Bumble Data Breach: Class Action Alleges Dating App Was Negligent in Handling Vast Amounts of User Info [UPDATE]

Bumble is in the crosshairs of a proposed class action that alleges the dating app has played a little too fast and loose with users’ personal, biometric and behavioral information. 

The 44-page complaint in California alleges Bumble, which is set up so that a female user must first show interest in a man before he can contact her, harvests a seemingly endless trove of information from users without their knowledge or consent and shares the data with third parties such as Facebook and Instagram. The case argues that Bumble’s reckless handling of user data is “even more egregious” in light of the fact that the app experienced a data breach in March 2020, when an unauthorized party accessed the company’s entire account database and exposed the profiles of Bumble’s roughly 100 million users.

As the lawsuit tells it, the Bumble data breach left each user’s profile exposed for at least eight months – and possibly even longer. To this day, the case says, Bumble has not notified users that their data was left out in the open for such an extended period of time.

The suit also alleges that Bumble collects users’ biometric information—specifically, geometric data mapping the unique contours and features of a person’s face—and uses this sensitive and personally identifiable data without authorization, in particular to verify a user and censor lewd content sent through the app.

“Users who registered for or used Bumble and interacted with the app did not consent to Defendants’ collection, retention, or release of their [personally identifiable information], including their biometric information,” the case alleges. “Because of the app’s emphasis on safety and security, Bumble customers trust that their personal information will be maintained in a secure manner and kept from unauthorized disclosure.”

All of the data

The lawsuit explains that Bumble’s stated purpose is to end misogyny by empowering women. Launched in 2014, the popular app, which, like Tinder, works on the premise of a user “swiping right” on someone they might be interested in, is designed so that in order for a man to be able to contact a female user, the woman must first have shown interest in him, the suit states. This feature adds a layer of privacy and safety that other dating applications might lack, the case notes.

Unbeknownst to users, however, defendants Bumble Inc. and Buzz Holdings L.P. utilize automated software, proprietary algorithms, artificial intelligence, facial recognition and other technology to commercially profit from the huge amounts of data the app collects, the case claims. According to the lawsuit, data collected and monetized by Bumble includes usernames, email addresses, biometric data, images, geolocation, social media accounts, messaging services, telephone numbers, and other private, non-public and/or confidential data.

More to the point, the suit stresses that since Bumble is a dating app, it also collects highly personal information ranging from an individual’s name, age and education to their smoking and drinking preferences, religion, sexual orientation, political and religious beliefs, and zodiac sign. Bumble also captures and makes use of information regarding the device on which the app is being used, as the company collects details on a user’s unique device identifier, device model, operating system and MAC address, the lawsuit says.

Further, the case takes issue with Bumble’s photo verification tool, which the suit says relies on artificial intelligence to ensure that users are the same people as those being displayed in their profile pictures. To be verified, the case says, a user is asked to submit a selfie in a specific pose, and the picture is then reviewed through an automated process. This verification process – an optional but encouraged safety feature – allows the Bumble app to automatically extract information from the photo related to the geometry of a person’s face, specifically its unique points and contours, unbeknownst to users, the suit says. This data is then allegedly used to create a template for each face.  

Moreover, if a user happens to pay for Bumble’s premium services, the app also processes and retains their payment information, according to the case.

Per the lawsuit, Bumble does not adequately inform app users that it “harvests” all of this personal information and shares it with third parties. Bumble unlawfully leverages the personal information and private content to which it has access to improve its artificial intelligence capabilities and therefore its profits, revenues and market value, the case additionally charges.

The complaint goes on to allege that Bumble attempts to conceal its data collection and usage practices by way of “dark patterns,” in particular by designing its interface to trick a user into focusing their attention on one thing in order to distract from another—namely, its terms and conditions and privacy policy, which “appear to contain some disclosures concerning [Bumble’s] data collection practices.”

“Bumble’s choice of elusive font and color guarantees that most new users will not notice the presence of Bumble’s Terms and Conditions and Privacy Policy on their sign-up page and will thus never read or agree to these terms,” the case argues.

Lawsuit claims Bumble’s API is vulnerable to data breaches

As the complaint tells it, Bumble’s data collection practices are particularly concerning in light of a 2020 data breach, which allegedly stemmed from a security researcher’s bypassing of the app’s application program interface (API). An API, the case explains, essentially acts as a messenger that takes requests from Bumble users, such as a swipe on another’s profile, and transfers them to the app’s system, which then sends the necessary response back the other way. The suit says that the unauthorized researcher behind the incident was able to reverse-engineer the Bumble API to intercept all of its incoming and outgoing requests.

Per the case, Bumble’s API did not do the necessary checks, and thus allowed the researcher to repeatedly probe the app’s server for user information and bypass the paywall for certain premium features.

According to the suit, the researcher disclosed the vulnerabilities to Bumble in March 2020 and tried at least three more times to bring the issues to the defendants’ attention, but received no response from the company. All told, Bumble left users’ sensitive information exposed for more than 200 days and has yet to acknowledge the existence of the vulnerability plaguing its API despite “partially mitigating” certain issues, the lawsuit says.

Needless to say, the security issue is particularly concerning to Bumble’s user base, especially those who’ve aligned their settings so as to hide their profiles from those who do not meet their interest criteria, the case relays. The suit posits that a tech-savvy Bumble user could exploit the app’s vulnerabilities just as the security researcher did and gain access to profiles that otherwise would have been hidden.

The fact that an unauthorized person was able to access Bumble’s user database when her user was moderated and blocked is also extremely problematic. Bumble takes pride in its secure features and claims to provide users with a safe and healthy space to meet others. Bumble’s practices do not comport with the standards it promotes to its users.”

Who does the lawsuit look to cover?

The lawsuit looks to represent all U.S. residents who registered for and/or used the Bumble app during the applicable statute of limitations period.

I think I’m covered by this class action. What should I do now?

When a class action is first filed, there’s usually nothing a person has to do to join or ensure that they’re included in the lawsuit. It will be only if and when the suit settles that the people covered by the case, who are called class members, would need to act, which typically involves filing a claim form online or by mail.

If a settlement were to be reached in the Bumble data breach class action, for instance, eligible users would likely receive a notice, by mail and/or email, with instructions on how to file a claim and information on their legal rights.

It’s important to note that class action lawsuits generally take time to work their way through the legal process, usually toward a settlement, dismissal or arbitration outside of court. Bumble users who may be affected by the proposed class action detailed on this page should sign up for ClassAction.org’s free weekly newsletter to stay in the loop.