ShinyHunters Breach Pornhub Premium Data And Demand Ransom: What Happened, Why It Matters

What do we know about the Pornhub Premium data theft?
Adult site Pornhub has confirmed that some Premium users’ data was exposed after a security incident at analytics provider Mixpanel, triggered by an SMS phishing (smishing) attack in early November 2025. Pornhub said only a subset of Premium users were affected and stressed that its own systems were not breached, and that passwords, payment information, and financial data were not exposed. (IndianExpress.com)
According to security reports, the stolen data includes search and viewing histories linked to contact details for Pornhub Premium accounts, with the hackers claiming access to about 94 GB of data and more than 200 million records. This type of information is highly sensitive because it can be used for extortion, harassment, or public shaming even if financial details remain protected. (PCWorld) (SecurityAffairs.com)
Who are ShinyHunters and what are they demanding?
ShinyHunters is a well-known cybercrime group that gained international attention around 2020 and claims to have carried out more than 90 successful attacks on major companies. The group is primarily financially motivated, profiting through extortion and data sales, but its operations have also caused serious reputational damage for victims in sectors ranging from telecoms to fashion and technology. (IndianExpress.com) (Wikipedia – ShinyHunters)
In this case, ShinyHunters told Reuters it is demanding a ransom payment in Bitcoin from Pornhub to prevent publication of the stolen data and to delete it. The group has threatened to release Premium users’ search and watch history if its demands are not met, escalating pressure on Pornhub and its parent company, Aylo. (Reuters.com)
How did Mixpanel and Pornhub describe the breach?
Pornhub stated that the incident stems from a third-party analytics provider and “was not a breach of Pornhub Premium’s systems,” emphasizing that only “select Premium users” are impacted and that passwords and payment details remain secure. The company also clarified that the affected data came from analytics events tied to Pornhub’s Premium service, not from its core authentication or billing databases. (IndianExpress.com)
Mixpanel disclosed on November 26, 2025, that it had detected a smishing campaign on November 8 and activated its incident response steps, acknowledging that a “limited set of analytics events” for some customers was affected. However, in a statement shared with Reuters, Mixpanel said it could find no indication that Pornhub’s stolen data came from its November 2025 incident and noted that Pornhub’s data in its systems had last been accessed by a legitimate Aylo employee in 2023. (Mixpanel.com)
What other high-profile targets has ShinyHunters hit?
ShinyHunters has been linked to attacks on telecom giant AT&T, where it claimed access to data on tens of millions of customers that was later offered for sale online. Security researchers and media reports also tie the group to breaches involving Salesforce customers and financial services provider Allianz Life, with millions of customer and partner records exposed. (IndianExpress.com)
In 2025, investigators and journalists reported that ShinyHunters stole private details of potentially millions of customers from luxury fashion brands owned by Kering, including Gucci, Balenciaga and Alexander McQueen, and then tried to extort the company in Bitcoin. Cybersecurity outlets have also associated the group with earlier incidents affecting brands like Pandora, Adidas, Chanel, Tiffany & Co., and tech firms such as Cisco, as part of a broader campaign that uses social engineering to infiltrate corporate networks. (BBC.com)
How does ShinyHunters typically break into companies?
Unlike many attacks that rely mainly on software vulnerabilities, ShinyHunters is known for using voice-based and SMS-based social engineering, often called vishing and smishing, to trick employees at targeted firms or their suppliers. In these campaigns, the group impersonates internal staff or trusted partners and persuades victims to grant access, approve multi-factor authentication prompts, or share sensitive credentials that can be used to infiltrate internal tools and data stores. (IndianExpress.com)
The Mixpanel incident described in Pornhub’s statement fits this pattern, with attackers reportedly using SMS phishing to compromise an analytics environment that handled detailed user activity metrics. Cybersecurity reports also connect the same smishing campaign to attacks against other high-profile services, including OpenAI and CoinTracker, showing how one tactic can ripple across multiple major platforms. (PCWorld)
Why is the Pornhub case especially sensitive?
The Pornhub incident stands out because the stolen data is tied to intimate viewing habits, which many users would regard as more sensitive than typical profile information or even some financial data. Public exposure of such records, especially if linked to identifiable email addresses or IP-related metadata, could be used for blackmail, outing, or social and professional harm. (InsuranceJournal.com)
Privacy advocates argue that the case highlights how even seemingly routine analytics logging can create long-lived, high-risk datasets when tied to adult content. The situation also raises questions for regulators and data-protection authorities about how third-party vendors handle sensitive categories of data and what safeguards should be mandatory for such relationships. (LeMonde.fr)



