Dubsmash 2018 Data Breach

Dubsmash Video Messaging App Breach (2018): 161 Million User Records Including Passwords & Phone Numbers Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Misconfiguration · Social · Email Address · Full Name · Geographic Location · Password · Phone Number · Spoken Language · Username
Low Severity · Website / service breach

Video messaging app.

Verified by ObscureIQ Intelligence
Breach Risk Index: 34/100
Data Value: 10
Market Recency: 25
Since Breach: 512d

Breach Intelligence Summary

Entity: Dubsmash · Actor: Unknown · Sources: 8 references
Attack: Misconfiguration
Profile: Platform · Short-form video creation and sharing · Mobile social platform · Global
Timeline: Breach (2018-12-01) · Indexed (Dec 01, 2024) · Year (2018)
Exposure: 161.4M records · 7 fields: Email Address, Full Name, Geographic Location, Password, Phone Number, Spoken Language, Username
Status: Confirmed

Executive Summary

Dubsmash, a video messaging and lip-sync app, suffered a data breach in December 2018 that exposed approximately 161 million user records. The breach stemmed from a misconfiguration, allowing direct access to user data. The stolen data was later listed for sale on a dark web marketplace in 2019, bundled alongside databases from several other breached platforms, before circulating more broadly online.

The exposed information included email addresses, full names, usernames, phone numbers, geographic locations, spoken languages, and hashed passwords. The passwords were protected using PBKDF2 hashing, which offers some resistance to cracking, but is not unbreakable. The combination of profile details and login credentials creates real risk for affected users, including account takeover, impersonation, and targeted social engineering attacks. Because Dubsmash was a media-linked platform where users built public personas, exposed identities carry additional reputational and targeting risk.

Dubsmash notified affected users and required password resets following the breach. No regulatory action or legal settlement specific to this incident has been publicly documented. Reddit acquired Dubsmash in 2020 and shut the platform down in 2022, meaning affected users no longer have an active account to secure. However, anyone who reused their Dubsmash password on other services remains at risk and should change those passwords immediately.

ObscureIQ assessment: Exposure enables account takeover, impersonation, and social engineering. Media-linked identities increase reputational and targeting risk.

Breach Impact

In December 2018 Dubsmash suffered a breach exposing approximately 161 million records — one of the larger social platform breach datasets of that era — including email addresses, full names, usernames, phone numbers, geographic locations, spoken languages, and hashed passwords. The data was offered for sale on dark web markets in 2019 as part of a large multi-platform bundle alongside other breached platform databases. Dubsmash notified affected users and prompted password resets. No settlement or regulatory action specific to this breach has been prominently documented. Reddit, which acquired Dubsmash in December 2020, subsequently shut the platform down in 2022.

About Dubsmash

Dubsmash was a video messaging and lip-sync app launched in 2014 that allowed users to record short videos of themselves miming to audio clips. The platform was popular in its early years as a precursor to TikTok-style short video content. Dubsmash was acquired by Reddit in 2020 following the breach, and Reddit subsequently shut down the standalone Dubsmash platform in 2022, integrating some of its video technology into Reddit's own features.

Why They Hold Your Data

Social video platforms collect user accounts, emails, behavioral data, and user-generated media content.

Recent Developments

Dubsmash no longer operates as a standalone platform. Reddit shut it down in February 2022, redirecting users to Reddit's native video features. The breach predates the acquisition and the shutdown.

Data Points Exposed

7 verified field types:
  • Email Address
  • Full Name (High)
  • Geographic Location
  • Password (Critical)
  • Phone Number
  • Spoken Language
  • Username

Exploitation & Downstream Threats

Threat Activity: Critical
Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
  • Doxxing risk from physical address exposure
Threat vectors:
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • Pattern-of-life analysis & physical surveillance
  • Credential stuffing & account takeover
  • SIM swapping, vishing & SMS phishing
  • Targeted phishing localization
  • Cross-platform tracking & credential stuffing

Recommended Actions

If you believe your information may be included:

  • Change Reused Passwords: Update this account and anywhere you reused the password; use a password manager.
  • Enable MFA Everywhere: Turn on multi-factor authentication on email first, then financial accounts.
  • Report & Recover: If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the Dubsmash breach?

Dubsmash, a video messaging and lip-sync app, suffered a data breach in December 2018 that exposed approximately 161 million user records. The breach stemmed from a misconfiguration, allowing direct access to user data. The stolen data was later listed for sale on a dark web marketplace in 2019,…

What data was exposed?

Verified fields include Email Address, Full Name, Geographic Location, Password, Phone Number, Spoken Language, Username.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

  • Breach Index · DataBreach.com · Record & field corroboration
  • Breach Index · Have I Been Pwned · Record & field corroboration
  • Cross-source · 9ghz · Independent catalogue listing
  • Cross-source · BreachForums_Official_Index · Independent catalogue listing
  • Cross-source · Dehashed · Independent catalogue listing
  • Cross-source · Keeper · Independent catalogue listing
  • Cross-source · leakfind · Independent catalogue listing
  • ObscureIQ Intelligence · ObscureIQ proprietary analysis · Risk Index scoring & downstream-threat assessment
