What happened
According to public breach records, the Dubsmash data breach on December 1, 2018 is reported to have exposed the personal information of 161,749,950 accounts.
In December 2018, the video messaging service Dubsmash suffered a data breach. The incident exposed 162 million unique email addresses alongside usernames and PBKDF2 password hashes. In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly.
In December 2018, the video-messaging app Dubsmash suffered a breach exposing roughly 162 million unique email addresses along with usernames, names, geographic locations, phone numbers, spoken languages, and PBKDF2-hashed passwords. The breach became public in February 2019 when the data surfaced for sale on the dark-web marketplace Dream Market, listed by a seller known as "Gnosticplayers" as part of a larger batch of stolen records from roughly 16 breached websites. The compromised passwords were stored as PBKDF2 hashes rather than plaintext, which slows but does not prevent cracking, particularly for weak or reused passwords.
What data was exposed
The following types of personal data were compromised:
- Email addresses
- Geographic locations
- Names
- Passwords
- Phone numbers
- Spoken languages
- Usernames
Breach details
| Detail | Value |
|---|---|
| Breach name | Dubsmash |
| Date | December 1, 2018 |
| Accounts affected | 161,749,950 |
| Domain | dubsmash.com |
This summary is compiled from public breach-notification data and known leak databases. Figures reflect what those sources report and may be revised as more is learned. If something here looks wrong or you think your information is involved, contact our support team.
We report breaches as a factual record to help people check their exposure. Inclusion here is not an allegation of wrongdoing or negligence by Dubsmash; it reflects a publicly reported security incident.
What to do now
Based on the data exposed in this breach, here are the steps you should take:
- Change your Dubsmash password immediately, and change it anywhere else you reused the same password — the breached passwords were hashed and can be cracked offline, especially weak ones.
- Enable two-factor authentication on your email and on any account that shared the Dubsmash password.
- Treat unexpected emails, calls, and texts as potential phishing — exposed email addresses and phone numbers are commonly used for targeted scams.
- Use a password manager so each account has a unique password and one leaked credential can't unlock the others.
Check your exposure
Data breaches are one of the ways your personal information ends up on data broker sites. Run a free scan to see which sites are exposing your personal data — and take action to remove it.
Sources
- Have I Been Pwned: Dubsmash Data Breach
- Collection of 127 Million Stolen Accounts Up for Sale on the Dark Web
Find out what data brokers know about you
Run a free scan to see which sites are exposing your personal information — name, phone, address, email, and more.
Start your free scan →