The popular gay dating service Manhunt was hit by a huge data breach in February that allowed hackers to steal thousands of user accounts.
TechCrunch reports that the app, which claims to have six million male members, admitted the hack in a notice filed with the Washington attorney general on 1 April.
The notice reveals that Manhunt only realised its security had been breached in early March, approximately a month after it happened.
“On March 2, 2021, Manhunt discovered that an attacker had gained access to a database that stored account credentials for Manhunt users,” it states.
“The attacker downloaded the usernames, email addresses and passwords for a subset of our users in early February 2021.”
The notice did not say if the passwords were securely encoded in a scrambled format or if they were stored in plain text.
Stacey Brandenburg, an attorney for Manhunt, said in an email to Techcrunch that 11 per cent of Manhunt users were affected by the breach.
The app says it “immediately took steps to remediate the threat and secure its systems” with a forced reset for passwords of affected accounts.
“Manhunt takes the security of its users very seriously,” the notice claimed, adding that it would be notifying affected users with an email and an inbox message.
However, questions remain about how the dating service handled the breach, as it wasn’t until mid-March that the app began alerting users to begin password resets to protect their account information.
On 21 March the company tweeted: “At this time, all Manhunt users are required to update their password to ensure it meets the updated password requirements.”
But users weren’t ever made aware of the hack itself, or that their information might have been stolen.
Manhunt is owned by the parent company Online-Buddies, which also owns the gay dating app Jack’d – and it’s not the first time they’ve experienced security problems.
In 2019, Jack’d also experienced a massive data breach that exposed sensitive personal data including private photos and user locations.