Security & Fraud Glitch Resurrects Old Profiles

Many former users are worried about the site's data security after their old accounts were accidentally reactivated.

A spokesperson for Match Group, which also owns dating apps OkCupid, PlentyofFish and Tinder, confirmed to The Verge that a “limited number” of old accounts had been mistakenly reactivated and that any account affected received a password reset.

While the site’s current privacy statement says that the company can “retain certain information associated with your account” even after it is closed, the spokesperson revealed that Match will soon launch a new privacy policy to comply with the EU’s General Data Protection Regulation (GDPR).

Under the new policy, all those old accounts will be deleted, although there is no word on how old an account will have to be in order to be expunged.

While there is no federal data destruction law in the United States, 32 states — including Texas, where Match Group is headquartered — have legislation that require “entities to destroy, dispose, or otherwise make personal information unreadable or undecipherable.”

Still, it has been common practice in the past for dating websites to use and retain data for research, marketing, or, as’s current privacy policy states, “record-keeping integrity.” In 2009, eHarmony’s then-VP of technology Joseph Essas admitted that they site has “an archiving strategy, but we don’t delete you out of our database. We’ll remember who you are.”

And Herb Vest, the founder and CEO of the now-defunct dating website, said at the time that “the data just sits there.”

This isn't the first time Match Group has faced complaints about its data policy. A 2010 class action lawsuit by former subscribers alleged that deceived users by keeping inactive and fraudulent accounts viewable. The suit was dismissed in 2012 after a US District Judge found that the site's user agreement didn’t require it to remove these profiles.

Then in 2015, California resident Zeke Graf filed a class action lawsuit against Match claiming the company was knowingly violating a state civil code which requires every dating service contract to include a statement allowing the user to cancel their subscription. That lawsuit was later voluntarily dismissed by Graf.

But many are in agreement that there is no reason for a site to indefinitely hold onto a deleted account's information.

“There probably are good reasons to keep deleted profiles for some period of time — for example, to prevent or detect repeat users or fake users, etc.,” Albert Gidari, consulting director of privacy at the Stanford Center for Internet and Society, wrote in an email. “But that doesn’t mean forever.”



Banks, corporates and even regulators now recognize the imperative to modernize — not just digitize —the infrastructures and workflows that move money and data between businesses domestically and cross-border.

Together with Visa, PYMNTS invites you to a month-long series of livestreamed programs on these issues as they reshape B2B payments. Masters of modernization share insights and answer questions during a mix of intimate fireside chats and vibrant virtual roundtables.