
A massive data breach at Pornhub has exposed the activity data of over 200 million Premium subscribers, igniting fears of widespread extortion as hackers threaten direct contact with victims. The December 2025 disclosure traces back to a cyberattack on analytics firm Mixpanel, underscoring vulnerabilities in third-party data handling.
What Data Was Exposed

The leak comprises 94GB of user details, including email addresses, search queries, video URLs, timestamps, location data, and records of watched or downloaded content. Reuters verified the data’s legitimacy with three former subscribers. Notably, passwords, payment details, and government IDs remained secure.
Attack Timeline

The intrusion started November 8, 2025, via an SMS phishing attack on Mixpanel staff, granting hackers system access. Mixpanel detected it the next day and alerted partners, issuing a public notice on November 27. Pornhub followed with its advisory on December 12, as reports of extortion surfaced by December 15-16.
ShinyHunters Emerges

The group behind the breach, ShinyHunters, formed in 2020 and has hit 91 organizations, stealing data from AT&T (73 million records), Microsoft (500GB code), Ticketmaster (560 million records), and Tokopedia (91 million accounts). They favor AI-enhanced phishing, insider hires, and supply chain exploits, now demanding Bitcoin from Pornhub and warning of user-targeted threats.
Extortion and Response Risks

Hackers plan to email victims with precise details like video titles, leveraging embarrassment over private histories to demand payments and potentially sharing those histories with employers or family. Experts note one in six mobile users faced such attempts in 2024. Advice is uniform: ignore demands, block senders, save evidence, update passwords, enable multi-factor authentication, and report to authorities. Pornhub stresses it never solicits credentials via email.
Vendor and Regulatory Fallout

Pornhub ended its Mixpanel contract in 2021, but the firm retained the data for four years; it was last accessed legitimately in 2023. The breach exposed multiple Mixpanel clients, including OpenAI, which reported limited metadata leaks like names and locations. Third-party breaches rose from 29% in 2023 to 35.5% in 2024. The delay in Pornhub’s notice—34 days post-breach—may invite GDPR scrutiny, with fines up to 4% of global revenue possible. Adult entertainment sites attract attackers due to sensitive behavioral data.

This incident echoes the 2015 Ashley Madison hack, which spilled 60GB of user data, causing public exposure and harm. Broader trends show 1,732 breaches in early 2025, up 5% year over year, with U.S. costs averaging $10.22 million amid rising ransomware. Detection improved to 181 days via AI tools, but supply chains complicate responses.

Victims face ongoing phishing risks, while firms must enforce proof of data deletion, audits, and training against smishing and AI voice scams. The breach highlights the need for ecosystem-wide vigilance: a single vendor's flaws ripple across industries, demanding precise data inventories and least-privilege access to curb future exposures.
Sources:
“Hacking group ‘ShinyHunters’ threatens to expose premium users of Pornhub sex website.” Reuters, 2025.
“PornHub extorted after hackers steal Premium member activity data.” BleepingComputer, 2025.
“Important Message From Pornhub.” Pornhub Help Center, December 2025.
“Pornhub tells users to expect sextortion emails after data exposure.” Malwarebytes, 2025.
“Cost of a Data Breach Report 2025.” IBM Security, 2025.
“2025 Data Breach Investigations Report.” Verizon, 2025.