201M Pornhub Records Leaked, Hackers Want Bitcoin

What Happened

A hacking group known as ShinyHunters says it stole data tied to Pornhub Premium users and is threatening to publish it unless the company pays a ransom in Bitcoin. Reuters reported it was able to verify a small portion of the leaked sample data with former users in Canada and the United States, while Pornhub said the exposure stemmed from a cybersecurity incident at a third-party analytics provider, Mixpanel.

The claimed trove is large. Multiple outlets reported ShinyHunters advertised roughly 94GB of data containing more than 200 million records, often described as “analytics events” rather than full account credentials. Pornhub’s notice said it did not involve a direct compromise of Pornhub Premium systems and that passwords and payment information were not exposed.

Mixpanel publicly acknowledged a separate security incident in November 2025, but the company disputed that the Pornhub-related dataset came from that event. That disagreement has become a central tension in the story because it affects how investigators and regulators may assign responsibility and assess risk for affected users.

Timeline: From First Access To Latest Update

November 8, 2025 (Mixpanel detection and incident response begins)
Mixpanel said it detected a “smishing” campaign on November 8, 2025, and began incident response processes. The company later described this as a limited incident affecting a subset of customers.

November 9, 2025 (Mixpanel acknowledges unauthorized access and data export, per OpenAI)
OpenAI stated Mixpanel became aware on November 9, 2025 that an attacker gained unauthorized access to part of Mixpanel’s systems and exported a dataset containing limited customer-identifiable information and analytics information. OpenAI said Mixpanel later shared the affected dataset with OpenAI.

November 25 to November 27, 2025 (Mixpanel and customers publish public disclosures)
OpenAI published details of the Mixpanel incident and said its own systems were not breached, while Mixpanel posted a public account of its response and timeline.

December 12, 2025 (Pornhub issues a user notice)
Pornhub published a notice warning that a cybersecurity incident involving Mixpanel had affected “select Premium users,” and advised users to be cautious about suspicious messages. Pornhub said the issue involved only a limited set of analytics events and that passwords, payment details, and financial information were not exposed.

December 16, 2025 (Reuters reports ShinyHunters claim and partial verification)
Reuters reported ShinyHunters claimed the theft of Pornhub Premium user data and demanded Bitcoin. Reuters said it verified some details in the leaked sample with a small number of former users.

December 17, 2025 (Broader reporting expands scope and context)
Additional reporting described the data as including viewing habits and search history, and emphasized the potential for sextortion and targeted extortion attempts due to the nature of the activity data.

Latest confirmed update (as of December 17, 2025)
Pornhub continues to attribute the incident to third-party analytics exposure rather than a direct breach of its systems, while Mixpanel continues to dispute that the Pornhub dataset originated from its November incident. Reporting indicates investigations remain ongoing and public confirmation of a full data dump remains limited.

What Data Or Systems Were Affected

Pornhub said the exposure relates to “analytics events” tied to certain Premium users. Public reporting describes the data as potentially including email addresses, user locations, and viewing or search activity, including timestamps and video activity.

Pornhub’s statements stressed that the issue did not involve Pornhub Premium systems directly and that passwords, payment details, and other financial information were not exposed. That distinction matters because it suggests the breach concerns behavioral and metadata rather than credentials that can be used to log in or commit direct payment fraud.

Even without passwords or card data, cybersecurity experts have warned that activity records tied to adult content sites can create high-risk exposure for victims due to the potential for coercion, doxxing, or reputation damage. Malwarebytes reported Pornhub warned users about possible sextortion emails and reminded them it would never ask for passwords or payment information through email.

Who Was Responsible (Confirmed Vs Alleged)

Confirmed:
Mixpanel confirmed it suffered a security incident in November 2025 related to a smishing campaign and said it triggered incident response processes. OpenAI also confirmed Mixpanel notified it about unauthorized access and data export affecting Mixpanel systems, not OpenAI systems.

Alleged:
ShinyHunters claims it stole Pornhub Premium-related user data and is attempting to extort Pornhub. Reuters reported ShinyHunters demanded Bitcoin and said it intended to publish or delete the data depending on payment.

Disputed attribution:
Pornhub attributes its Premium user exposure to the Mixpanel incident, while Mixpanel stated it could find “no indication” the Pornhub dataset was stolen from Mixpanel during the November incident or through other means. This dispute remains unresolved in public reporting.

How The Attack Worked (If Known)

The public technical details focus on Mixpanel’s incident rather than Pornhub’s internal systems. Mixpanel described the incident as smishing-related, which typically involves fraudulent text messages designed to trick employees or contractors into giving attackers credentials or access tokens. OpenAI also framed the Mixpanel event as unauthorized access to part of Mixpanel’s systems, followed by data export.

In the Pornhub case, Pornhub said the exposure involved analytics data, which suggests tracking data that logs user actions, page events, and related metadata. Reporting has highlighted that analytics systems often collect granular behavior data, and attackers can misuse it for extortion even when core account systems remain intact.

Because Mixpanel disputes that the Pornhub dataset came from its incident, the precise pathway remains unclear. It could involve old datasets, retained integrations, exports shared across vendors, or another access route. None of those theories has been publicly confirmed through primary documents as of the latest reporting.

Company Response And Customer Remediation

Pornhub said it began an investigation and engaged with Mixpanel and relevant authorities. The company told users to remain alert for suspicious emails, and Malwarebytes reported Pornhub warned users to expect sextortion attempts related to this exposure.

Pornhub’s notice emphasized that passwords and payment details were not exposed. That messaging indicates Pornhub expects phishing attempts rather than direct account takeover or credit card fraud, although targeted phishing can still lead to compromise if victims reuse passwords across services.

As of the latest available reporting, Pornhub has not publicly announced compensation packages such as credit monitoring, refunds, or vouchers related to this incident. Public reporting also suggests Pornhub and its corporate owner did not respond to some press inquiries outside of the user notice.

Government, Law Enforcement, And Regulator Actions

Mixpanel said it coordinated with law enforcement during its response, and OpenAI stated it received notice and data from Mixpanel as part of the investigation process.

Pornhub said it engaged authorities, but public reporting has not yet identified specific police agencies, regulators, or enforcement actions tied to Pornhub Premium users as of mid-December 2025.

Because Pornhub serves users globally and its corporate ownership is based in Canada, multiple jurisdictions could have oversight depending on where affected users live and how data was processed. Public reporting has not yet confirmed formal regulatory filings or enforcement steps in this case.

Financial, Legal, And Business Impact

The immediate impact described in reporting is reputational risk and user safety risk, especially the threat of sextortion and coercion attempts against Premium users. That kind of harm can translate into churn, reduced subscriptions, and longer-term trust damage, particularly for services tied to sensitive personal behavior.

ShinyHunters threatened publication unless the company pays a ransom in Bitcoin. Public reporting did not confirm a ransom amount or whether negotiations occurred, and Pornhub has not confirmed any payment.

No major lawsuits, fines, or settlement talks have been confirmed in primary sources as of the latest reporting window. That could change quickly if a full dataset appears publicly or if affected users pursue litigation.

What Remains Unclear

Several core questions remain unresolved in public documentation:

1. Origin of the Pornhub dataset. Pornhub attributes the exposure to Mixpanel, while Mixpanel disputes that claim. No independent forensic report has been released publicly.
   
2. Scope and affected population. Pornhub describes “select Premium users,” while reports cite 200+ million records. Records may represent events rather than unique users, but no authoritative public breakdown exists.
   
3. Data age and retention. Some reporting suggests parts of the data may be several years old. Pornhub said it stopped working with Mixpanel in 2021, yet the dataset reportedly includes Premium user analytics events. The retention and transfer chain remains unclear.
   
4. Publication status. Reporting referenced extortion threats and samples, but confirmed evidence of a full public dump remains limited in mainstream reporting as of mid-December 2025.
   

Why This Incident Matters

This incident shows how third-party analytics tools can become part of an organization’s effective security boundary. Even when passwords and payment details remain protected, analytics systems may contain behavioral data that is highly sensitive and uniquely suited for coercion and blackmail.

It also highlights a growing pattern: extortion groups increasingly use partial proof and reputational pressure instead of immediate mass publication, especially when the victim’s user base faces high social risk. Reporting connected ShinyHunters to other high-profile extortion and breach events in recent years, which adds credibility to the threat even when the full dataset has not been publicly confirmed.

Finally, the public disagreement between Pornhub and Mixpanel underscores how supply-chain incidents can create complex accountability disputes. Until forensic findings become public, customers and regulators must treat such cases with caution, focusing on user protection and fraud prevention rather than assumptions about where the compromise occurred.

• Check Out the Recent Data Breaches

Sources

1. Reuters — Hacking group “ShinyHunters” claims theft of data from users of leading sex site Pornhub (Dec. 16, 2025)
   https://www.reuters.com/world/americas/hacking-group-shinyhunters-claims-theft-data-users-leading-sex-site-pornhub-2025-12-16/
2. The Guardian — Hackers access Pornhub’s premium users’ viewing habits and search history (Dec. 17, 2025)
   https://www.theguardian.com/technology/2025/dec/17/hackers-access-pornhub-premium-users-viewing-habits-and-search-history
3. TechRadar — Pornhub cyberattack sees some Premium members data stolen, here’s what we know so far (Dec. 2025)
   https://www.techradar.com/pro/security/pornhub-cyberattack-sees-some-premium-members-have-data-snatched
4. Malwarebytes — Pornhub tells users to expect sextortion emails after data exposure (Dec. 2025)
   https://www.malwarebytes.com/blog/news/2025/12/pornhub-tells-users-to-expect-sextortion-emails-after-data-exposure
5. Mixpanel — Our response to a recent security incident (Nov. 27, 2025)
   https://mixpanel.com/blog/sms-security-incident/
6. The Register — Analytics provider: We didn’t expose stolen smut data (Dec. 16, 2025)
   https://www.theregister.com/2025/12/16/mixpanel_breach_leak_denial/
7. OpenAI — What to know about a recent Mixpanel security incident (Nov. 2025)
   https://openai.com/index/mixpanel-incident/
8. Global News — Pornhub premium users’ data stolen by hackers demanding ransom (Dec. 2025)
   https://globalnews.ca/news/11582009/pornhub-premium-data-hack-shinyhunters/
9. Wired — The Worst Hacks of 2025 (Dec. 2025)
   https://www.wired.com/story/worst-hacks-of-2025/
10. Tom’s Guide — 200 million records exposed in massive Pornhub data breach, here’s what we know so far (Dec. 2025)
    https://www.tomsguide.com/computing/online-security/200-million-records-exposed-in-massive-pornhub-data-breach-heres-what-we-know-so-far