
Cyber Incident Victim: Coffee Meets Bagel

Date:

Aug 2023

Location:

United States of America

Summary

Coffee Meets Bagel experienced a destructive cyberattack where an outside actor maliciously deleted company data and files, causing a worldwide service outage. The company restored services from offline backups and provided compensation to users, while assuring them that no personal payment information was compromised due to its use of third-party vendors.


Description

On or around August 27, 2023, the dating platform Coffee Meets Bagel suffered a significant and disruptive cyberattack that resulted in a worldwide outage, rendering its services inaccessible to users. The company determined that the outage was the direct result of an outside actor maliciously breaching the company's systems and deleting critical company data and files. This destructive action caused the production servers to cease operating correctly, preventing users from signing into the application or communicating with their matches. The incident caused considerable frustration among the user base, as individuals were unable to coordinate planned dates or continue ongoing conversations during the service disruption. In response to the breach, the company's technology team worked swiftly to re-establish a secure environment, allowing them to begin the process of restoring production services from offline backups. Law enforcement agencies were notified of the incident shortly after its discovery.

The restoration process was a complex and extensive undertaking that required the team to work around the clock for several days. The company relied on offline backups to rebuild its system, a process that culminated in service being restored on September 3, 2023. Following the restoration of access, Coffee Meets Bagel launched a thorough investigation to understand the full scope of the incident. This investigation was described as ongoing, with the company also committing to further enhance its cybersecurity measures to prevent a recurrence. The company publicly emphasized that it does not take user trust lightly and plans to do everything in its power to ensure such an incident does not happen again. While the attack involved the deletion of data, the company did not explicitly confirm whether the incident was a ransomware attack that encrypted data or solely a destructive attack aimed at deleting information to bring down the service.

As an additional security precaution following the breach, all users were automatically signed out of the platform. Consequently, every user was required to log back into their account using the exact same method and credentials they initially used for registration, such as a phone number or Facebook login. The company warned that using a different login method would initiate a new account setup, causing users to lose access to their existing account details, including subscriptions and matches. For iOS users who accidentally started a new sign-up flow, the recommended solution was to uninstall and reinstall the application before attempting to log in again with the correct original method.

To compensate users for the extended loss of service and the associated inconvenience, Coffee Meets Bagel implemented a comprehensive package of remedial measures. All active chats were automatically extended by seven days to account for the time lost during the outage. For subscribers with active paid Premium or Mini subscriptions at the time of the incident, their subscription benefits were extended by an additional 14 days at no cost. This extension applied even to subscriptions that had expired during the outage period; those users were given a free subscription for 14 days post-expiration without being billed. Furthermore, any account that was active in the 14 days preceding the outage received a credit of 1,000 free beans, the platform's in-app currency, to help users resume liking and matching with potential partners.

The company also addressed specific user actions that occurred on the day the service was disrupted. Any user who sent a Discover Like or flowers to matches on August 27 received one additional item of the same type credited back to their wallet. This refund was issued universally to all users who performed those actions on that date, regardless of whether their like or gift was successfully received by the intended match, as the company acknowledged a small chance it may not have gone through due to the ongoing attack. Similarly, any user who had boosted their profile between August 20 and August 27 was promised an additional Boost credit added to their wallet for future use. However, the Boost feature itself was temporarily disabled for maintenance following the restoration of service, so users were advised that the credit would appear once the feature became operational again.

In the days following the service restoration, the platform experienced several lingering technical issues as the engineering team continued to stabilize the rebuilt system. These issues included some active chats disappearing for certain users, though logging out and back in was reported to resolve the problem in many instances. The match system was also described as "warming up," resulting in users potentially seeing fewer potential matches in their Suggested or Discover sections initially, with the expectation that this would normalize within a few days. The Boost feature remained offline for maintenance, with the company committing to re-enable it and restore all promised Boost credits in the near future. Users were encouraged to ensure push notifications were enabled to receive updates on the feature's availability.

The company provided specific reassurances to users regarding their data and activity during the outage. Coffee Meets Bagel confirmed that during the period of inaccessibility, the platform stopped sending out potential matches, known as "bagels," and likes, ensuring that users did not miss out on any potential connections while the service was down. Furthermore, the company addressed concerns about social dynamics, explicitly stating that no users should feel they were "ghosted" by their matches because the platform was completely down for everyone simultaneously, placing all users in the same situation. Regarding data security, the company stated that sensitive payment information and images of driver's licenses or passports were not stored on its systems and were processed through third-party vendors, implying these specific data types were not at risk in this particular incident.

This cyberattack was not the first security incident for Coffee Meets Bagel. The company had previously disclosed a data breach on Valentine's Day in 2019, which resulted in the exposure of user email addresses and names. The 2023 incident, however, was distinct in its destructive nature, focusing on disrupting service availability rather than the exfiltration of personal user data. The primary impact was operational, causing a multi-day global outage that required a complete rebuild from backups. The company's response focused on restoring service integrity, compensating affected users, and initiating a law enforcement investigation while continuing to enhance its cybersecurity posture in the wake of the attack.
