Cyber Incident Victim: Badoo
Date:
Jun 2016
Location:
United Kingdom
Summary
A major dating platform experienced a compromise of user records, including email addresses, names, birthdates, and passwords hashed with the vulnerable MD5 algorithm, which were actively traded online. The dataset reportedly contained over 127 million entries, with samples indicating over half of tested accounts remained active. Weak password practices were evident, including nearly 50,000 instances of the password "badoo." The company denied any breach occurred, asserting its systems remained secure despite external claims. A notable overlap emerged with another unrelated dating service's alleged breach data, sharing over 28 million email addresses, though the connection between the datasets remained unexplained. Third-party breach monitoring services validated portions of the data's authenticity through active account testing.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In June 2016, cybersecurity monitors identified a significant data breach involving user records from the dating platform Badoo, which claimed over 313 million users globally. The breach dataset, traded on underground forums and later uploaded by the subscription service Leaked Source, contained 127,343,437 records according to multiple sources, though Motherboard could not independently verify the full scale. The compromised information included email addresses, names, dates of birth, and passwords hashed with the MD5 algorithm—a method widely regarded as cryptographically weak and easily crackable by attackers. Analysis of three 10,000-record samples provided to Motherboard revealed that 54% of accounts were active on Badoo at the time of testing, while 23% corresponded to incomplete registrations lacking email confirmation. Approximately 50,000 passwords in the dataset were the trivial string "badoo," indicating poor password hygiene among affected users. Motherboard’s attempts to contact victims via email yielded no responses, with many messages failing to deliver. The exact timing of the breach remained unclear, as no party possessing the data could specify when the compromise occurred.
Badoo’s corporate response, delivered via spokesperson Joelle Hadfield, categorically denied any system intrusion, asserting that internal investigations found no evidence of a breach and emphasizing continuous security monitoring. This statement mirrored language used by dating site Zoosk in May 2016 when facing similar breach allegations, though forensic connections emerged between the two incidents. Leaked Source identified 28,685,533 unique email addresses common to both the Badoo dump and data previously attributed to Zoosk, including accounts with the domain "@mobile.badoo.com." While the precise relationship between the Zoosk and Badoo datasets remained unresolved, the overlap suggested potential data aggregation from multiple sources or indirect harvesting methods. Despite Badoo’s denial, the confirmed circulation of its user records in cybercriminal markets demonstrated ongoing risks to consumer data integrity irrespective of corporate disclosures. The incident underscored challenges in breach attribution and the latent exposure of user credentials even when companies dispute compromise claims.