Hackers Breach Pornhub, Exposing Premium Users’ Viewing Habits & Search History
PornHub, one of the world’s largest adult entertainment platforms, is facing an extortion attempt after hackers linked to the notorious ShinyHunters cybercrime group claimed to have obtained sensitive activity data belonging to its Premium subscribers. The data, which allegedly includes detailed viewing and search histories, is said to originate from a breach involving third-party analytics provider Mixpanel.
The incident has once again raised concerns about the long-term risks associated with third-party data analytics services, particularly when historical user information is retained years after business relationships end.
Third-Party Breach Sparks Fallout
PornHub disclosed late last week that it had been affected by a cybersecurity incident tied to Mixpanel, a widely used product analytics platform. Mixpanel confirmed in November that it suffered a breach on November 8, 2025, after attackers successfully carried out an SMS phishing—or “smishing”—campaign that allowed them to compromise internal systems.
In a public security notice, PornHub emphasized that the breach did not involve its own infrastructure.
“A recent cybersecurity incident involving Mixpanel, a third-party data analytics provider, has impacted some PornHub Premium users,” the company stated. “This situation affects only select Premium users and did not involve a breach of PornHub’s systems. Passwords, payment details, and financial information were not exposed.”
PornHub further clarified that it has not worked with Mixpanel since 2021, suggesting the compromised information consists of historical analytics data that is at least four years old.
Hackers Claim Massive Dataset
Despite the age of the data, the potential exposure is significant. According to information shared with cybersecurity journalists, ShinyHunters claims to have obtained approximately 94 gigabytes of data, encompassing more than 200 million individual analytics records tied to PornHub Premium users.
In extortion emails sent to affected organizations, the hackers identified themselves explicitly as ShinyHunters and threatened to publish stolen data unless a ransom was paid. PornHub was among the companies targeted.
The group later confirmed its involvement to reporters, stating that the dataset includes 201,211,943 records reflecting Premium users’ historical search queries, video views, downloads, and channel interactions.
Highly Sensitive User Information Exposed
Samples of the data reviewed by independent researchers indicate that the analytics records contain deeply personal information that many users would consider extremely sensitive. The exposed data reportedly includes:
- Email addresses tied to Premium accounts
- Timestamps of viewing and download activity
- Video URLs and titles
- Keywords associated with viewed content
- Geographic location data
- Search terms used on the platform
While no financial or authentication data appears to be included, privacy experts warn that even historical consumption data from an adult platform can pose severe reputational and personal risks if made public.
This kind of behavioral data can be devastating if exposed and can be used for blackmail, doxxing, or targeted harassment for years after the breach.
Mixpanel Disputes Breach Attribution
After reports emerged linking the extortion attempt to the November Mixpanel breach, the analytics firm pushed back on claims that the data originated from that incident.
In a statement provided after publication of initial reports, Mixpanel said it found no evidence that the PornHub data was exfiltrated during the November breach.
“We can find no indication that this data was stolen from Mixpanel during our November 2025 security incident,” the company said. “The data was last accessed by a legitimate employee account at PornHub’s parent company in 2023.”
Mixpanel added that if the data is currently in the hands of unauthorized parties, it does not believe that outcome is the result of a Mixpanel security failure—leaving open questions about how the information ultimately fell into criminal hands.
A Pattern of High-Profile Breaches
The incident marks the first public confirmation that ShinyHunters was behind the Mixpanel-related attacks, adding to the group’s growing list of high-impact breaches in 2025.
Earlier this year, the group was linked to a wave of intrusions involving Salesforce integrations, where attackers compromised third-party vendors to gain access to corporate Salesforce environments. Those campaigns affected dozens—if not hundreds—of organizations across multiple sectors.
Security researchers have also tied ShinyHunters to the exploitation of a zero-day vulnerability in Oracle E-Business Suite (CVE-2025-61884). The vulnerability is in the Runtime UI component of the Oracle Configurator product of Oracle E-Business Suite, and the supported versions affected are 12.2.3-12.2.14. It is easily exploitable and allows an unauthenticated attacker with network access via HTTP to compromise Oracle Configurator. Successful attacks can result in unauthorized access to critical data or complete access to all Oracle Configurator accessible data.
ShinyHunters is also tied to breaches involving Drift and Gainsight, both of which resulted in further exposure of Salesforce-hosted customer data.
With Mixpanel now added to the list, ShinyHunters has been responsible for some of the most damaging and wide-reaching data breaches of the year.
Escalation Toward Ransomware
Beyond data theft and extortion, ShinyHunters appears to be expanding its operations. The group is reportedly developing a ransomware-as-a-service platform known as ShinySpid3r, which is expected to enable affiliated threat actors—including those associated with the Scattered Spider collective—to conduct full-scale ransomware attacks.
This shift mirrors a broader trend among extortion-focused groups, which increasingly combine data theft with encryption-based attacks to maximize leverage over victims.
Unanswered Questions Remain
PornHub has declined to comment further beyond its initial security notice, and it remains unclear whether the company—or its parent organization—has engaged with the attackers or involved law enforcement.
Meanwhile, the incident highlights persistent challenges facing companies that rely on third-party analytics platforms: even years after a vendor relationship ends, retained data can resurface in damaging ways.
For affected users, the breach serves as another reminder that digital footprints—especially those involving highly personal behavior—can persist long after accounts are closed or services are discontinued.
As investigations continue, regulators and privacy advocates are likely to scrutinize how long such data should be retained and who ultimately bears responsibility when it is exposed.
A Closer Look At Threat Actor ShinyHunters
ShinyHunters is a black-hat cybercriminal and extortion group believed to have emerged in 2020. The group has been linked to a large number of high-profile data breaches worldwide. Its typical modus operandi involves breaching corporate systems, stealing sensitive data, and extorting the affected organization. If ransom demands are not met, the stolen data is frequently sold or leaked on underground forums and the dark web.
The group’s name is thought to reference “shiny Pokémon,” a rare variant in the Pokémon video game franchise. Players who actively seek these rare variants are commonly known as “shiny hunters,” a term the group appears to have adopted as a pseudonym.
Notable data breaches
Since 2020, ShinyHunters has been associated with breaches affecting hundreds of millions of users across a wide range of industries, including technology, retail, education, finance, and media.
Early incidents in 2020 included attacks on Mathway (approximately 25 million users), Tokopedia (91 million users), Wishbone, Microsoft’s private GitHub repositories, and Wattpad (270 million users). Later that year, additional breaches were reported at Pluto TV, Animal Jam, and Mashable.
In 2021, the group was linked to data leaks involving Pixlr, Nitro PDF, Bonobos, AT&T Wireless, and Aditya Birla Fashion and Retail. These incidents exposed personal data such as email addresses, phone numbers, physical addresses, order histories, and, in some cases, hashed passwords and partial payment information.
From 2024 onward, ShinyHunters was implicated in a renewed wave of large-scale intrusions. These included multiple AT&T Wireless breaches as well as incidents at Santander, Ticketmaster, PowerSchool, the U.K. Legal Aid Agency, and luxury conglomerate LVMH and its subsidiaries. In several cases, ransom payments were reportedly made, though re-extortion attempts and data leaks continued afterward.
In 2024, ShinyHunters claimed responsibility for attacks targeting customers of the Snowflake cloud platform, including Ticketmaster, Santander, Neiman Marcus, Twilio, and Truist Bank. These incidents were part of a broader campaign exploiting compromised credentials and cloud misconfigurations.
Beginning in 2025, ShinyHunters was tied to extensive Salesforce-focused intrusion campaigns tracked by Google Threat Intelligence as UNC6040 and UNC6395. These attacks relied heavily on social engineering, particularly voice phishing (vishing), in which attackers impersonated IT support staff. Victims were tricked into installing modified Salesforce Data Loader tools or authorizing malicious OAuth applications, allowing attackers to exfiltrate sensitive CRM data.
These campaigns affected hundreds of organizations globally, including Google, Cisco, Adidas, Qantas, Allianz Life, Workday, Chanel, TransUnion, and multiple LVMH brands. Google described the UNC6395 campaign as the largest SaaS compromise on record, with attackers claiming to have stolen approximately 1.5 billion records from more than 700 organizations.
In addition to confirmed incidents, ShinyHunters has been credited with or claimed responsibility for dozens of other breaches affecting platforms such as JusPay, Zoosk, Drizly, Unacademy, BigBasket, Twilio, Neiman Marcus, and many others. Estimated exposure across all incidents reaches into the billions of user records.
Investigations
The group has been investigated by multiple law-enforcement agencies, including the FBI, Indonesian National Police, Indian authorities, and European cybercrime units. Several affected companies have faced class-action lawsuits following ShinyHunters-linked breaches, while others reported incidents directly to law enforcement and national cybersecurity agencies.
In May 2022, French programmer Sébastien Raoult was arrested in Morocco, extradited to the United States, and later sentenced to three years in prison for conspiracy to commit wire fraud and aggravated identity theft related to ShinyHunters activities.
In 2025, U.S. prosecutors charged Matthew D. Lane, a Massachusetts student, in connection with the PowerSchool breach, alleging he extorted the company for $2.85 million in bitcoin after stealing student and teacher data.
In June 2025, French authorities announced the arrest of four individuals linked to ShinyHunters-associated personas as part of a coordinated international law-enforcement operation. Investigators indicated that those arrested were likely affiliates rather than core leadership, and the group is believed to remain active.
