15M+
Grindr user records listed on a dark web forum by threat actor 'nilojeda', including names, email addresses, bcrypt password hashes, and precise GPS coordinates
$400
asking price in cryptocurrency (Litecoin, Ethereum, USDC, or Tether) for the complete 15-million-record database, making it accessible to any criminal with a small crypto balance
14+ fields
data categories exposed per user record including HIV status, last HIV test date, sexual orientation, gender, date of birth, physical attributes, and account activity metadata
May 2026
most recent sample timestamps in the dataset, confirming the records reflect users active in the 30 days before the June 2 dark web listing and are not purely historical data

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

A threat actor identified as 'nilojeda' is selling 15 million Grindr user records on a dark web forum for $400 in cryptocurrency, with sample timestamps dated as recently as May 2026 confirming the dataset includes active accounts containing HIV status, precise GPS coordinates, sexual orientation, and bcrypt password hashes that were live as of last month.

The Grindr data breach dark web listing surfaced on June 2, 2026, and was flagged within hours by Dark Web Informer and DailyDarkWeb threat intelligence monitoring accounts. The alleged database covers 15 million Grindr accounts globally. Each record contains over 14 distinct data fields: full name, username, email address, bcrypt password hash, phone hash, gender, sexual orientation, date of birth, city, country, precise latitude and longitude coordinates, HIV status, last HIV test date, physical attributes declared in the app profile, device type, user agent string, and account creation and activity timestamps. Grindr has not confirmed or denied the breach as of June 4, 2026.

The technical source of the breach has not been independently confirmed. Field coverage including bcrypt password hashes and internal account status flags is not accessible to third-party API consumers or app-layer scrapers, pointing toward a backend database exposure, a compromised analytics or infrastructure vendor with access to production data, or an insider extraction event. Security researchers assessing the sample noted the dataset structure mirrors a server-side database export rather than client-side scraping. The $400 price point, remarkably low for 15 million sensitive health records, suggests the data may have already been distributed in criminal circles prior to this public listing.

This listing is live on a dark web forum right now. At $400 per copy, the Grindr data breach dark web dataset is accessible to extortionists, foreign intelligence services, stalkers, and employers without any specialized criminal infrastructure.

What Data Is in the Grindr Dark Web Database?

The Grindr data breach dark web listing contains field-level data that extends far beyond the scope of a standard credential dump. Most breach datasets trade on names, email addresses, and hashed passwords. The alleged Grindr dataset includes medical and behavioral data that users cannot change after exposure.

Each of the 15 million records allegedly contains: username and display name, first and last name, email address, bcrypt password hash, phone number hash, gender identity, sexual orientation, date of birth, city and country, precise GPS latitude and longitude coordinates, HIV status, date of the user's last HIV test, self-declared physical attributes including height, weight, body type, and ethnicity, signup IP address, device type and model, browser user agent, operating system locale, account status (active, banned, verified), premium subscription tier, and account creation and last activity timestamps.

Bcrypt password hashes are computationally expensive to crack compared to MD5 or SHA-1, but they are not immune to targeted attacks. Standard bcrypt with cost factor 10 takes approximately 100 milliseconds per attempt on a modern GPU. A targeted attack against specific accounts using password lists from prior breach compilations, known as credential stuffing, can succeed against accounts where the password appears in previously leaked datasets. Attackers acquiring this database can run targeted offline cracking against high-value individuals rather than attempting to crack all 15 million hashes simultaneously.

The combination of HIV status and precise GPS coordinates in a single record creates a data category that most breach risk frameworks do not adequately address: a dataset that simultaneously enables physical location, medical outing, and account takeover in a single $400 purchase.

Subscribe to unlock Indicators of Compromise

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

How Did 15 Million Grindr Records Reach the Dark Web?

The mechanism behind the Grindr data breach dark web listing has not been confirmed by Grindr or independent researchers as of June 4, 2026. Security researchers examining the sample data have identified three plausible extraction paths based on the field types present in the alleged dataset.

Direct database compromise would require bypassing Grindr's network perimeter, authentication controls, and database access restrictions. The presence of internal fields including account status flags, subscription tier data, and bcrypt password hashes, none of which are exposed in Grindr's published API documentation, is consistent with direct database read access rather than API-based collection.

Third-party vendor compromise is a plausible alternative. ShinyHunters, the threat group responsible for the Charter Communications and Canvas LMS data breaches in 2026, used voice phishing to compromise employee identity credentials and then exported records from connected Salesforce instances containing customer data. A similar approach targeting a Grindr analytics, CRM, or data warehousing vendor with access to production user records could yield a dataset with the field coverage seen in this listing without requiring direct access to Grindr's core infrastructure. For context on how this attack pattern works in practice, see the ShinyHunters vishing Salesforce campaign analysis.

Insider extraction, while statistically less common than external compromise, cannot be ruled out given the dataset's completeness and the structured schema that mirrors a database export. A privileged employee with DBA or data science access could produce an output matching the described layout.

The $400 asking price, low for a dataset of this sensitivity and scale, may indicate the data has already been shared within criminal networks prior to this public listing, reducing its novelty value for resale and explaining the reduced price.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Why HIV Status and Location Exposure Creates Irreversible Risk

Most data breaches expose data that victims can change: passwords can be reset, credit cards can be canceled, email addresses can be abandoned. The Grindr data breach dark web listing includes two data categories that cannot be changed: HIV status and sexual orientation. A third field, GPS coordinates, enables physical harm that no technical remediation can undo.

HIV status exposure creates legal, employment, and personal safety consequences that persist indefinitely. HIV-positive status is protected health information under HIPAA for US residents and under GDPR Article 9 as a special category of health data for EU residents. Exposure of that status to an employer, family member, or social circle can cause discrimination, relationship breakdown, and physical danger in regions where HIV-positive status carries significant stigma or legal implications. No patch addresses an HIV status disclosure.

Sexual orientation exposure carries parallel risks. Grindr's user base is LGBTQ+. Users of the platform in countries where same-sex relationships are criminalized face legal consequences and physical danger if their orientation becomes known to governments, employers, families, or communities. A $400 dataset that identifies 15 million people by name, email, and sexual orientation is a ready-made targeting list for homophobic actors, authoritarian intelligence agencies, and blackmail operations.

GPS coordinates expose users to physical surveillance and targeted approach. Precise latitude and longitude at the time of app use places a named, identified individual at specific physical locations. For users who accessed Grindr from a home, workplace, or frequent location, this field effectively reveals their address and daily movement pattern to any buyer of the dataset.

The broader context of credential exposure in 2026, including the analysis in 16 billion credentials on the dark web, shows that datasets like this one are cross-referenced against prior breach compilations to build comprehensive target profiles within hours of acquisition.

Who Is Selling the Grindr Data and What We Know About the Threat Actor

The threat actor posting the Grindr data on a dark web forum operates under the alias 'nilojeda'. Minimal public attribution information is available for this identity. Dark web forum aliases are frequently disposable, with threat actors rotating handles after a high-profile listing to reduce attribution exposure. The $400 asking price in multiple cryptocurrencies (Litecoin, Ethereum, USDC, and Tether) is standard for forum-based data transactions but unusually low for a dataset with this level of sensitive health and location data.

Dark Web Informer, an independent threat intelligence monitoring account, posted independently verified forum screenshots of the listing on June 2, 2026, confirming the post appeared on an active underground marketplace. DailyDarkWeb corroborated the listing within hours, citing the same data fields and price point.

The low asking price creates two distinct risk scenarios. In the first, the data has already circulated within a closed criminal network and the $400 forum listing represents a final monetization pass after initial buyers extracted value. In the second, the threat actor is attempting to establish reputation on the forum by offering a high-impact dataset at an accessible price, expecting volume sales to compensate for the low per-unit price.

No attribution to any known threat group has been made by security researchers as of June 4, 2026. The combination of health data and precise location targeting in a single dataset is consistent with the collection priorities of state-level intelligence programs from nations where same-sex relationships are criminalized, but no confirmed state attribution has been established. Criminal extortion, corporate espionage, and data resale remain the most likely motivations at this price point.

The actor says the data includes personal information such as usernames, emails, passwords, dates of birth, geolocation data, HIV status, and sexual orientation. The listing advertises more than 15 million records.

DailyDarkWeb threat intelligence monitoring, June 2, 2026

How to Check If Your Grindr Data Is on the Dark Web

Verifying whether your personal data appears in the Grindr data breach dark web listing requires monitoring services because Grindr has not disclosed the breach or established a victim notification portal as of June 4, 2026. Three immediate verification steps are available.

Search Have I Been Pwned at haveibeenpwned.com using the email address registered to your Grindr account. When the Grindr breach is confirmed and indexed by HIBP, affected accounts will appear in search results. HIBP, operated by security researcher Troy Hunt and trusted by major organizations including the UK National Cyber Security Centre, is the most comprehensive public breach notification service available and is free to use. Submit every email address that may be associated with a Grindr account.

Enable dark web monitoring through your password manager or identity protection service. Services including 1Password Watchtower, Dashlane Dark Web Monitoring, and Norton LifeLock actively scan dark web forums and marketplaces for email addresses and phone numbers. The Grindr listing may surface in these tools as researchers index and add the dataset to their monitoring databases.

Contact Grindr directly through the app or at grindr.com to request information about whether your account was involved in a data security incident. Companies subject to GDPR are required to notify affected users within 72 hours of confirming a breach of personal data. Grindr has not issued any statement as of June 4, 2026. If you are an EU resident, you have the right to file a complaint with your national data protection authority if Grindr does not respond within a reasonable period.

Delete your Grindr account if you are no longer an active user. Account deletion removes your data from Grindr's active user database, limiting future exposure from this breach or subsequent incidents. Use the in-app account deletion option under Settings, not just app uninstall, to trigger a formal deletion request under applicable privacy regulations.

5 Immediate Steps to Protect Yourself After the Grindr Breach

These steps address the specific exposure risks created by the Grindr data breach dark web listing. Complete them in order, starting with the actions that reduce the highest-probability attack vectors.

Subscribe to unlock Remediation & Mitigation steps

Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.

Why Grindr Data Breach Dark Web Exposure Matters for Organizations

Security teams typically classify Grindr as a consumer application outside their threat model. The June 2, 2026 dark web listing changes that assessment for organizations in three sectors: defense and government contracting, financial services, and any employer subject to blackmail-based insider threat risk.

The data in this listing enables targeted social engineering and blackmail operations against named, identified individuals. A threat actor with the full Grindr dataset can identify employees at specific organizations by cross-referencing exposed email addresses against corporate domain patterns. An employee whose HIV status, sexual orientation, home location, and password hash are all in a single $400 database is a structurally compromised target for coercion before any attack has begun.

Defense and government contractors face the highest risk. Security clearance adjudication in the United States and allied nations includes personal conduct and health factors that can affect clearance eligibility. Employees at cleared organizations who appear in this dataset face potential scrutiny if the data is acquired by a foreign intelligence service. Multiple nations that criminalize same-sex relationships operate active intelligence programs targeting Western defense contractors and government personnel.

Financial services organizations subject to SOX, PCI-DSS, or equivalent controls should evaluate whether an employee's presence in this breach creates a reportable insider threat risk under their data governance frameworks.

Practical response for security teams: cross-reference your corporate email domain against breach notification services when the Grindr dataset is indexed. Employees who used corporate email addresses to register personal Grindr accounts are identifiable from the breach data alone. Any employee identified in this manner should receive a confidential notification and cybersecurity counseling, without disciplinary implications, so they can take immediate protective action.

The bottom line

The Grindr data breach dark web listing of June 2, 2026, places 15 million users' HIV status, GPS coordinates, sexual orientation, and password hashes at risk for $400, a price accessible to extortionists, foreign intelligence services, and stalkers today. Three key takeaways: bcrypt hashes resist mass cracking but remain vulnerable to targeted attacks using prior breach credentials; HIV status and location create irreversible harm categories that no technical remediation addresses; and organizations with employees in this dataset face concrete insider threat and social engineering exposure. Search for your Grindr-registered email at haveibeenpwned.com, enable 2FA on that email account, and change any password shared with your Grindr account before the end of business today.

This analysis is generic — the platform version scores threats like this against your own stack.

Frequently asked questions

What data was exposed in the Grindr data breach?

The alleged Grindr dark web breach exposes over 14 data categories per user record: full name, username, email address, bcrypt password hash, phone hash, gender, sexual orientation, date of birth, city, country, precise GPS latitude and longitude, HIV status, last HIV test date, physical attributes, signup IP, device type, user agent, account status, subscription tier, and activity timestamps. Sample data contains timestamps as recent as May 2026, indicating active accounts are included.

Is my Grindr account data on the dark web?

As of June 4, 2026, Grindr has not confirmed the breach or established a victim notification portal. To check your exposure, search the email address registered to your Grindr account at haveibeenpwned.com. Enable dark web monitoring through your password manager or an identity protection service. Grindr account holders who are EU residents may also contact Grindr directly and request disclosure under GDPR Article 15 right of access.

Can the bcrypt password hashes from the Grindr breach be cracked?

Bcrypt is significantly more resistant to cracking than MD5 or SHA-1, but not immune. Standard bcrypt at cost factor 10 takes approximately 100 milliseconds per attempt on a modern GPU, making mass cracking of all 15 million hashes impractical. However, targeted attacks against specific accounts using password lists from prior breaches can succeed if the target reused a password that appears in another dataset. Changing your Grindr password immediately is the correct response.

What should I do if my HIV status was exposed in a data breach?

HIV status is protected health information under HIPAA in the United States and a special category of sensitive data under GDPR Article 9 in the European Union. If you believe your HIV status was exposed, document the breach disclosure, consult legal counsel familiar with privacy law in your jurisdiction, and file a complaint with your national data protection authority if the breached company does not respond. In the United States, HIPAA complaints can be filed with the HHS Office for Civil Rights. Connecting with LGBTQ+ legal advocacy organizations in your region can also provide guidance specific to your location.

Who is the threat actor selling Grindr data on the dark web?

The seller operates under the alias 'nilojeda' on an underground dark web forum. No attribution to a known threat group has been established as of June 4, 2026. The listing was independently flagged by Dark Web Informer and DailyDarkWeb threat intelligence monitoring accounts on June 2, 2026. The $400 asking price in Litecoin, Ethereum, USDC, and Tether is unusually low for a dataset of this sensitivity, suggesting the data may have been previously distributed in closed criminal circles before this public listing.

How do I check if my email address is in a dark web credential dump?

Search your email address at haveibeenpwned.com, operated by security researcher Troy Hunt. The service indexes billions of records from confirmed breach datasets and returns results immediately for any address entered. Enable the notification feature to receive alerts when your email appears in newly indexed breach data. Commercial alternatives include 1Password Watchtower, Dashlane Dark Web Monitoring, and Google One Dark Web Report for broader monitoring of your identity data beyond email alone.

What is the difference between a data scrape and a database breach?

A data scrape collects information visible through public-facing APIs or app interfaces, typically limited to data users choose to display publicly such as profile photos and usernames. A database breach involves unauthorized access to backend systems, yielding internal fields like password hashes, private contact information, health data, and account flags that are never exposed publicly. The Grindr dataset allegedly includes bcrypt password hashes and internal account status flags, which are not accessible through any public-facing API, indicating a backend database source rather than a scraping operation.

Has Grindr been fined for privacy violations before?

Yes. The Norwegian Data Protection Authority (Datatilsynet) fined Grindr LLC approximately USD 6 million (NOK 65 million) in 2022 for sharing users' HIV status, GPS coordinates, and sexual orientation with third-party advertisers without valid consent, in violation of GDPR. Grindr also settled a class action in 2021 related to sharing HIV status data with advertising analytics firms Apptimize and Localytics. The current dark web listing represents the third major privacy incident publicly associated with the platform.

Sources & references

  1. Cybernews, Grindr users' sensitive data at risk after alleged leak surfaces
  2. Dark Web Informer on X, Grindr allegedly targeted in breach exposing massive 15M+ users
  3. DigitalShield, 15 million Grindr users' data put up for sale on dark web
  4. Huntress, Grindr Data Breach: What Happened, Impact, and Lessons
  5. Norwegian Data Protection Authority, Grindr LLC fined NOK 65 million (approx. USD 6 million) for GDPR violations

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.