Dubsmash Data Breach
Dubsmash Video Messaging App Breach (2018): 161 Million User Records Including Passwords & Phone Numbers Exposed
Video messaging app.
Risk Interpretation
Exposure enables account takeover, impersonation, and social engineering. Media-linked identities increase reputational and targeting risk.
Impact & Downstream Threats
In December 2018 Dubsmash suffered a breach exposing approximately 161 million records — one of the larger social platform breach datasets of that era — including email addresses, full names, usernames, phone numbers, geographic locations, spoken languages, and hashed passwords. The data was offered for sale on dark web markets in 2019 as part of a large multi-platform bundle alongside other breached platform databases. Dubsmash notified affected users and prompted password resets. No settlement
- Credential stuffing against reused passwords across other platforms
- SIM swap attacks where phone numbers are present
- Targeted phishing campaigns using exposed email addresses
- Doxxing risk from physical address exposure
Threat Vectors
Breach Intelligence
Executive Summary
Dubsmash, a video messaging and lip-sync app, suffered a data breach in December 2018 that exposed approximately 161 million user records. The breach stemmed from a misconfiguration, allowing direct access to user data. The stolen data was later listed for sale on a dark web marketplace in 2019, bundled alongside databases from several other breached platforms, before circulating more broadly online. The exposed information included email addresses, full names, usernames, phone numbers, geographic locations, spoken languages, and hashed passwords. The passwords were protected using PBKDF2 hashing, which offers some resistance to cracking, but is not unbreakable. The combination of profile details and login credentials creates real risk for affected users, including account takeover, impersonation, and targeted social engineering attacks. Because Dubsmash was a media-linked platform where users built public personas, exposed identities carry additional reputational and targeting risk. Dubsmash notified affected users and required password resets following the breach. No regulatory action or legal settlement specific to this incident has been publicly documented. Reddit acquired Dubsmash in 2020 and shut the platform down in 2022, meaning affected users no longer have an active account to secure. However, anyone who reused their Dubsmash password on other services remains at risk and should change those passwords immediately.
About Dubsmash
Dubsmash was a video messaging and lip-sync app launched in 2014 that allowed users to record short videos of themselves miming to audio clips. The platform was popular in its early years as a precursor to TikTok-style short video content. Dubsmash was acquired by Reddit in 2020 following the breach, and Reddit subsequently shut down the standalone Dubsmash platform in 2022, integrating some of its video technology into Reddit's own features.
Why They Hold Your Data
Social video platforms collect user accounts, emails, behavioral data, and user-generated media content.
Recent Developments
Dubsmash no longer operates as a standalone platform. Reddit shut it down in February 2022, redirecting users to Reddit's native video features. The breach predates the acquisition and the shutdown.
Data Points Exposed
Exposure Categories
Canonical Fields
email_address, full_name, geographic_locations, password, phone_number, spoken_language, username
Dark Web Verification
- Dataset containing ~161.4M records identified in breach intelligence sources
- Data indexed and searchable across breach notification platforms
- Source: dubsmash.com-2018;Dubsmash Data Breach
Recommended Actions
⚠️ Do not assume this is low sensitivity.
Protect Yourself
Check If You’re Affected
Enter your email to check if your data appears in this breach.
Get Free Breach Alerts
Be the first to know when new breaches are disclosed.
High-Risk? Get an Exposure Audit
Full-spectrum exposure audits for executives and public figures.
ObscureIQ Advisory
We combine proprietary dark web access with commercial and restricted breach intelligence to verify exposure and assess real-world risk.
- A public-facing individual
- A high-profile executive
- A customer of Dubsmash
- Or concerned about credential reuse
Powered by the ObscureIQ Breach Intelligence Database
© 2026 ObscureIQ · All Rights Reserved · Data Licensing
Latest from ObscureIQ
What Is Credit Monitoring? And Do I Want It? (Answer: Not Really)
Lock Down Browsers. Wipe Employee Footprints. Win Breach Wars.
Sextortion Spam