Tinder was vulnerable to an attack that would have let hackers take over a user’s account using the user’s phone number. The attack exploited a bug in Facebook’s Account Kit system together with a separate vulnerability introduced by Tinder’s implementation of Account Kit.
Tinder wasn’t checking users’ account tokens generated by Account Kit against their associated client IDs, so hackers who had obtained an account token by exploiting Facebook’s Account Kit bug could then take control of an entire Tinder account.
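The missing check described above, as an added example that is not Tinder's or Facebook's code: a simulated token lookup and a login handler before and after the token is bound to the app's client ID. All names and values (`OUR_APP_ID`, `ISSUED_TOKENS`, `introspect`, the phone number) are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class TokenInfo:
    app_id: str   # client ID the identity provider issued the token to
    phone: str    # phone number the provider verified for this token

OUR_APP_ID = "app-dating-001"  # constructed: this service's own client ID

# Constructed sample of what a provider-side token lookup would return.
ISSUED_TOKENS = {
    "tok-A": TokenInfo(app_id="app-dating-001", phone="+1-555-0100"),
    "tok-B": TokenInfo(app_id="app-other-999", phone="+1-555-0100"),
}
ACCOUNTS = {"+1-555-0100": "user-42"}  # verified phone -> local account

class LoginError(Exception):
    """Raised when a token must not be accepted for login."""

def introspect(token: str) -> TokenInfo:
    # Stand-in for asking the provider which app and phone a token belongs to.
    info = ISSUED_TOKENS.get(token)
    if info is None:
        raise LoginError("unknown or expired token")
    return info

def login_unchecked(token: str) -> str:
    """Before: any token the provider considers valid is trusted."""
    info = introspect(token)
    return ACCOUNTS[info.phone]

def login_checked(token: str) -> str:
    """After: the token must also have been issued to this app's client ID."""
    info = introspect(token)
    if info.app_id != OUR_APP_ID:
        raise LoginError("token was issued to a different client ID")
    account = ACCOUNTS.get(info.phone)
    if account is None:
        raise LoginError("no account for the verified phone number")
    return account

if __name__ == "__main__":
    for tok in ("tok-A", "tok-B"):
        try:
            print(tok, "->", login_checked(tok))
        except LoginError as exc:
            print(tok, "rejected:", exc)
```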
The vulnerability was found by Appsecure, which reported it to both Facebook and Tinder earlier this year.
A Facebook spokesperson gave the following comment to The Verge: “We quickly addressed this issue, and we’re grateful to the researcher who brought it to our attention.”