
Hackers Steal PornHub Premium User Data in Extortion Attack

Summary

– PornHub Premium user data was exposed due to a breach at its former analytics vendor, Mixpanel, which occurred in November 2025.
– The stolen data is historical, dating from 2021 or earlier, and includes sensitive search, watch, and download activity for Premium members, but not passwords or payment details.
– The extortion group ShinyHunters is behind the breach and is demanding a ransom from PornHub, claiming to have over 200 million records.
– Mixpanel disputes that this specific data came from its November 2025 breach, suggesting it was last legitimately accessed in 2023.
– ShinyHunters is linked to several major 2025 data breaches and is also developing a new ransomware platform called ShinySpid3r.

A significant data breach at the analytics firm Mixpanel has led to the exposure of sensitive user information from PornHub Premium subscribers, with the notorious ShinyHunters extortion gang now demanding payment to prevent the public release of the stolen data. The incident highlights the ongoing risks associated with third-party vendor security, even when a company’s own internal systems remain uncompromised. PornHub has confirmed that the breach did not involve its own servers, and user passwords, payment details, and financial information remain secure.

The platform disclosed the situation last week, explaining that a cybersecurity incident at its former analytics provider, Mixpanel, impacted a select group of Premium users. According to the company’s security notice, the compromised data is historical, as PornHub ceased working with Mixpanel in 2021. This indicates the stolen records pertain to user analytics from 2021 or earlier. Mixpanel initially suffered a breach on November 8th, 2025, following a successful SMS phishing attack against its systems.

However, Mixpanel has since contested the origin of the data used in the extortion attempt. The company stated it found no evidence that this specific dataset was stolen during its November security incident. Instead, Mixpanel indicated the data was last accessed legitimately by an account belonging to PornHub’s parent company in 2023, suggesting an alternative point of compromise.

Despite this, the ShinyHunters group has taken credit for the attack, sending extortion emails to Mixpanel’s customers. In a communication to PornHub, the threat actors claimed to possess 94 gigabytes of data containing over 200 million records. They later confirmed this includes 201,211,943 records of historical search, watch, and download activity specifically from Premium members.

A sample of the data reviewed by journalists reveals the deeply personal nature of the exposed information. The analytics events contain a user’s email address, activity type, geographic location, specific video URLs and titles, associated keywords, and precise timestamps. Activity types include watching or downloading a video, viewing a channel, and crucially, search history queries. This constitutes a severe privacy violation for the affected individuals.

The ShinyHunters group has been linked to several major cyber incidents throughout the year. Their tactics often involve compromising companies that provide integration services for platforms like Salesforce to gain access to corporate data. They are also associated with exploiting a critical zero-day vulnerability in Oracle’s E-Business Suite and were behind widespread attacks targeting Salesforce and Drift platforms earlier in 2025. A more recent breach at the customer success platform GainSight further expanded their haul of stolen Salesforce data.

With their involvement in the Mixpanel breach now publicly confirmed, ShinyHunters is responsible for some of the most impactful data security events of the year, affecting hundreds of organizations globally. Adding to their threat profile, the group is reportedly developing a new ransomware-as-a-service platform named ShinySpid3r. This platform is intended to facilitate ransomware attacks for themselves and affiliates connected to the Scattered Spider threat actor collective, signaling an escalation in their criminal operations.

(Source: Bleeping Computer)
