Coffee Meets Bagel — the worst-named dating app in an extremely competitive field — spent Valentine’s Day performing one of the more intimate acts a company can engage in: Informing its users of a data breach.
“We recently discovered that some data from your Coffee Meets Bagel account may have been acquired by an unauthorised party,” the email, which was sent to an unknown number of users including one Gizmodo staffer, begins. The company claims to have learned of the breach—affecting names and email addresses stored in the app prior to May 2018 — on Monday.
The party who “gained access to a partial list of user details” has not been named. Coffee Meets Bagel wrote in their email to users that it had retained a forensic security company to assist in investigating, and is actively coordinating with law enforcement.
As with many dating apps, Coffee Meets Bagel allows users to sign up using their existing Facebook credentials. The company said today that only name and email data was affected by the breach, but we all know how these things can go.
In a statement to Gizmodo, Coffee Meets Bagel acknowledged the inopportune timing of today’s announcement, saying, “we informed our community as soon as possible — regardless of what calendar date it fell on,” and emphasised the limited scope of the breach:
Beyond emails and names, no other CMB user information was compromised. This was part of a larger breach affecting 620 million accounts that got leaked across sixteen companies, as reported by The Register.
In that story, published Monday, The Register reported that a dark web vendor was offering data from 6,174,513 Coffee Meets Bagel accounts for 0.13 bitcoin (about $646) before the marketplace was taken down.