A group of hackers known as Scattered Lapsus$ Hunters, which is made up of some members affiliated with ShinyHunters, claims to be extorting the porn site Pornhub after gaining access to data that shows what some premium users watched on the platform. The hackers say the records originated from a breach of analytics company Mixpanel, a supply chain attack that Pornhub has confirmed involved “analytics events” for some premium accounts.
What Hackers Say They Took from Mixpanel Data
Sample data reviewed by independent reporters shows the dataset includes registered email addresses and, in some cases, a user’s name and country of residence; in other records the email addresses are scrambled into anonymous identifiers. The data also contains detailed viewing activity of the kind streaming services record, including content searched for and watched, with video titles, descriptions and durations logged in the analytics events. Analytics payloads may also include device and network details (screen resolution, whether the user was on Wi-Fi or cellular, the carrier name), which can be highly identifying even when no name is present. Bleeping Computer said it had previously seen what appeared to be evidence of this data.
Though payment data has not been implicated in early reporting, the pairing of email addresses with detailed viewing history can be damning. URLs can contain search queries or category information which may expose personal preferences or sensitive attributes of a user. Even rudimentary metadata, like repeated access times, can reveal what are supposed to be private activities.
A Supply Chain Breach With Widespread Reach
Mixpanel, a popular web and mobile analytics vendor, had already disclosed that an unauthorized actor had accessed customer analytics data. Other affected companies have since come forward, including OpenAI, CoinTracker and SwissBorg. Mixpanel has roughly 8,000 customers, which together stream potentially millions of behavioral events onto the platform.
The breadth of exposure depends on how each client configured event collection. Some teams strip payloads down to the minimum; others pipe video titles, search terms, referrers and user IDs straight into their dashboards. For a sense of scale, SoundCloud said some 20% of its users were affected through an “ancillary service” dashboard, and that the stolen data included email addresses and profile fields users had set to private. Even if the Pornhub numbers were smaller, the adult-content context makes that case far more sensitive.
Why Porn Browsing Data Is So Very Sensitive
Under European data protection rules, information that discloses a person’s sexual life or orientation is “special category” personal data and requires heightened safeguards. Viewing histories routinely disclose exactly that. Even when companies refrain from keeping names on file, re-identification research shows that a small amount of data — email domains, IP-derived locations, timestamps and URLs — is enough to single out an individual. The infamous AOL search log release and the academic work that followed showed how quickly even “anonymous” behavioral data can be re-identified.
This is a case in which the harms are concrete: blackmail, doxxing and reputational ruin, especially for people living in closed societies or working in visible professions. If attackers link email addresses to specific viewing activity, members of the LGBTQ+ community, public figures and people in sensitive professions such as medicine or law may be at particular risk.
Inside the Extortion Playbook Used by Hackers
Data theft crews increasingly rely on “double extortion”: steal the data, then threaten to publish it unless paid. Some have escalated to “triple extortion,” contacting customers, partners or journalists directly to maximize pressure. The Lapsus$ Hunters and affiliated actors have a track record of high-profile breaches, including data stolen from Salesforce and Gainsight customers that spilled into hundreds of downstream organizations. Once attackers hold verified email lists, in other words, they can also run targeted phishing, impersonation and harassment campaigns.
What Pornhub and Other Vendors Should Do Now
Immediate steps include revoking the affected Mixpanel service tokens, rotating all related credentials, and tightening access to analytics dashboards with strict role-based permissions and hardware-backed two-factor authentication. Engineering teams should purge event schemas of nonessential fields (as engineers have argued, don’t store full URLs and titles), hash or tokenize user IDs, and shorten the retention of IP addresses. Telemetry must be treated as regulated personal data, not benign exhaust.
For the longer term, companies need vendor risk programs that continuously monitor third-party exposure, contractual limits on data collection and retention, and privacy by design for analytics.
Privacy preservation mechanisms like differential privacy, on-device aggregation and server-side proxies can allow a product team to gain insights and develop features without accumulating sensitive behavioral trails in off-site systems.
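As an added illustration (not code from Pornhub, Mixpanel or anyone in the reporting), here is a server-side proxy that applies the minimization steps described above to a Mixpanel-style event before it is forwarded: it allowlists event names, drops titles, search terms and referrers, tokenizes the user ID with a keyed hash, truncates the client IP and reduces the URL to its top-level section. Property names such as `distinct_id` and `$current_url` follow Mixpanel conventions; the pepper and every sample value are constructed.

```python
"""Minimizing proxy for analytics events. Illustrative code only; not the
analytics pipeline of any company named in the article."""
import hashlib
import hmac
import ipaddress
from typing import Optional
from urllib.parse import urlsplit

# Constructed secret. In production this lives in a secrets manager and is
# rotated together with the vendor service tokens.
PEPPER = b"constructed-example-pepper-rotate-me"

# Only events the product team actually needs leave the boundary.
ALLOWED_EVENT_NAMES = {"video_play", "search", "page_view"}
# Fields that carry viewing content or identity and never need to be exported.
DROPPED_PROPERTIES = {"video_title", "video_description", "search_query",
                      "$referrer", "$email", "name", "$carrier"}


def tokenize_user(user_id: str) -> str:
    """Keyed hash: the vendor can count distinct users but cannot reverse
    the ID or join it against a leaked email list."""
    return hmac.new(PEPPER, user_id.encode(), hashlib.sha256).hexdigest()[:32]


def truncate_ip(ip: str) -> str:
    """Keep only a coarse prefix (/24 for IPv4, /48 for IPv6) for geo stats."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def minimize_url(url: str) -> str:
    """Drop the query string (search terms) and everything after the first
    path segment, so '/video/abc123?search=...' becomes '/video'."""
    path = urlsplit(url).path.strip("/")
    return "/" + (path.split("/")[0] if path else "")


def minimize_event(event: dict) -> Optional[dict]:
    """Return the reduced event, or None if the event type is not allowlisted."""
    if event.get("event") not in ALLOWED_EVENT_NAMES:
        return None
    props = dict(event.get("properties", {}))
    for key in DROPPED_PROPERTIES:
        props.pop(key, None)
    if "distinct_id" in props:
        props["distinct_id"] = tokenize_user(props["distinct_id"])
    if "ip" in props:
        props["ip"] = truncate_ip(props["ip"])
    if "$current_url" in props:
        props["$current_url"] = minimize_url(props["$current_url"])
    # Duration and OS class stay: useful for product metrics, low re-identification value.
    return {"event": event["event"], "properties": props}
```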
Advice for Users Who May Be Affected by the Breach
- Watch out for phishing that name-drops your email or includes viewing activity to scare you.
- Don’t click links in unsolicited email; go directly to the service instead.
- Update any reused passwords and turn on two-factor authentication for your email, as well as financial accounts.
- Use a unique email alias for any subscription via a password manager, and check whether the platform has any data deletion or privacy settings available.
The Bigger Lesson on Third-Party Analytics
This is a symptom of a larger problem: analytics pipelines may hold the most intimate information a company has, yet they are frequently outsourced and far too permissive. When those pipelines leak, the consequences are personal, not abstract, and for platforms that deal with adult content the stakes are higher still. Collect less, protect more, and assume that one day every field in an event payload will be read aloud on a public stage.