PornHub Faces Extortion After ShinyHunters Steals 200 Million Premium Member Records in Mixpanel Breach


The adult entertainment platform PornHub is being extorted by the notorious ShinyHunters hacking group following the theft of over 200 million Premium member activity records. The breach, which both parties attribute to a recent compromise at analytics provider Mixpanel, has exposed highly sensitive user data including detailed viewing histories, search patterns, and personal information—creating what security experts warn could be one of the most damaging privacy breaches in recent history.

The Breach: What Happened and When

On November 8, 2025, Mixpanel—a widely-used analytics platform that helps companies track user behavior across their applications—fell victim to a sophisticated SMS phishing (smishing) attack. The breach came to light when Mixpanel publicly disclosed the incident on November 27, after initially detecting unauthorized access to its systems.

PornHub issued its own security notice on December 12, confirming that "select Premium users" were affected by the Mixpanel compromise. The company emphasized that this was not a direct breach of PornHub's own systems and that passwords, payment details, and financial information remained secure.

However, the scope of the stolen data tells a different story about the severity of the breach.


The Stolen Data: 94GB of Intimate User Activity

ShinyHunters, the hacking group behind the extortion campaign, claims to have exfiltrated 94GB of data containing 201,211,943 records of Premium member activity. According to samples reviewed by security researchers at BleepingComputer, the stolen dataset includes:

  • Email addresses tied to Premium accounts
  • Complete viewing history including video URLs and titles
  • Search queries and keywords
  • Download activity records
  • Geographic location data
  • Activity timestamps showing when each action occurred
  • Activity types (watched, downloaded, viewed channel)

The data essentially provides a complete portrait of users' private viewing habits—information that creates severe risks for blackmail, extortion, and reputational harm.

"If the allegations that 201,211,943 records of Pornhub's premium users were compromised – including detailed historical search, watch, and download activity – are true, this data breach may dethrone the notorious data breach of Adult Friend Finder (AFF) in 2016," said Dr. Ilia Kolochenko, CEO at ImmuniWeb. "The AFF breach happened before triple extortion became mainstream, but caused numerous suicides, layoffs, divorces and political scandals, let alone protracted damage to mental and psychological health of the victims."

A Dispute Over the Breach's Origin

While both PornHub and ShinyHunters initially blamed the November 2025 Mixpanel breach, Mixpanel itself has pushed back hard against this narrative, creating confusion about how the data was actually stolen.

PornHub's Position:

  • States the data came from Mixpanel's November breach
  • Claims it stopped using Mixpanel services in 2021, making all exposed data at least four years old
  • Maintains the breach was limited to "select Premium users"

ShinyHunters' Claims:

  • Confirms responsibility for the extortion campaign
  • Claims to have records as recent as 2023, contradicting PornHub's assertion that data only extends to 2021
  • Has sent direct extortion demands to PornHub threatening to publish the data unless a Bitcoin ransom is paid

Mixpanel's Rebuttal: In a statement to BleepingComputer, Mixpanel flatly denied the data originated from its November breach:

"We can find no indication that this data was stolen from Mixpanel during our November 2025 security incident or otherwise. The data was last accessed by a legitimate employee account at Pornhub's parent company in 2023. If this data is in the hands of an unauthorized party, we do not believe that is the result of a security incident at Mixpanel."

This statement suggests an alternative scenario: the breach may have involved compromised employee credentials at PornHub's parent company Aylo, rather than a direct Mixpanel system breach. If accurate, this would indicate the "breach" wasn't a sophisticated hack but rather unauthorized access using legitimate credentials—potentially held for two years before being exploited.

The Mixpanel Breach: A Wider Impact

The Mixpanel compromise has affected multiple high-profile companies beyond PornHub, revealing the cascading risks of third-party analytics providers.

The November 8 Attack

Mixpanel CEO Jen Taylor confirmed that the company detected a smishing campaign on November 8, 2025. The attackers used SMS phishing to trick employees into divulging credentials or bypassing multi-factor authentication, gaining access to customer analytics data.

In response, Mixpanel:

  • Secured affected accounts immediately
  • Revoked all active sessions and sign-ins
  • Rotated compromised credentials
  • Blocked threat actor IP addresses
  • Reset passwords for all employees
  • Implemented new security controls

Other Victims

OpenAI: On November 27, OpenAI disclosed that "limited analytics data related to some users of the API" was exposed, though the company stressed that no chat history, API requests, passwords, or payment details were compromised. Exposed information included:

  • Names on API accounts
  • Email addresses
  • Approximate location data (city, state, country)
  • Operating system and browser information
  • Organization or User IDs

CoinTracker: The cryptocurrency portfolio tracker was also impacted, with exposed data including device metadata and limited transaction counts.

SoundCloud: The music streaming platform confirmed it was breached, with the incident linked to disrupted VPN access and user complaints about outages.

Mixpanel stated that all impacted customers were contacted directly, noting "If you have not heard from us, you were not impacted."

ShinyHunters: 2025's Most Prolific Data Theft Operation

The PornHub extortion is just the latest in a remarkable string of high-profile breaches orchestrated by ShinyHunters in 2025, establishing them as one of the year's most successful and prolific cybercrime operations. As detailed in our comprehensive analysis of ShinyHunters' evolution, the group has transformed from Pokémon-inspired hackers in 2020 into sophisticated operators conducting coordinated supply chain attacks against enterprise cloud platforms.


The Salesforce Campaign

ShinyHunters gained notoriety throughout 2025 for systematically compromising Salesforce customers through third-party integrations:

Salesloft Drift Attack (August 2025):

  • Compromised Salesloft's GitHub account
  • Stole OAuth tokens from Drift's AWS instance
  • Gained access to approximately 760 companies' Salesforce instances
  • Victims included Google, Cloudflare, Qantas, Cisco, and TransUnion
  • As covered in our article on Google's massive Salesforce breach, this attack potentially exposed business contact information for 2.5 billion Gmail users

Gainsight Breach (November 2025):

  • Used credentials stolen from the earlier Salesloft attack
  • Compromised Gainsight's customer success platform
  • Gained access to an additional 285 Salesforce instances
  • Google Threat Intelligence confirmed over 200 potentially affected organizations
  • Targeted companies including Atlassian, CrowdStrike, DocuSign, GitLab, LinkedIn, Thomson Reuters, and Verizon
  • Full details available in our Salesforce-Gainsight breach analysis

Other Major Breaches

Oracle E-Business Suite Zero-Day: ShinyHunters was linked to exploitation of CVE-2025-61884, a critical vulnerability allowing unauthenticated remote code execution in Oracle's E-Business Suite.

Red Hat GitLab Breach: In September 2025, the group stole more than 28,000 Git code repositories from Red Hat's GitLab server, including over 5,000 Customer Engagement Reports containing client secrets, access tokens, and infrastructure details.

Major Airline Breaches: ShinyHunters also targeted major airlines including Qantas Airways, with 5 million customer records leaked, and Air France-KLM in coordinated attacks exploiting Salesforce integrations.

Discord Breach: ShinyHunters claimed responsibility for a September 20 breach at a Discord third-party customer service provider, exposing usernames, emails, IP addresses, payment card digits, and government ID images.

ShinyHunters' 2025 campaign also included attacks on major insurance providers like Allianz Life, luxury brands, and airlines as documented in our comprehensive review of August 2025's unprecedented attack wave.

The Scattered LAPSUS$ Hunters Collective

ShinyHunters operates as part of a larger cybercrime collective known as Scattered LAPSUS$ Hunters—an amalgamation of three notorious hacking groups: Scattered Spider, LAPSUS$, and ShinyHunters. Google tracks this collective under multiple UNC designations (UNC6040, UNC6240) due to its fluid membership and operations. Our in-depth investigation of the Crimson Collective alliance explores how these groups merged to create what security experts now call the most dangerous English-speaking cybercrime syndicate in operation.

The group claims to have stolen data from nearly 1,500 organizations in 2025 alone and has threatened to release data from over 700 major companies, including Toyota, FedEx, Disney, UPS, Adidas, and Home Depot. Despite the FBI's seizure of BreachForums in October 2025—which disrupted ShinyHunters' primary marketplace—the group has maintained operational tempo through decentralized channels.

ShinySpid3r Ransomware-as-a-Service

Most concerning, ShinyHunters is developing a new ransomware-as-a-service platform called ShinySpid3r, which will serve as an infrastructure for conducting ransomware attacks alongside their existing data theft and extortion operations. This evolution from pure data theft to full ransomware capabilities represents a significant escalation in threat.

The group has also begun recruiting malicious insiders at major enterprises, reportedly paying $25,000 to a terminated CrowdStrike employee for network access credentials. In a disturbing escalation documented in our article on cybercriminals targeting security professionals, ShinyHunters has even demanded the termination of specific cybersecurity researchers, marking a dangerous new phase where human capital becomes a weapon in cyber warfare.

The Human Cost and Privacy Implications

The PornHub breach represents more than just stolen data—it poses devastating potential consequences for affected users. Unlike typical data breaches involving email addresses or payment information, this breach exposes deeply personal information about private sexual behavior.

Potential Harms:

  • Blackmail and extortion targeting individual users
  • Relationship destruction through exposure of viewing habits
  • Career damage particularly for public figures, politicians, and professionals
  • Mental health impacts including anxiety, depression, and in extreme cases, suicidal ideation
  • Social stigma and reputational harm

Dr. Kolochenko warned that the consequences could exceed the 2016 Adult Friend Finder breach: "If the reported Pornhub data breach is as big and as recent as claimed by ShinyHunters, the consequences may be much worse than the AFF breach, causing irreparable harm to victims, including politicians and celebrities."

He also noted a disturbing new extortion tactic: "We have already witnessed cases when cybercrime groups threaten their victims to 'poison major LLMs' with the victim's compromised data if the victim does not pay."

Third-Party Risk: The Hidden Dangers of Analytics Platforms

The breach underscores critical weaknesses in how companies manage third-party vendor relationships and data retention:

The Data Retention Problem

PornHub stopped using Mixpanel in 2021, yet the analytics provider retained four years' worth of historical user activity data. This creates an ongoing liability that persists long after business relationships end.

Key Lessons:

  • Companies must enforce aggressive data deletion policies with vendors
  • Historical analytics data should be minimized and anonymized
  • Vendor relationships require ongoing audits even after contracts end
  • Data retention periods need clear limits and enforcement
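The minimization and anonymization lesson above is concrete enough to show in code. The following is an added example, not code from PornHub, Aylo, Mixpanel or the article's author: a small egress layer that rewrites an in-house activity event into the only shape allowed to leave for an analytics vendor. Field names, the allowlist, the sample event and the HMAC key are all constructed for the example. Each category of data the article lists as stolen (email, exact timestamp, video URL and title, search query, city, IP) is either dropped or replaced by a coarsened or keyed derivative, and a final check refuses any payload that still carries a forbidden key.

```python
import hashlib
import hmac
from datetime import datetime

# Hypothetical field allowlist: the only keys permitted to leave the
# organization for an analytics vendor. Anything else is dropped.
ALLOWED_FIELDS = {"event", "user_pseudonym", "hour_bucket", "country", "content_category"}

# The kinds of fields the article reports in the stolen data set; the egress
# check refuses to forward a payload that still carries any of them.
FORBIDDEN_FIELDS = {"email", "user_id", "search_query", "video_url",
                    "video_title", "city", "ip", "timestamp"}

# Constructed key for this example. In production it lives in a KMS and is
# rotated, so pseudonyms from an old key period cannot be joined to new ones.
PSEUDONYM_KEY = b"example-only-rotate-quarterly"


def pseudonymize(user_id: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC: stable for joins within a key period, not reversible by the vendor."""
    return hmac.new(key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def hour_bucket(timestamp: str) -> str:
    """Coarsen an ISO 8601 timestamp to the hour so exact activity times are not exported."""
    dt = datetime.fromisoformat(timestamp)
    return dt.replace(minute=0, second=0, microsecond=0).isoformat()


def minimize_event(raw: dict) -> dict:
    """Build the outbound analytics payload from a raw in-house event.

    Only derived, coarsened fields are emitted: a pseudonym instead of the
    account email or id, an hour bucket instead of a timestamp, country
    instead of city, and a content category instead of the title or URL.
    Search queries are never forwarded at all.
    """
    payload = {
        "event": raw["event"],
        "user_pseudonym": pseudonymize(raw["user_id"]),
        "hour_bucket": hour_bucket(raw["timestamp"]),
        "country": raw.get("country"),
        "content_category": raw.get("category"),
    }
    return {k: v for k, v in payload.items() if v is not None}


def egress_violations(payload: dict) -> list:
    """Last check before the HTTP call: list forbidden or unlisted keys still present."""
    keys = set(payload)
    return sorted((keys & FORBIDDEN_FIELDS) | (keys - ALLOWED_FIELDS))


# Constructed raw event shaped like the record types described in the article.
RAW_EVENT = {
    "event": "watched",
    "user_id": "acct-48213",
    "email": "member@example.com",
    "timestamp": "2023-04-12T22:17:43+00:00",
    "video_url": "https://example.com/view?v=abc123",
    "video_title": "example title",
    "search_query": "example search",
    "city": "Lyon",
    "country": "FR",
    "ip": "203.0.113.9",
    "category": "cat-17",
}

if __name__ == "__main__":
    outbound = minimize_event(RAW_EVENT)
    problems = egress_violations(outbound)
    print(outbound)
    print("egress check:", "ok" if not problems else problems)
```

The design choice worth noting is that the vendor receives nothing it could hand back to an attacker as a viewing history: the pseudonym only joins to an account through a key the organization holds, and rotating that key after a contract ends turns any data the vendor still retains into orphaned rows. The egress check is deliberately separate from the transform so that a later code change which adds a field cannot silently widen what is exported.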

The OAuth Token Vulnerability

ShinyHunters' success throughout 2025 has largely relied on exploiting OAuth tokens—the digital keys that allow third-party applications to access larger platforms like Salesforce. These tokens provide broad access with limited visibility, making them ideal targets. This pattern of OAuth exploitation is part of a broader trend we've tracked in our analysis of late 2025's major cyberattacks, where 62% of breaches involved third-party vendors.

Brian Soby, CTO at AppOmni, explained: "What stands out most in this case is the sheer prevalence of Gainsight integrations. Gainsight is widely deployed and tightly connected to Salesforce, Slack, Google, Microsoft, and numerous other SaaS environments. Because of that footprint, customers now have to quickly identify every location where Gainsight was integrated, revoke those OAuth tokens, and investigate whether any of those connections were abused."

Supply Chain Security

The cascade of breaches—from Salesloft to Gainsight to Mixpanel—demonstrates how a single compromised integration point can provide access to hundreds or thousands of downstream organizations. As we documented in our analysis of the Palo Alto Networks and Zscaler supply chain attack, even leading cybersecurity vendors have fallen victim to these OAuth token theft campaigns.


What Users Should Do

For Affected PornHub Users:

  1. Monitor accounts for suspicious emails or phishing attempts
  2. Enable multi-factor authentication on all accounts using the compromised email
  3. Watch for extortion attempts claiming to have your viewing history
  4. Check Have I Been Pwned regularly for updates on the breach
  5. Do not respond to unsolicited emails claiming to be from PornHub
  6. Consider changing email addresses if practical
  7. Be alert for social engineering attacks leveraging the stolen data

Important Note: No password resets are required, as login credentials were not compromised in the breach.

For Organizations: Security Recommendations

This breach offers critical lessons for any organization using third-party analytics or integration platforms:

Immediate Actions

  1. Audit all third-party integrations and OAuth token grants
  2. Revoke tokens for unused or suspicious applications
  3. Rotate credentials for critical vendor connections
  4. Review data retention policies with all vendors
  5. Implement IP whitelisting for vendor API access where possible

Long-Term Strategy

  1. Minimize sensitive data sent to analytics platforms
  2. Enforce aggressive data deletion timelines with vendors
  3. Conduct regular vendor security assessments
  4. Implement zero-trust architectures that limit token scope
  5. Monitor for anomalous API activity from third-party integrations
  6. Establish clear data ownership and deletion requirements in contracts
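Two of the recommendations above, IP allowlisting for vendor API access and monitoring for anomalous API activity from integrations, can be implemented together as a small detection job. The following is an added example and not code from any company or vendor named in the article; the log line format is hypothetical (what an API gateway might emit per vendor call), the sample lines, integration names and allowlist are constructed, and the addresses are RFC 5737 documentation ranges. It establishes a per-integration baseline of rows returned per request and flags a call that either comes from an unknown source or pulls far more data than that integration normally does.

```python
import re
import statistics
from collections import defaultdict

# Hypothetical gateway log format: one line per vendor-integration API call.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) integration=(?P<integration>\S+) src=(?P<src>\S+) "
    r"endpoint=(?P<endpoint>\S+) rows=(?P<rows>\d+)$"
)

# Constructed sample: routine hourly syncs, then one request that pulls far
# more rows than usual from an address the integration has never used.
SAMPLE_LOG = """\
2025-11-07T09:00:01Z integration=analytics-sync src=203.0.113.7 endpoint=/api/events/export rows=120
2025-11-07T10:00:02Z integration=analytics-sync src=203.0.113.7 endpoint=/api/events/export rows=98
2025-11-07T11:00:01Z integration=analytics-sync src=203.0.113.7 endpoint=/api/events/export rows=131
2025-11-07T12:00:03Z integration=analytics-sync src=203.0.113.7 endpoint=/api/events/export rows=115
2025-11-07T12:30:00Z integration=crm-connector src=198.51.100.22 endpoint=/api/contacts rows=40
2025-11-07T13:30:00Z integration=crm-connector src=198.51.100.22 endpoint=/api/contacts rows=55
2025-11-07T14:30:00Z integration=crm-connector src=198.51.100.22 endpoint=/api/contacts rows=38
2025-11-08T03:14:07Z integration=analytics-sync src=192.0.2.55 endpoint=/api/events/export rows=48000
"""

# Per-integration source allowlist (the "IP whitelisting for vendor API
# access" control). Values are constructed for the example.
ALLOWED_SOURCES = {
    "analytics-sync": {"203.0.113.7"},
    "crm-connector": {"198.51.100.22"},
}


def parse_log(text: str) -> list:
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["rows"] = int(rec["rows"])
            records.append(rec)
    return records


def detect_anomalies(records: list, allowed_sources: dict,
                     multiplier: int = 10, floor: int = 1000) -> list:
    """Return (rule, timestamp, integration, detail) findings.

    Two rules: a call from a source not on the integration's allowlist, and a
    call returning more than `multiplier` times the integration's median row
    count (never below `floor`, so tiny baselines do not alert on noise).
    The median is the baseline because a single bulk pull barely moves it.
    """
    by_integration = defaultdict(list)
    for rec in records:
        by_integration[rec["integration"]].append(rec)

    findings = []
    for name, recs in by_integration.items():
        baseline = statistics.median(r["rows"] for r in recs)
        threshold = max(multiplier * baseline, floor)
        for r in recs:
            if r["src"] not in allowed_sources.get(name, set()):
                findings.append(("UNKNOWN_SOURCE", r["ts"], name, f"src={r['src']}"))
            if r["rows"] > threshold:
                findings.append(("BULK_EXPORT", r["ts"], name,
                                 f"rows={r['rows']} baseline={baseline:g}"))
    return findings


if __name__ == "__main__":
    for finding in detect_anomalies(parse_log(SAMPLE_LOG), ALLOWED_SOURCES):
        print(*finding)
```

Run against the sample, the job produces two findings for the same 03:14 request: an unknown source and a bulk export roughly four hundred times the integration's usual volume. A stolen OAuth token or a reused employee credential looks legitimate to the API because authentication succeeds; it is the source and the volume, not the credential, that give it away, which is why both signals are worth keeping even when only one of them would have fired.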

Employee Security

  1. Enhanced phishing training focusing on smishing attacks
  2. Hardware security keys for high-value accounts
  3. Mandatory MFA using authenticator apps rather than SMS
  4. Regular access reviews to identify dormant credentials
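The first two "Immediate Actions" (audit OAuth grants, revoke unused or suspicious ones) and the access review for dormant credentials above are the same exercise seen from two angles, so one added example covers both. It is not code from any company named in the article: the inventory is a constructed JSON export in the shape a SaaS admin console might provide for connected apps, and the field names, approval registry and scope names are hypothetical. The audit flags grants that are absent from the approval registry, carry scopes beyond what was approved, use a broad scope, have never been used, or have been dormant longer than the review window, and assigns each a revoke or re-scope action.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed inventory shaped like a connected-apps / OAuth grant export.
# Field and scope names are hypothetical.
INVENTORY_JSON = """[
  {"app": "crm-connector",    "owner": "sales-ops", "scopes": ["api", "refresh_token"], "last_used": "2025-12-10T08:12:00+00:00"},
  {"app": "analytics-sync",   "owner": "growth",    "scopes": ["api", "full"],          "last_used": "2021-03-15T17:40:00+00:00"},
  {"app": "legacy-bi-export", "owner": "unknown",   "scopes": ["api"],                  "last_used": "2025-11-20T02:05:00+00:00"},
  {"app": "marketing-tool",   "owner": "marketing", "scopes": ["api"],                  "last_used": null}
]"""

# Hypothetical approval registry: app name -> scopes it was approved for.
APPROVED_GRANTS = {
    "crm-connector": {"api", "refresh_token"},
    "analytics-sync": {"api"},
    "marketing-tool": {"api"},
}

# Scopes broad enough that any grant carrying them deserves a second look.
BROAD_SCOPES = {"full"}


def audit_grants(inventory: list, approved: dict, now: datetime,
                 dormant_days: int = 90) -> list:
    """Return one finding per grant that should be revoked or re-scoped."""
    findings = []
    for grant in inventory:
        reasons = []
        scopes = set(grant["scopes"])
        if grant["app"] not in approved:
            reasons.append("not in approval registry")
        else:
            extra = scopes - approved[grant["app"]]
            if extra:
                reasons.append("scopes beyond approval: " + ", ".join(sorted(extra)))
        if scopes & BROAD_SCOPES:
            reasons.append("broad scope: " + ", ".join(sorted(scopes & BROAD_SCOPES)))
        last_used = grant.get("last_used")
        if last_used is None:
            reasons.append("never used")
        elif now - datetime.fromisoformat(last_used) > timedelta(days=dormant_days):
            reasons.append(f"dormant for more than {dormant_days} days")
        if reasons:
            # Unknown, unused or dormant grants are revoked outright; a grant
            # that is in use but over-privileged is re-issued with fewer scopes.
            revoke = any(r.startswith(("not in", "never", "dormant")) for r in reasons)
            findings.append({
                "app": grant["app"],
                "owner": grant["owner"],
                "action": "revoke" if revoke else "re-scope",
                "reasons": reasons,
            })
    return findings


def run_audit(review_date_iso: str = "2025-12-16T00:00:00+00:00") -> list:
    """Load the constructed inventory and audit it as of the given review date."""
    review_date = datetime.fromisoformat(review_date_iso).astimezone(timezone.utc)
    return audit_grants(json.loads(INVENTORY_JSON), APPROVED_GRANTS, review_date)


def flagged_apps(findings: list) -> set:
    return {f["app"] for f in findings}


if __name__ == "__main__":
    for finding in run_audit():
        print(finding["action"], finding["app"], "(" + finding["owner"] + "):",
              "; ".join(finding["reasons"]))
```

The dormant analytics grant in the sample is the case the article describes: an integration the business stopped using years ago whose token still exists, still carries a broad scope, and would still authenticate. An access review that only asks "is this app approved?" passes it; one that also asks "when was it last used, and with what scope?" catches it, which is the point of keeping last-use data next to the approval record.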

Regulatory and Legal Implications

The breach occurs amid increased regulatory scrutiny of both adult content platforms and data privacy practices:

GDPR/Privacy Law Implications:

  • Multi-year retention of sensitive personal data without clear justification
  • Potential violations of data minimization principles
  • Questions about whether users consented to long-term analytics retention
  • Likely regulatory investigations in EU and other jurisdictions

Liability Questions:

  • If Mixpanel's claims are accurate, was PornHub's parent company negligent in credential management?
  • What are the contractual obligations for data deletion after vendor relationships end?
  • Can victims sue for damages given the highly sensitive nature of exposed data?

Adult Content Industry Scrutiny: This breach comes as PornHub already faces increased regulatory pressure over age verification requirements and privacy standards in the United States and other countries.

Conclusion: A Wake-Up Call for Third-Party Risk Management

The PornHub-Mixpanel breach serves as a stark reminder that cybersecurity is only as strong as the weakest link in the supply chain. Even companies with robust internal security can find themselves compromised through vendor relationships—especially when those vendors retain sensitive data years after business relationships end.

For users, this breach highlights the permanent privacy risks of online activity. Once data is collected by a platform and its various analytics providers, it can persist indefinitely, creating ongoing vulnerabilities even years later.

As ShinyHunters continues its unprecedented 2025 campaign—having compromised nearly 1,500 organizations through systematic exploitation of third-party integrations—organizations must fundamentally rethink their approach to vendor risk, OAuth token management, and data retention.

The question is no longer whether third-party breaches will occur, but whether organizations have the visibility, policies, and response capabilities to detect and contain them before user data becomes the currency of extortion campaigns.

Key Takeaways:

  • Over 200 million PornHub Premium records stolen containing detailed viewing histories
  • ShinyHunters claims responsibility, demanding Bitcoin ransom
  • Dispute exists over breach source: November Mixpanel breach vs. 2023 credential compromise
  • Part of ShinyHunters' massive 2025 campaign affecting ~1,500 organizations
  • Highlights critical risks of third-party analytics platforms and OAuth tokens
  • Users face severe blackmail, extortion, and reputational risks
  • Organizations must enforce aggressive vendor data deletion and minimize analytics data collection

Status: As of December 16, 2025, the investigation remains ongoing, with no public confirmation of whether PornHub or any affected users have paid the extortion demand. ShinyHunters continues to threaten publication of the stolen data.


This article will be updated as more information becomes available about the breach investigation and any regulatory actions.
