As reported by Gizmodo and Tom’s Guide, 70,000 profile pictures of (probably) 16,000 female Tinder users have been “stolen” by hackers. Before we get to the story, I’d like to explain the placement of quotation marks (and clarify that they do not actually indicate a direct quote).

These pictures weren’t so much “stolen” from Tinder or its users as they were scraped by abusing Tinder’s API. That is to say, one or more hackers found a way to interact with Tinder’s programming interface so as to automatically copy and download thousands of users’ pictures. The word hacker, meanwhile, hasn’t been put in quotation marks because, even though it and its verb are frequently over- and misused, it would certainly take a computer-savvy person to do something like this, and that is basically the whole definition of the word.

Now that the obligatory pedantry is out of the way, let’s get to the actual story:

Women’s Tinder pictures are being traded on cyber-crime forums. For what reason, and what should you do about it?

These scraped profile pictures, along with a text file containing 16k user IDs, were recently discovered on a “cyber-crime forum” by Aaron DeVera, a security researcher with White Ops. It is not clear from the reports if this was a dark web site, but it seems intuitive to assume so.

Tinder, meanwhile, have commented on the incident with the usual boilerplate PR speak. They are “[very concerned]”, “[take user privacy seriously]”, yada yada yada. They do not appear to plan on notifying affected users, probably out of a mixture of the considerable effort involved, minimizing user awareness of the incident, no concrete actions to be taken by the user, and no legal requirement to do so.

See also: Tinder is Sharing Sensitive User Data with Advertisers

What are the implications?

Privacy

Obviously one would intuitively feel their privacy violated if one’s online dating picture were made public. And yes, there is some violation of privacy to speak of here, but it has to be put into perspective.

For one, these pictures were already online and could (theoretically) be seen by all Tinder users. The only difference is that now they can be seen by non-Tinder-users, and of course there is a concern as to what these pictures could be used for. But anyone can at any time take a screenshot of a Tinder profile and use that screenshot for whatever they like, as long as they are willing to risk or suffer the potential consequences. The difference lies in the quantity of images taken.

Legality

This abuse of Tinder’s API clearly violates their user agreement. But that’s just about it. Tinder’s user agreement or terms of service are not law, and all they can do is ban the individual(s) in question. The mere act of copying user pictures is very likely not illegal, and even sharing them might still technically be legal. What happens next might not be, but Tinder can’t do much about what happened, from a legal perspective.

The related dump of user IDs could be more problematic, assuming we’re not talking about publicly visible first names.

What will the “stolen” pictures be used for?

This one is anyone’s guess. A few currently circulating speculations include:

Training facial recognition AIs, as has already happened in the past.

Creating fake user profiles, both for individual use, i.e. by scammers and catfishers, and for skeevy dating sites to give the impression of a larger female population. See also: Match Group, owner of Tinder.



My own theory on a possible use case is to add the more attractive pictures of this dump to the fake collages of supposedly featured women on “Girlfriend Revenge” type porn sites’ landing pages.

The latter two cases would certainly be more concerning for the affected users, which brings us to:

What can you do if your pictures were traded?

The short answer is: Not much.

There is no real reason to change any passwords, as this was not that type of hack, and there is no indication any passwords were compromised.

There is nothing you can do about the images you uploaded to Tinder now being stored on somebody else’s computer. There’s a good chance that was already the case anyway (screenshots by people who saw your profile on Tinder and liked it, a lot).

You can try inquiring with Tinder support about whether your profile was affected, but I wouldn’t expect a useful response.

The only scenario in which any action on your part would be advisable is if you find your pictures used fraudulently. Be it fake social media accounts, ads, or in more lewd applications, if your likeness is used in such a manner, you can contact the responsible site administrator to request they be removed, and/or inquire with law enforcement about your options.

What can you do to prevent something similar happening to you, your pictures, or your data in the future?

As for the exact same thing happening to you: Delete your Tinder account and don’t sign up for a new one. That’s about it, apart from hoping Tinder will protect your privacy more effectively in the future. Don’t expect any other services to do much better either, though.

As for keeping your private data private in general:

Don’t use any social media at all

Don’t use dating services

Don’t use your real name or any sensitive data anywhere on the internet

Don’t use any Google products, including Android

Obviously, that is not practical for 99% of the population. To at least mitigate the risk somewhat:

Don’t use your real name for your Google account

Don’t use Gmail, or be okay with Google reading your emails

Don’t use social media, or if you do, do not supply more private information than absolutely necessary and go through the site’s privacy settings, unchecking anything you’re not comfortable with. Example: Don’t supply your phone number to Facebook. I mean, just why would you?

Don’t use WhatsApp (or Facebook Messenger for that matter), or be okay with Facebook storing your private conversations. Alternative: Telegram or Signal.

Be very aware that any information or images you put online may very well stay there forever and be seen by just about anyone. So don’t put anything online that you are not comfortable with your friends, family, and employer seeing, let alone basically anyone anywhere. Of course there are different degrees of risk and you can usually trust your bank more than adultfriendfinder.

For more advice, visit any number of privacy-concerned websites or groups such as r/privacy.
