What do online file sharers want with 70,000 Tinder images?

A researcher has discovered thousands of Tinder users’ images publicly available for free online.

Aaron DeVera, a cybersecurity researcher who works for security company White Ops and also for the NYC Cyber Sexual Assault Taskforce, uncovered a collection of over 70,000 photographs harvested from the dating app Tinder, on several undisclosed websites. Contrary to some press reports, the images are available for free rather than for sale, DeVera said, adding that they found them via a P2P torrent site.

The number of photos doesn’t necessarily represent the number of people affected, as Tinder users may have more than one picture. The data also contained around 16,000 unique Tinder user IDs.

DeVera also took issue with online reports saying that Tinder was hacked, arguing that the service was probably scraped using an automated script:

In my own testing, I observed that I could retrieve my own profile pictures outside the context of the app. The perpetrator of the dump likely did something similar on a larger, automated scale.

What would someone want with these images? Training facial recognition for some nefarious scheme? Possibly. People have taken faces from the site before to build facial recognition data sets. In 2017, Google subsidiary Kaggle scraped 40,000 images from Tinder using the company’s API. The researcher involved uploaded his script to GitHub, although it was subsequently hit by a DMCA takedown notice. He also released the image set under the most liberal Creative Commons license, releasing it into the public domain.

However, DeVera has other ideas:

This dump is actually very valuable for fraudsters seeking to operate a persona account on any online platform.

Hackers could create fake online accounts using the images and lure unsuspecting victims into scams.