
ShinyHunters Breach Pornhub Premium Data And Demand Ransom: What Happened, Why It Matters

What do we know about the Pornhub Premium data theft?

Adult site Pornhub has confirmed that some Premium users’ data was exposed through a security incident at analytics provider Mixpanel, which the company tied to an SMS phishing (smishing) attack in early November 2025. Pornhub said only a subset of Premium users were affected, stressed that its own systems were not breached, and stated that passwords, payment information, and identity documents were not exposed. (IndianExpress.com)

ShinyHunters claims to have taken roughly 94 GB of data covering about 201 million records. According to BleepingComputer, the stolen analytics reportedly include customer details, email addresses, locations, video URLs and titles, search keywords, and viewing times tied to Premium accounts. That kind of information is highly sensitive because it can fuel extortion, harassment, or public shaming even though financial details appear to have stayed protected. (PCWorld) (SecurityAffairs.com)

Who are ShinyHunters and what are they demanding?

ShinyHunters is a well-known cybercrime group that gained international attention around 2020 and is tied to a long list of major victims. Unusually, the group focuses on stealing data for extortion and resale rather than deploying traditional ransomware, and it sells stolen records to other criminals when companies refuse to pay. (IndianExpress.com) (Wikipedia – ShinyHunters)

In this case, ShinyHunters told Reuters it is demanding a ransom in Bitcoin in exchange for deleting the stolen data rather than publishing it, and it is threatening to release Premium users’ search and watch history if its demands are not met. The pressure is aimed squarely at Pornhub and its parent company, Aylo. (Reuters.com)

How did Mixpanel and Pornhub describe the breach?

Pornhub said the incident stems from a third-party analytics provider and “was not a breach of Pornhub Premium’s systems,” emphasizing that only “select Premium users” were impacted and that the affected data came from analytics events rather than its core authentication or billing databases. The company added that the compromised account was secured and further unauthorized access blocked. (IndianExpress.com)

Mixpanel disclosed on November 26, 2025, that it had detected a smishing campaign on November 8 and activated incident response, acknowledging that a “limited set of analytics events” for some customers was affected. But Mixpanel has firmly denied being the source of the leaked Pornhub data, saying its investigation found no evidence the records were exfiltrated in the November incident and noting that Pornhub stopped using Mixpanel around 2021 — meaning only historical, pre-2021 data would remain in its systems. Security researchers say the most likely explanations are a phishing-driven compromise of an employee account or a deliberate insider leak. (Mixpanel.com)

What other high-profile targets has ShinyHunters hit?

ShinyHunters has been linked to attacks on telecom giant AT&T, the 2024 Ticketmaster breach affecting hundreds of millions of customers, and a wave of 2025 Salesforce-related intrusions, along with victims such as Microsoft, Louis Vuitton, and financial-services provider Allianz Life. (IndianExpress.com)

In 2025, investigators reported the group stole details of potentially millions of customers from Kering’s luxury brands — including Gucci, Balenciaga, and Alexander McQueen — then tried to extort the company in Bitcoin. By 2026 the group’s reach had grown further, with a sprawling Salesforce-data extortion campaign and a high-profile breach of the Canvas learning platform operated by Instructure, underscoring how aggressively it has scaled. (BBC.com)

How does ShinyHunters typically break into companies?

Unlike attacks that rely mainly on software vulnerabilities, ShinyHunters is known for voice- and SMS-based social engineering — vishing and smishing — to trick employees at targeted firms or their suppliers. The group impersonates internal staff or trusted partners and persuades victims to grant access, approve multi-factor authentication prompts, or hand over credentials that open the door to internal tools and data stores. (IndianExpress.com)

The Mixpanel incident fits that pattern, with attackers reportedly using SMS phishing to reach an analytics environment full of detailed user-activity metrics. The same campaign rippled across other major Mixpanel customers: OpenAI confirmed some of its API users were affected, and SoundCloud disclosed that roughly 28 million accounts — about a fifth of its user base — had data exposed. (PCWorld)

Why is the Pornhub case especially sensitive?

The Pornhub incident stands out because the stolen data is tied to intimate viewing habits, which many users would regard as more sensitive than typical profile information or even some financial data. Public exposure of such records — especially if linked to identifiable email addresses or location metadata — could be used for blackmail, outing, or social and professional harm. (InsuranceJournal.com)

Privacy advocates argue the case shows how even routine analytics logging can create long-lived, high-risk datasets when tied to adult content. It also raises hard questions for regulators about how third-party vendors handle sensitive categories of data and what safeguards should be mandatory. Affected users are advised to stay alert for targeted phishing or extortion emails, avoid engaging with ransom messages, and treat any contact referencing their viewing history with suspicion. (LeMonde.fr)

Jeffrey Childers
Journalist, editor, cybersecurity and computer science expert, social media management, roofing contractor.
