Cyber Incident Victim: Manhunt

Date: Feb 2021

Location: United States of America

Summary

A gay dating service experienced a data breach when a hacker compromised its accounts database, stealing usernames, email addresses, and passwords for a subset of users. The company force-reset account credentials and alerted affected individuals weeks later, confirming approximately 11% of its user base was impacted. While the notice did not specify encryption methods for stored passwords, weak hashing practices could have exposed credentials to plaintext recovery. The breach disclosure followed initial public communications urging password updates without explicitly acknowledging the theft. This incident reflects broader security challenges within dating platforms, which often manage highly sensitive personal data and face frequent targeting by malicious actors.

Description

In early February 2021, a hacker breached Manhunt, a gay dating platform operated by Online-Buddies Inc., gaining unauthorized access to a database containing user account credentials. The attacker downloaded usernames, email addresses, and passwords for a subset of Manhunt's claimed 6 million male members. The company confirmed the incident in a notice filed with the Washington attorney general’s office, revealing that over 7,700 Washington state residents were impacted. Stacey Brandenburg, an attorney representing Manhunt, later disclosed that approximately 11% of the platform’s total user base was affected, though the company did not specify the global number of compromised accounts or the exact method of intrusion. Manhunt’s notice omitted critical technical details about password security practices, leaving uncertainty about whether passwords were protected with strong encryption or vulnerable to decryption. Following the breach, the company initiated a forced password reset for all users in mid-March 2021, citing updated password requirements in a public tweet that did not explicitly acknowledge the data theft. This delayed and incomplete disclosure raised questions about transparency in their breach response.

The incident occurred against a backdrop of repeated security failures in the dating app industry, particularly affecting LGBTQ+ platforms. Manhunt’s parent company, Online-Buddies, had previously owned Jack’d, which experienced a security lapse exposing private photos and location data months before its 2019 sale. Historical precedents included the 2015 Ashley Madison breach linked to suicides, AdultFriendFinder’s 400 million-account exposure in 2016, and Grindr’s 2018 sharing of HIV status data. The breach highlighted persistent risks associated with platforms storing highly sensitive personal information, including sexual orientation and communication patterns. Manhunt’s containment efforts focused solely on credential resets and state-mandated notifications, without public clarification of the attack vector or measures to prevent recurrence. The compromised credentials exposed users to potential account hijacking, credential-stuffing attacks, and extortion risks, particularly given the platform’s focus on discreet connections. No evidence suggested leaked data was publicly distributed as of the April 2021 disclosure, though the company provided no ongoing monitoring or detailed forensic findings to users.
