pay the price. This is the logic of neoliberal capitalism: companies minimize safety investments and externalize costs onto users. When a breach occurs, the company faces legal liability, but individual users face a lifetime of identity theft risk. The system incentivizes negligence.
Is Bumble facing any meaningful punishment?
Not yet. This is a class action lawsuit filed in February 2026, and legal processes move slowly. The company faces potential damages, but there is no guarantee those damages will be substantial or that executives will face personal liability. Bumble has already extracted value from millions of users by collecting their data while promising false security. Even if the company loses this lawsuit, it may settle for a fraction of the harm caused. Individual users suffer a lifetime of consequences while the company’s executives face no criminal charges. This pattern is repeated across corporate America: massive harm to ordinary people, followed by lawsuits that drag on for years, sometimes resulting in settlements that enrich lawyers more than victims. Real accountability would include criminal prosecution of executives and forced implementation of security standards.