▣ Breach GRINDR-15M-USER 2026-06-05

Grindr: Alleged Sale of 15 Million User Records

A threat actor has listed an alleged Grindr database containing more than 15 million user records for sale on a cybercrime forum, according to reporting by BreachNews on June 2, 2026. The listing, which surfaced on June 1, 2026, includes deeply sensitive profile data tied to one of the world's largest LGBTQ+ dating platforms. Grindr has not confirmed a breach, and BreachNews has not independently verified the authenticity of the dataset.

What Happened

On June 1, 2026, a seller posted a thread on a known cybercrime forum advertising what they describe as a complete Grindr user database containing over 15 million records. The actor is requesting payment in cryptocurrency and has published sample records to substantiate their claim. The asking price reported by BreachNews is approximately $400, an unusually low figure for a dataset of this purported scale and sensitivity, which itself raises questions about whether the listing reflects a genuine fresh compromise, a repackaging of older or scraped data, or an outright fabrication.

BreachNews analysts reviewed the sample records and found them to be highly structured and internally consistent, with activity timestamps extending into late May and early June 2026. However, the publication explicitly cautioned that consistency alone does not confirm the data originated from Grindr's production systems, nor that the seller actually possesses the full 15 million records advertised.

What Was Taken

According to the sample reviewed by BreachNews, the fields present in the alleged dataset are extensive and include:

The presence of HIV status, precise geolocation, and sexual orientation alongside identity-linking fields such as email, name, and OAuth identifiers makes this dataset extraordinarily sensitive, even relative to typical dating-platform breaches.

Why It Matters

Grindr serves a predominantly LGBTQ+ user base, including many users in jurisdictions where same-sex relationships are criminalized or where outing carries severe social, legal, or physical risk. Exposure of geolocation data combined with HIV status and orientation creates direct safety risks that go far beyond standard identity theft or credential stuffing concerns. Historic incidents involving Grindr data have already drawn regulatory action in Europe over the sharing of HIV status and precise location with third parties, and any confirmed compromise of this scope would invite renewed scrutiny from data protection authorities under GDPR, the UK Data Protection Act, and U.S. state privacy laws.

For threat intel teams tracking extortion, doxing, and targeted harassment campaigns, the dataset, if authentic, would represent a high-value resource for adversaries conducting sextortion, blackmail, or state-level targeting of LGBTQ+ individuals.

The Attack Technique

No intrusion vector has been publicly disclosed. The seller has not described how the data was obtained, and Grindr has not issued a statement confirming or denying a breach as of publication. The presence of bcrypt password hashes alongside OAuth identifiers is consistent with a database-level extraction rather than client-side scraping, but this remains an inference from the sample structure rather than a confirmed finding. Possible vectors under consideration include compromise of a production database, exposure via a third-party vendor or analytics integration, an insider threat, or an exposed cloud storage bucket. Until Grindr or independent forensic researchers publish findings, attribution and methodology remain unverified.

What Organizations Should Do

  1. Grindr users should rotate credentials immediately, especially any password reused on other services, and enable multi-factor authentication on the account and any linked Google or Apple identity providers.
  2. Monitor for credential stuffing and account takeover attempts against services where users may have reused their Grindr password or email address.
  3. High-risk users in hostile jurisdictions should review their account profile, consider removing or anonymizing sensitive disclosures, and assume that geolocation, orientation, and health status fields may be in adversary hands.
  4. Enterprise security teams should treat the dataset as a credible source for targeted phishing and social engineering, particularly campaigns aimed at executives or employees whose Grindr usage could be leveraged for coercion.
  5. Privacy and compliance teams at consumer platforms holding similarly sensitive special-category data should review database access controls, audit third-party vendor access, and validate that bcrypt hashing parameters meet current standards.
  6. Threat intelligence teams should monitor the forum thread, mirrored listings, and Telegram channels for proof-of-life samples, price drops, or partial leaks, which often follow when a sale stalls.
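
One way to carry out the bcrypt parameter review in item 5, as an added example that is not from BreachNews or Grindr: it parses stored hashes in bcrypt's modular crypt format and flags rows that need rehashing. The `MIN_COST` floor of 12, the function names, and the sample rows are assumptions made for illustration; set the floor to your own standard.

```python
import re
from collections import Counter

# bcrypt modular crypt format: $<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)
MIN_COST = 12            # assumption: local policy floor, not a value from the article
LEGACY = {"2", "2x"}     # obsolete original prefix; crypt_blowfish sign-extension-bug marker


def classify(stored_hash, min_cost=MIN_COST):
    """Return a verdict string for one stored password hash."""
    m = BCRYPT_RE.match(stored_hash.strip())
    if not m:
        return "not-bcrypt"          # plaintext, unsalted digest, or another scheme
    variant, cost = m.group(1), int(m.group(2))
    if not 4 <= cost <= 31:
        return "invalid-cost"        # outside the range bcrypt accepts
    if cost < min_cost:
        return "weak-cost"
    if variant in LEGACY:
        return "legacy-variant"
    return "ok"


def audit(rows, min_cost=MIN_COST):
    """rows: iterable of (user_id, stored_hash) -> (verdict counts, ids to rehash)."""
    counts, rehash = Counter(), []
    for user_id, stored in rows:
        verdict = classify(stored, min_cost)
        counts[verdict] += 1
        if verdict != "ok":
            rehash.append(user_id)   # upgrade at next successful login
    return counts, rehash


# Constructed sample rows: filler salt/digest characters, not real hashes.
_S, _D = "A" * 22, "B" * 31
SAMPLE_ROWS = [
    ("u1", f"$2b$12${_S}{_D}"),
    ("u2", f"$2a$08${_S}{_D}"),
    ("u3", f"$2x$12${_S}{_D}"),
    ("u4", "0" * 32),
    ("u5", f"$2y$14${_S}{_D}"),
]

if __name__ == "__main__":
    counts, rehash = audit(SAMPLE_ROWS)
    print(dict(counts), rehash)
```

Because bcrypt hashes cannot be re-costed offline, the returned ids are candidates for rehashing at the next successful login rather than for a bulk migration.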

Sources: Threat Actor Claims Sale of 15 Million Grindr User Records | BreachNews