Cyber Incident Victim: OkCupid
Date: Feb 2019
Location: United States of America
Summary
OkCupid users experienced account compromises attributed to credential stuffing attacks, where attackers used credentials obtained from other breaches. The company confirmed no internal security breach but acknowledged ongoing account takeover attempts, noting that reused passwords across multiple services increased vulnerability. Lack of two-factor authentication on the platform potentially facilitated unauthorized access. Security experts highlighted the risks of password reuse and emphasized improved cyber hygiene practices to mitigate such threats.
Description
In early February 2019, multiple OkCupid users reported unauthorized access to their accounts on the dating platform, with incidents occurring ahead of Valentine’s Day. News outlets documented these account compromises, prompting OkCupid to issue a public statement on February 11, 2019, denying any security breach within its systems. The company attributed the incidents to credential stuffing attacks, where cybercriminals used login credentials stolen from other platforms to gain unauthorized access to OkCupid accounts. OkCupid emphasized that account takeover attempts were a constant occurrence across all websites and stated there had been no increase in such activity on their platform. The company’s Help page explained that compromised credentials typically resulted from password reuse across multiple services or easily guessable passwords, rather than a direct breach of OkCupid’s infrastructure. Security experts cited the availability of billions of compromised credentials from 2018 data breaches on dark web markets as a likely source for these attacks.

The incident highlighted OkCupid’s lack of two-factor authentication (2FA), a security measure that could have prevented unauthorized access even with compromised credentials. While the company did not disclose the number of affected users, the compromises led to loss of account access and potential exposure of personal data for impacted individuals. OkCupid’s response focused on user education, directing customers to existing Help page guidance about password security risks without implementing new technical safeguards. Security professionals observed that the incident exemplified broader challenges with credential reuse and phishing vulnerabilities across consumer applications. The dating platform maintained its position that no breach had occurred and characterized the reports as a routine cybersecurity occurrence rather than a platform-specific failure.
