Tinder Data Breach (2013)

Mobile dating app Tinder appears to have exposed the physical location of its users for much longer than a “few hours,” as the company’s chief executive claimed. New evidence suggests the privacy breach dated back at least two weeks. + Quartz reported yesterday that the data files sent from Tinder’s servers to its apps had been revealing sensitive information about users, including their last known location and Facebook ID. Reaction to the piece centered on the fact that Tinder hasn’t disclosed the issue to its users. CEO Sean Rad said one reason they haven’t is that the breach didn’t last very long: ”An engineer basically found a hole that was there for like an hour,” he said in an interview yesterday. + But that wasn’t the first time the issue reared its head. Interviews with several people who have worked with Tinder’s API, which is how the company’s servers communicate with its apps, extend the timeline of the privacy breach considerably. Exactly when the issue began and at what points it remained a problem are still unclear. The company won’t provide details on the timing. + Rad hasn’t returned emails and phone calls seeking comment today. Justine Sacco, a spokeswoman for IAC, which owns Tinder, acknowledged the earlier breach but said it was fixed quickly, which isn’t supported by Quartz’s reporting. In a statement today, Sacco said: + On two different occasions, we became aware that our API was returning information that it should not have been. In both occasions, we promptly addressed and fixed the glitch. With respect to location data, we do not store the current location of a Tinder user but rather a vague/inaccurate point in space. We are extremely committed to upholding the highest standards of privacy and will continue to take all necessary steps to ensure our users’ data is protected from internal and external sources. + Tinder informed on July 8 Mike Soares, an engineer in San Francisco, says he discovered the issue on July 8 and immediately informed the company in an email to help@gotinder.com. The subject line was, “Privacy Hole With Your App,” and it detailed how Tinder’s API was returning more information than necessary, including the location and Facebook data. + Tinder needs to record each user’s last known location in order to suggest other people within a certain distance. But no one is supposed to see a user’s exact location, a privacy violation that could be considered especially egregious because Tinder is used to find people to hook up with. An introductory screen when first signing up for Tinder assures, “Your location will never be shown to other users.”