A threat actor operating under the alias Euphoric_Reply_5727 has posted what they claim is a database of more than 32 million Bumble user records for sale on an underground cybercrime forum, priced at $999. The listing appeared on May 30, 2026, according to threat intelligence researchers monitoring dark web channels.
The seller describes the material as a clean JSON dump containing email addresses, bcrypt-hashed authentication credentials, phone numbers, full biographical profile data, location information, lifestyle fields, political and religious affiliations, and linked Instagram and Spotify accounts. That is an extensive data set if authentic. But authenticating dark web breach claims is notoriously difficult, and no independent verification has emerged.
The Actor Has Appeared Before
Euphoric_Reply_5727 is not an unknown figure. The same alias surfaced in late May in connection with an alleged OnlyFans database listing of 340 million records, which also remains unverified. That pattern raises questions about whether this actor is trafficking in legitimate stolen data or repackaging scraped or synthetic information under high-value brand names.
Dark web listings are frequently misleading. Some contain recycled data from older breaches, scraped public profiles, or outright fabrications designed to attract buyers willing to pay before verification. Context matters.
Bumble's Recent Security History
This claim arrives against a difficult backdrop for Bumble. In January 2026, the company confirmed that a contractor's account was compromised in a phishing attack by the ShinyHunters cybercrime group. That breach resulted in the exfiltration of thousands of internal corporate documents from Bumble's Google Drive and Slack systems.
Bumble stated at the time that the incident did not affect its member database, user accounts, private messages, or dating profiles. The company emphasized that sensitive user data is stored on a separate encrypted server. A spokesperson told Bloomberg that access was rapidly terminated and the incident contained.
A class action lawsuit filed in the Western District of Texas in February 2026 challenges that characterization. The complaint alleges compromised information included names, dates of birth, Social Security numbers, phone numbers, chat history, and dating history. Bumble has not publicly commented on the specifics of the litigation.
The New Claim Stands Alone
There is no indication that this new listing from Euphoric_Reply_5727 is connected to the January ShinyHunters breach. The data fields described in the forum post differ from what ShinyHunters claimed to have accessed, which focused on internal documents rather than user profiles. The two incidents may be unrelated. Or the new claim may be fabricated entirely.
Bumble had approximately 35 million active users as of 2025. A 32 million record dump would represent nearly the entire user base. That scale warrants skepticism until samples are analyzed by credible security researchers.
Glitchwire has reached out to Bumble for comment. The company had not responded at the time of publication.
Users concerned about exposure should monitor for unusual account activity, enable two-factor authentication if available, and avoid reusing passwords across services. Dating apps collect particularly sensitive profile information that can be leveraged for identity theft or social engineering attacks.
