Hackers claim to have a huge cache of Pornhub Premium users’ search and viewing history in a new attack on the company linked to an analytics provider used by millions of porn sites, amid growing fears that the hackers could use the personal information they hold on some users to exploit them further.
What hackers claim they stole from Pornhub Premium
The group, which calls itself ShinyHunters, is trying to extort the company and claims to have 94GB of data containing more than 200m records. Samples shared with a cybersecurity news site are said to contain emails, rough location information for users, the titles of videos watched and short snippets from them, the search terms account holders used to find content in particular genres, the times videos were viewed or downloaded, and other fields that are generally captured for performance monitoring.
Pornhub said that only some of its Premium users were possibly affected, and emphasized that its own systems had not been penetrated.
Instead, the company blamed its longtime analytics vendor, Mixpanel, saying it had stopped using the service in 2021 but that some legacy analytics events might have been left behind in the vendor’s system. An internal review is underway to assess the scope and effect of the breach.
Mixpanel link and denial over source of leaked data
The claim emerged as a number of Mixpanel customers were hit by extortion emails in the aftermath of a security issue that took place in November. Mixpanel has pushed back on the suggestion that the Pornhub-related data resulted from that event, noting instead that the last access to this dataset was by a legitimate employee at the parent company of Pornhub in 2023. If bad actors now possess it, Mixpanel contends, that should not be blamed on the November breach.
That nuance is important: the source of the exposure might have implications for regulatory obligations and liability. It also demonstrates how long-tail data held by vendors can remain vulnerable after a working relationship has ended, particularly when it comes to governance and deletion policies.
Who ShinyHunters are and why the group’s role matters
ShinyHunters is known for stealing data and extorting the companies it has breached in recent years. Its playbook usually consists of stealing huge data sets, releasing small samples to prove access and then trying to bully victims into paying. Here, the group says it will release the data unless its demands are met. If even part of the purported 200 million records is legitimate, the sensitive nature of the material makes the stakes especially high.
Third-party risk is a regular feature of contemporary breaches. The IBM Cost of a Data Breach Report has consistently reported multi-year highs in breach costs, and detection, response and legal exposure all increase when vendors are at risk. Verizon’s yearly breach investigations likewise regularly call out stolen credentials and abuse of otherwise legitimate access as key enablers, patterns that line up with what’s described here.
Why adult viewing data creates special risks
Most consumer breaches reveal the passwords or credit cards of regular people. Viewing habits, by contrast, can have reputational, political or professional implications, particularly if the history reveals someone with a high profile and particular kinds of fetishes. And because online adult entertainment has been a frequent target of malware attacks over the years, there may be people engaged in suspicious or outright illegal behavior who were freaking out on Tuesday. Viewers “may not want their friends to know they’re watching” something in a predatory genre.
The 2015 Ashley Madison breach is a cautionary tale of how personal behavioral data can be weaponized — even when financial damage isn’t the primary attack vector.
The potential scope reaches far beyond impacted users. If emails or device identifiers are linked with other data sets, such as advertising IDs, social handles or breached credentials, attackers can construct detailed profiles and raise the risk of highly personalized scams.
What affected users can do now to reduce their risk
Users who suspect they have been exposed should expect targeted phishing.
- Change the password on the service and on any accounts that share it.
- Enable two-factor authentication wherever available.
- Use unique alias emails for sensitive subscriptions and a reputable password manager to eliminate password reuse.
- Monitor inboxes for extortion attempts.
- Don’t negotiate or pay the ransom; report threats to local authorities and, if available in your country of residence, national cybercrime reporting centers.
- Where local laws allow it, people can ask a company what kinds of data it holds about them and seek deletion.
- Groups such as the Identity Theft Resource Center offer advice on how to address post-breach risks.
The bigger picture for third-party analytics
The episode highlights a broader predicament: analytics tools, software development kits and pixels can quietly gather deeply personal behavioral data, and that data can linger long after contracts with vendors have expired. Regulators have signaled growing scrutiny of such flows, especially when they touch health, finance or sexual content. Under GDPR, for instance, holding onto data you don’t need (as well as deploying poorly secured vendor code) can mean fines of up to 4% of global turnover.
Pornhub’s parent company has also declined to address any extortion claims, saying only that it was investigating the matter. Mixpanel has said the purported data dates back to before it was breached in November.
Until forensics resolve the chain of custody, one lesson is already apparent: sensitive analytics should be minimized, aggressively anonymized and quickly purged, and companies need to hold vendors to their claims that they do so.
Now that threat actors can easily sell personal behavioral data, the difference between a reputation-damaging crisis and a containable incident too often boils down to basic, unglamorous hygiene: data minimization, encryption, access controls and actually turning off the tap to third-party vendors.