50 million OkCupid users at risk due to security flaws — what to do now


OkCupid, one of the world’s most popular online dating services and a mainstay among the best dating apps for mobile devices, has been left vulnerable to the threat of hacking as a result of several security flaws.

Researchers at cybersecurity firm Check Point discovered a range of dangerous flaws in the website and mobile app of the online dating service, which is used by more than 50 million people globally.

Data on daters

By leveraging these vulnerabilities, a hacker would have been able to view personal information such as full profiles, messages, email addresses, sexual orientation and other details that users input as part of OkCupid’s profiling process.

The flaws would also have allowed a cybercrook to conduct myriad hostile actions, like “manipulating user profile data and sending messages” from a user’s account, all without them knowing.

Check Point explained that a hacker could do these things by injecting malicious code into the back end of the OkCupid website and mobile apps.

Simple steps 

As part of this process, the hacker would have had to create a “single, malicious link” that would be distributed to users of the online dating service. 

A successful breach would have taken three relatively simple steps:

  1. Threat actor generates a link containing a payload that initiates the attack
  2. Threat actor sends the link to the victim, or publishes it in a public forum
  3. Once the victim touches or clicks the link, the malicious code is executed, resulting in data exfiltration

Check Point said this attack “enables an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform, and to access any of the user's data”.

Oded Vanunu, head of products vulnerability research at Check Point, said: “Our research into OkCupid, which is one of the longest-standing and most popular applications in their sector, has led us to raise some serious questions over the security of dating apps.

“The fundamental questions being: how safe are my intimate details on the application? How easily can someone I don’t know access my most private photos, messages and details? We’ve learned that dating apps can be far from safe. 

“Every maker and user of a dating app should pause for a moment to reflect on what more can be done around security, especially as we enter what could be an imminent cyber pandemic. Applications with sensitive personal information, like a dating app, have proven to be targets of hackers, hence the critical importance of securing them.” 

Taking action

Since discovering the flaws, Check Point researchers have reported them to OkCupid and the dating site has issued fixes.

OkCupid said: “Check Point Research informed OkCupid developers about the vulnerabilities exposed in this research and a solution was responsibly deployed to ensure its users can safely continue using the OkCupid app.

“Not a single user was impacted by the potential vulnerability on OkCupid, and we were able to fix it within 48 hours. We're grateful to partners like Check Point who with OkCupid put the safety and privacy of our users first.”

This isn’t the first time that a dating website has been breached and seen user data put at the mercy of threat actors. 

To stay one step ahead of cybercrooks, you should generate strong passwords, ask yourself if you’re potentially sharing too much personal information online, only use reputable apps and download an antivirus solution. 


Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!
