A hack directed at the adult platform’s Premium service has led to extortion threats and new privacy fears, as a hacking gang claims it stole a huge lineage of customer activity logs. The company confirmed an incident involving a third-party analytics vendor and said that only some Premium users were impacted, adding that no passwords or payment information was exposed.
The dark web cybercrime group ShinyHunters told cybersecurity outlet BleepingComputer it was behind the breach and is trying to push the company with the alleged data dump. The group alleges that it is in possession of 201,211,943 records detailing historical search, watch and download data with respect to Premium accounts. Those reports identify the data fields as including a member’s email address, type of activity, geographic information and precise timestamps — for example: which video you watched, when you watched it and from where.
The company said that the incident originated from Mixpanel, a third-party analytics provider, and went on to say that its primary systems had not been compromised. Mixpanel has said the information was not from a recent, unrelated breach affecting other firms. Discounting the lack of financial data, this dataset’s nature — behavioral logs combined with identifiable information — makes it a particularly sensitive incident.
What Was Reportedly Stolen from Premium Users
According to samples shared with reporters, the records seem like event analytics — telemetry that platforms gather on how users move and interact. According to the report, that could include search queries, video titles and URLs, keyword tags and the time of each visit. In these contexts, “location” usually means IP-based geolocation to city or region level, not a street address; but when combined with email addresses and time-bound activity it can still serve as a de-anonymization vector.
Passwords, credit card numbers and bank details were not exposed, the company says. That’s important, but logs of activity carry risks of their own: they can lay out personal preferences; suggest relationships and routines; and allow for highly specific kinds of phishing scams. Attackers in previous episodes have leveraged such metadata to create highly realistic spearphishing emails that even describe the victim’s own browsing behavior.
How a Supply Chain Weak Point Became the Attack Surface
The vast majority of consumer apps instrument their apps with analytics SDKs, or scripts in the case of web and mobile web, to measure conversions (related to funnels), reduce churn and debug performance. Those tools generally record event names and custom properties — fields that, if not well managed, can accidentally contain sensitive information. Security teams term this a supply chain problem: even if your core systems are hardened, a partner working with your telemetry may prove the weakest point.
Mixpanel protests any association with a high-profile recent intrusion affecting other companies, and says its own systems were not compromised. Nonetheless, the episode highlights a familiar lesson from stories like British Airways’ third-party script hijack and many advertising tech breaches: data minimization and tight reins on what exits your environment are critical controls.
Why This Case Is So Charged and Sensitive for Privacy
Too much personal and professional information is available in logs containing adult content activity. Privacy advocates at institutions like the Electronic Frontier Foundation had already cautioned that behavioral datasets can out victims, disclose sexual preferences and leave targets vulnerable to harassment or blackmail. The alleged extortion emails from ShinyHunters echo tactics used in other sensitive-data cases, where the goal is not financial theft but damage to a company’s reputation.
History is instructive. The 2015 Ashley Madison breach alone included some 36 million accounts, and it was followed by waves of doxxing — including high-profile public figures exposed in divorce proceedings — extortion attempts and still-ongoing legal and regulatory fallout. The threat landscape today has changed even more: many groups have shifted towards “data extortion” vs. encryption ransomware, a phenomenon first identified in previous renditions of the Verizon Data Breach Investigations Report.
What Our Premium Members Should Do Now to Stay Safe
- Be suspicious of emails stating they have your viewing history, even if you see real video titles mentioned. Consider them extortion attempts and do not respond. Instead, report them to your email provider as phishing and, if possible, to your country’s cybercrime unit.
- Change your account password and turn on two-factor authentication if offered. While the company claims that passwords were not exposed, changing your password also lowers the risk from credential stuffing against other services. If you used the same password elsewhere, change those right away.
- Create a special email alias for sensitive subscriptions. Many password managers and email providers offer easy ways to create aliases that you can cancel later. The less your primary identity is connected to behavioral data, the less you can be exposed again in future.
- Be on the lookout for phishing attempts tailored to your location or recent activity. Attackers like to provide timestamped information to appear legitimate. Never log in through a link sent to you unsolicited; go directly to the service’s app or website.
What Comes Next for Users, Regulators, and Security
Anticipate formal disclosures if regulators believe the incident constitutes a reportable event under laws such as the GDPR or California’s privacy statutes. Regulators including the U.S. Federal Trade Commission and the UK Information Commissioner’s Office have long examined whether companies minimized sensitive data and protected third-party flows. It is often civil litigation that walks in the door with behavioral data.
This will include more technical next steps that will probably consist of natural evolution around scoping the exposure window, validating the dataset to ensure it’s accurate, and then tightening up our analytic pipeline — auditing event schemas, reducing retention on data already collected and removing or hashing personally identifiable information.
The International Association of Privacy Professionals advocates that data minimization should be a by-default consideration for platforms handling intimate content.
For users, the most effective defense today is operational: different passwords for different services, two (or more) factors of authentication wherever available, alias emails when possible and a good dose of skepticism of anything that attempts to feast on embarrassment. Even if only some Premium members were impacted, activity telemetry is potent — and in the wrong hands, personal. Vigilance at this moment can help blunt the next wave of phishing and extortion that tends to follow hacks like these.
