Mate1.com, an international online dating site that claimed approximately 36.5 million users globally, suffered a data breach in approximately February 2016 when an attacker compromised Mate1.com's MySQL database server through what the attacker described as shell or command access to the server. The attacker subsequently posted an advertisement on the dark-web forum Hell offering the stolen data for sale at approximately 20 Bitcoin (approximately $8,700 at the time), and the data was confirmed to have been sold to at least one buyer. The hacker stated that the original dump contained approximately 40 million accounts and was reduced to approximately 27 million after the hacker removed bot accounts identified by a common password pattern. Mate1.com did not initially acknowledge the breach, and Motherboard's verification process confirmed that 498 of 500 sampled email addresses corresponded to actual Mate1.com accounts.

The breach affected approximately 27.4 million subscribers based on records indexed by Have I Been Pwned and DataBreach.com. Compromised fields included email addresses, names, usernames, dates of birth, gender, sexual fetishes, drug use habits, drinking habits, smoking habits, political views, religion, ethnicities, income levels, job titles, education levels, parenting plans, fitness levels, physical attributes, geographic locations, relationship statuses, personal descriptions, astrological signs, travel habits, work habits, website activity records, and passwords stored in plaintext. The plaintext password storage represents a critical security failure that exposes the original credential values directly to anyone with access to the dataset, with no cryptographic protection of any kind. Independent verification by Troy Hunt confirmed the plaintext-password storage by testing Mate1.com's password-reset feature, which emailed the user's actual plaintext password rather than triggering a reset.

For affected users, the practical risk profile is among the most severe in the dating-platform breach corpus because of the unusually broad and sensitive field set combined with plaintext password exposure. The combination of name, email, date of birth, geographic location, job title, income level, and political and religious views creates substantial identity-fraud, employment-targeting, and discrimination risk. The exposure of sexual fetishes, drug use habits, and political views creates targeted harassment, doxxing, and extortion risk that varies significantly across user populations. Affected users may face employment, relationship, and family consequences depending on which fields are most sensitive in their personal context. The plaintext password exposure means that any account where the user reused the Mate1.com password is fully compromised. Affected users who receive extortion attempts should not pay ransom demands because payment does not stop further extortion. Users should change all reused passwords immediately, enable two-factor authentication where available, document any extortion communications, and report extortion attempts to law enforcement. Because Mate1.com did not require email verification at account creation, individuals who find their email address in the dataset but who do not recall ever creating a Mate1.com account may have had their email used by another party to create an account, which is itself a risk worth investigating.

Dating platforms collect profile data, photos, messages, account records, and subscription activity tied to online matchmaking workflows.

Mate1.com initially did not acknowledge the breach when it was disclosed on the dark-web forum Hell in late February 2016, with no public statement appearing on Mate1.com's website at the time of the original Motherboard reporting. Independent verification by Have I Been Pwned founder Troy Hunt and security researchers documented that Mate1.com continued to store user passwords in plaintext for months after the breach, with the password-reset functionality returning the user's actual plaintext password by email rather than triggering a password-reset workflow. The case has been widely cited in dating-platform cybersecurity coverage as illustrating systemic data-protection failures at large general-interest dating services in the post-Ashley Madison period and as one of the leading examples of the persistent plaintext-password storage pattern in the dating-platform sector. The breach was redistributed and indexed by DataBreach.com on November 30, 2024.