Extortionists Blackmail PornHub After Stealing Premium Subscribers' Data
The ShinyHunters hacking group is extorting money from PornHub, claiming to have stolen browsing histories and search queries of premium subscribers. PornHub confirmed the data leak stems from the November compromise of analytics service Mixpanel, which fell victim to SMS phishing.
PornHub reported the leak occurred after Mixpanel's compromise on November 8, 2025.
"The Mixpanel incident has affected some PornHub Premium users. It's important to clarify: this is not hacking our systems. Passwords, payment details and financial information were not affected and were not disclosed," PornHub stated.
PornHub stopped using Mixpanel in 2021, meaning only analytical data from 2021 and earlier was exposed.
Mixpanel Breach
Mixpanel disclosed the attack last month, stating it affected a limited number of customers—including OpenAI and cryptocurrency platform CoinTracker—but provided minimal technical details. The company attributed the compromise to an SMS phishing campaign discovered November 9, 2025.
ShinyHunters began blackmailing Mixpanel customers this week, sending ransom demands and threatening to release stolen data. In a message to PornHub, the group claimed to have stolen 94 GB of data containing more than 200 million records of users' personal information. ShinyHunters later told reporters they possess 201,211,943 records of search history, views, and downloads from PornHub premium users.
Data samples from the hackers showed analytics events sent to Mixpanel contained sensitive information: subscriber email addresses, activity types, locations, specific video URLs, video titles, related keywords, and timestamps. Activity data includes video watching and downloading, plus channel viewing on PornHub. ShinyHunters claims the stolen records include search history.
ShinyHunters Campaign
ShinyHunters ranks among 2025's most active hacking groups. Security researchers recently linked the group to exploiting a zero-day vulnerability in Oracle E-Business Suite (CVE-2025-61884). Earlier in 2025, ShinyHunters attacked Salesforce and Drift platforms, affecting dozens of organizations.
In November, the group compromised Gainsight, a customer relationship management company that helps Salesforce customers monitor customer data. Salesforce warned the leak affected Gainsight-published applications connected to Salesforce, giving ShinyHunters expanded access.
With the Mixpanel connection confirmed, ShinyHunters is responsible for the largest data leaks of 2025, affecting hundreds of companies.
ShinyHunters and the Scattered Spider group recently switched to a new ransomware-as-a-service platform called ShinySp1d3r, abandoning third-party encryptors ALPHV/BlackCat, RansomHub, Qilin, and DragonForce.
