A newly created cybercrime forum account is claiming to have obtained registration data belonging to approximately 20 million OkCupid users through alleged access to a privileged application programming interface (API).
The threat actor is offering the purported dataset for sale and claims the information was collected by scraping user registration data from the dating platform. BreachNews has not independently verified the authenticity of the dataset, the alleged access method, or the number of records claimed in the post.
The claim was published on June 8 by a forum account identifying itself as nolan. According to the account profile, the user joined the forum the same day the listing was posted and has no previously observed breach claims.
Actor alleges privileged API access
According to the post, the threat actor and unnamed associates allegedly obtained privileged access to an OkCupid API, allowing them to collect registration information associated with approximately 20 million users.
The actor claims to be selling the dataset and provided a sample through an external paste service. The post also references an escrow arrangement and includes what the actor describes as session-related information.
BreachNews is not publishing links, access details, session information, or other material that could facilitate unauthorized access or distribution of the alleged data.
Sample contains detailed user information
BreachNews reviewed a sample published by the threat actor and found records containing significantly more information than basic registration details.
The sample includes user identifiers, usernames, email addresses, full names, dates of birth, approximate geographic information, account creation dates, recent activity timestamps, and password hashes. Several records also contain phone numbers and messaging activity metadata.
The password hashes visible in the sample appear to use the bcrypt format, a commonly used password hashing algorithm. While the presence of bcrypt hashes does not verify the authenticity of the dataset, the structure and consistency of the records resemble data that may have originated from a production application.
However, the forum account behind the claim appears to have been created on June 8, 2026 and has no established posting history, prior breach listings, or publicly documented track record. New accounts occasionally emerge with legitimate data, but cybercrime forums also frequently attract actors seeking to exaggerate, recycle, or misrepresent datasets in order to generate sales.
The actor’s claim of access to 20 million user records would represent a significant exposure if authentic. However, no independent evidence has yet been presented publicly that confirms the alleged API access or validates the full scope of the dataset.
Dating platform data remains highly sought after
User information associated with dating services often carries elevated value within cybercriminal markets due to the combination of personal details, account identifiers, profile information, and potential reputational sensitivity.
Threat actors frequently use alleged dating platform datasets for extortion attempts, credential stuffing campaigns, phishing operations, and identity-based fraud. As a result, claims involving major dating services often attract significant attention even before their authenticity has been established.
At time of publication, OkCupid had not issued any public statement regarding the allegations.
