Norwegian Consumer Council "Out of Control" report (January 2020): OkCupid shared GPS location, sexual orientation, drug use, and political views with at least 135 third-party companies including Google, Facebook, and data brokers. Data transmitted included answers to intimate questions like "Have you ever used drugs?" tagged with device ID and GPS coordinates. The Norwegian Data Protection Authority received formal GDPR complaints. Data was shared in ways that enabled individual identification — your sexual orientation, your GPS coordinates, your device ID, all bundled together.

BuzzFeed News investigation (April 2018): Grindr shared users' HIV status, last test date, and GPS location with two analytics companies — Apptimize and Localytics. The data was transmitted with users' phone IDs, meaning HIV status could be linked to specific individuals. After public outrage, Grindr stopped sharing HIV status but defended the practice as normal. Antoine Pultier at SINTEF: "The HIV status is linked to all the other information. That is the main issue."

French journalist Judith Duportail filed a GDPR Subject Access Request and received 800 pages of data Tinder had collected on her. The data included: every conversation she'd had, the ages and genders of men she swiped on, how often she logged in, where she logged in from, which friends she had on Facebook, her interests, how many Facebook photos she had, when and where every conversation happened, and a secret internal "desirability score." Guardian investigation, September 2017.

Match Group 2023 10-K SEC filing: "Our financial performance depends on successfully retaining existing users and attracting new users." Match Group revenue: $3.2 billion (2023). Hinge launched "designed to be deleted" in 2019 — the same year Match Group completed its IPO. Hinge revenue grew from ~$197M (2021) to ~$400M (2023). Match Group's stock price drops when user counts decline. Every person who deletes Hinge is a lost subscriber worth $200-480/year.

FTC sued Match Group (September 2019): Match.com sent "You caught his eye" and "Someone's interested in you!" emails using messages from accounts Match knew were likely fraudulent. Between June 2016 and May 2018, approximately 25-30% of new Match.com accounts were fraudulent. Match still used their messages to lure free users into buying subscriptions at $203-480/year. FTC: "We believe Match.com conned people into paying for subscriptions via messages the company knew were from scammers." Internal data showed users who received these messages purchased subscriptions at higher rates.

Security researcher Robert Heaton demonstrated in 2018 that Bumble's distance feature could be exploited using trilateration to pinpoint users' exact locations. Separately, ISE Labs (Independent Security Evaluators) found Bumble's API exposed precise user locations, even for users who had disabled location sharing. The vulnerability was disclosed to Bumble, which took months to fully patch. In 2023, Bumble confirmed another location data exposure affecting users who had specifically opted out of location sharing.

The 2012 breach exposed 1.5 million passwords hashed with unsalted SHA-1 in case-insensitive form. Trustwave cracked 80% within 72 hours using basic dictionary attacks. No salting, case normalisation — elementary errors well below industry standard for 2012.