Manhunt, a gay dating app that claims to have 6 million male members, has confirmed it was hit by a data breach in February after a hacker gained access to the company's accounts database.
In a notice filed with the Washington attorney general's office, Manhunt said the hacker "gained access to a database that stored account credentials for Manhunt users," and "downloaded the usernames, email addresses and passwords for a subset of our users in early February 2021."
The notice did not say how the passwords were scrambled, if at all, to prevent them from being read by humans. Passwords scrambled using weak algorithms can sometimes be decoded into plain text, allowing malicious hackers to break into users' accounts.
Following the breach, Manhunt force-reset account passwords and began alerting users in mid-March. Manhunt did not say what percentage of its users had their data stolen or how the data breach happened, but said that more than 7,700 Washington state residents were affected.
Stacey Brandenburg, an attorney for ZwillGen on behalf of Manhunt, said in an email that 11% of Manhunt users were affected.
But questions remain about how Manhunt handled the breach. In March, the company tweeted that, "At this time, all Manhunt users are required to update their password to ensure it meets the updated password requirements." The tweet did not say that user accounts had been stolen.
Manhunt was launched in 2001 by Online-Buddies Inc., which also offered gay dating app Jack'd before it was sold to Perry Street in 2019 for an undisclosed sum. Just months before the sale, Jack'd had a security lapse that exposed users' private photos and location data.
Dating sites store some of the most sensitive information on their users, and are frequently a target of malicious hackers. In 2015, Ashley Madison, a dating site that encouraged users to have an affair, was hacked, exposing names, and postal and email addresses. Several people died by suicide after the stolen data was posted online. A year later, dating site AdultFriendFinder was hacked, exposing more than 400 million user accounts.
In 2018, same-sex dating app Grindr made headlines for sharing users' HIV status with data analytics firms.
In other cases, poor security — in some cases none at all — led to data spills involving some of the most sensitive data. In 2019, Rela, a popular dating app for gay and queer women in China, left a server unsecured with no password, allowing anyone to access sensitive data — including sexual orientation and geolocation — on more than 5 million app users. Months later, Jewish dating app JCrush exposed around 200,000 user records.
Updated with comment from a company attorney.