Grindr — alleged 15M+ user database listing
Forum seller listed an alleged 15-million-record Grindr database for $400 covering bcrypt hashes, geolocation and an HIV-status field; Grindr has not commented.
- Target: Grindr — alleged 15M+ user database listing
- Date public: 3 June 2026
- Sector: Technology
- Attack type: Data Breach
- Threat actor: nilojeda (forum alias)
- Severity: Medium
- Region: Global (US-headquartered, West Hollywood, CA)
On 3 June 2026 a seller using the alias “nilojeda” advertised what they claim is a complete Grindr user database on an underground forum, asking $400 in cryptocurrency (LTC, ETH, USDC or USDT). The listing claims more than 15 million records and lists a long field set: usernames, display and legal names, email addresses, bcrypt password hashes, OAuth subject hashes, phone-number hashes, gender, sexual orientation, date of birth, city, country, precise latitude and longitude, physical attributes, HIV status and last-tested date, signup IPs, device type, user-agent string, locale, account status, premium plan and recent activity. Sample timestamps the seller posted are dated as recently as May 2026. The price-to-volume ratio is the part that researchers flagged first: $400 for fifteen million records of a category-sensitive consumer service is well below market and is the usual signature of a scraped or third-party-leaked dataset rather than a core-database compromise. Grindr Inc. has not publicly commented, no regulator filing has been made, and no primary outlet has independently corroborated the listing.
This entry is filed in draft so the catalogue captures the claim without prematurely treating it as a confirmed breach. The stub will be promoted, rewritten or retired depending on what happens next.
What separates this from the usual leak-site noise is the field category, not the volume. Bulk email and bcrypt sets show up on forums every week; the value-add the seller is claiming is HIV status, last-tested date, sexual orientation, lat-long and signup IP correlated against a real name. That is the field combination that creates physical-safety risk for users in any jurisdiction where being LGBT+ is criminalised or socially policed. The defender lens here is the same lens every sensitive-category data controller has to apply: the controls that protect a marketing email list are not the controls that protect a health-status field tied to a precise location, and the dataset should not be treated as one homogeneous thing.
A deep-dive will follow if and when Grindr confirms an intrusion, a primary outlet independently verifies a sample, a regulator (ICO, CNIL, California AG) opens a formal enquiry, or the seller publishes a sample dataset that researchers can validate against known-good records.