Justdate.com 2016 Data Breach

Justdate.com Dating Platform Exposure (2016): 24 Million Records :: Largely Unverified | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

n/a (FABRICATED per Troy Hunt) · Dating · Date of Birth · Email Address · Full Name · Geographic Location
High Severity · Website / service breach

Online dating platform (now defunct).

Verified by ObscureIQ Intelligence
Breach Risk Index: 65/100
Data Value: 25
Market Recency: 25
Since Breach: 455d

Breach Intelligence Summary

Entity: Justdate.com · Actor: n/a (FABRICATED per Troy Hunt) · Sources: 11 references
Attack: Unknown
Profile: Platform · Online dating and matchmaking · General dating platform · Global
Timeline: Breach (2016-09-29) · Indexed (Jan 27, 2025) · Year (2016)
Exposure: 24.5M records · 4 fields: Date of Birth, Email Address, Full Name, Geographic Location
Status: Confirmed

Executive Summary

The Justdate.com record concerns an alleged data breach that began circulating in approximately September 2016 and was claimed to contain over 24 million records from the dating website Justdate.com. The dataset was purported to contain personal information including email addresses, names, dates of birth, and geographic locations. Have I Been Pwned founder Troy Hunt conducted verification of the data by contacting HIBP subscribers whose email addresses appeared in the dataset to confirm whether they had signed up for Justdate.com, and the verification process produced results inconsistent with an authentic breach. Of the approximately twelve respondents Hunt contacted, none recalled signing up for Justdate.com or any service of that nature, and a significant proportion reported that the birth dates, postcodes, and country values in the dataset were inaccurate. Hunt's verification process also included account-enumeration attempts via the Justdate.com password-reset and registration flows, which returned negative results indicating the alleged accounts did not exist on the actual Justdate.com platform.

Based on this verification, Have I Been Pwned classified the Justdate.com record as fabricated when adding it to the HIBP database on February 7, 2017. The fabricated classification indicates that it is highly unlikely the data was sourced from an actual breach of Justdate.com, and that the data may have been aggregated from other locations or invented entirely while still containing real email addresses obtained from unrelated sources. The introduction of the fabricated designation was specifically motivated by this case, with Hunt creating the new classification because the Justdate.com data fell beneath the confidence threshold for inclusion as merely 'unverified.'

For individuals whose email addresses appear in the fabricated Justdate.com dataset, the practical risk profile is materially different from authentic dating-platform breaches. Inclusion in this dataset does not provide reliable evidence that the individual ever interacted with Justdate.com, and the associated personal attributes including dates of birth, names, and geographic locations are likely inaccurate for many records. The primary residual risk is the use of the email address itself in extortion campaigns or phishing campaigns that reference Justdate.com or imply a dating-platform account relationship. Affected individuals who receive extortion emails referencing Justdate.com should not pay ransom demands because the underlying data is fabricated and the implied account relationship cannot be substantiated. Recipients of such extortion attempts should document the communication, report it to law enforcement, and disregard the implied accusation. Individuals concerned about email-address exposure should focus on standard practices including avoiding password reuse, enabling two-factor authentication on important accounts, and remaining alert to extortion scams that exploit fabricated breach data of this kind.

ObscureIQ assessment: Exposure enables harassment, stalking, phishing, and identity linkage around dating behavior. Profile and message data also support romance scams and impersonation.

Breach Impact

n/a. The Justdate.com record has been flagged as fabricated by Have I Been Pwned and DataBreach.com, meaning the data is highly unlikely to have been sourced from an actual breach of Justdate.com. As a result, there is no documented institutional impact on Justdate.com from a real breach event. The platform itself has not been the subject of regulatory action, civil litigation, or operational consequences attributable to a verified breach incident, because no such breach has been verified. The fabricated classification is itself the primary public consequence of the record's existence.

About Justdate.com

Justdate.com was an online dating website that operated under the justdate.com domain in approximately 2016 and earlier. Limited public information is available about the platform's ownership, operational scale, geographic focus, or active user base, in part because the alleged 2016 breach data attributed to the platform was subsequently flagged as fabricated rather than authentic, and because the site itself maintained minimal security infrastructure including a lack of HTTPS support that was unusual for a service of its claimed scale. The platform appears to have been a relatively low-profile generalist dating site rather than a major mainstream dating platform.

Why They Hold Your Data

General dating platforms collect profile data, photos, messages, contact details, subscription records, and relationship preferences tied to online matchmaking.

Recent Developments

The Justdate.com record is most notable as the originating case for Have I Been Pwned's introduction of a 'fabricated' breach classification in February 2017. HIBP founder Troy Hunt published a detailed blog post on February 8, 2017 introducing the fabricated-breach designation specifically in response to the Justdate.com data, which Hunt's verification process had determined to be substantially inauthentic. The fabricated classification has since been applied to other dating-platform breach claims including a 2011 Zoosk dataset, and the framework has been widely cited in cybersecurity industry analyses of breach-data authenticity verification. The Justdate.com record itself has remained in HIBP's database under the fabricated designation specifically so that affected individuals can understand what the data is and why HIBP does not believe it represents a genuine compromise of the alleged platform.

Data Points Exposed

4 verified field types:
  • Date of Birth (High)
  • Email Address
  • Full Name (High)
  • Geographic Location

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity: High
Primary downstream threats:
  • Identity verification bypass using name + date of birth combination
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
Threat vectors:
  • Identity verification bypass
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • Pattern-of-life analysis & physical surveillance

Threat Actor: n/a (FABRICATED per Troy Hunt)

Attribution and method are based on available breach intelligence. Reported attack vector: Unknown.

Recommended Actions

If you believe your information may be included:

  • Enable MFA Everywhere: Turn on multi-factor authentication on email first, then financial accounts.
  • Report & Recover: If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the Justdate.com breach?

The Justdate.com record concerns an alleged data breach that began circulating in approximately September 2016 and was claimed to contain over 24 million records from the dating website Justdate.com. The dataset was purported to contain personal information including email addresses, names, dates…

What data was exposed?

Verified fields include Date of Birth, Email Address, Full Name, Geographic Location.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

  • DataBreach.com (Breach Index): Record & field corroboration
  • Have I Been Pwned (Breach Index): Record & field corroboration
  • 9ghz (Cross-source): Independent catalogue listing
  • BreachDirectory (Cross-source): Independent catalogue listing
  • BreachForums_Official_Index (Cross-source): Independent catalogue listing
  • Citadel.pw (Cross-source): Independent catalogue listing
  • DataViper.io (Cross-source): Independent catalogue listing
  • Dehashed (Cross-source): Independent catalogue listing
  • HackNotice.com (Cross-source): Independent catalogue listing
  • Hacked-Emails (+4) (Cross-source): Independent catalogue listing
  • ObscureIQ proprietary analysis (ObscureIQ Intelligence): Risk Index scoring & downstream-threat assessment
