Intimacy for Ransom: ShinyHunters Extorts PornHub Over 200M Stolen Premium Search & Watch Records
PornHub has stated that it has become the target of extortion by the ShinyHunters group, which claims to have obtained data related to search queries and viewing histories of Premium users. According to the company, the issue stems from a security incident at analytics contractor Mixpanel, rather than a breach of PornHub’s internal systems.
PornHub reported that it learned last week of its potential exposure following Mixpanel’s recent incident. On November 8, 2025, the analytics service was compromised via a smishing attack that enabled attackers to gain access to its systems. In its notification, PornHub emphasized that the situation affects only a subset of Premium users and is unrelated to any compromise of PornHub Premium itself. The company stressed that passwords, payment details, and financial information were not affected.
PornHub further noted that it has not worked with Mixpanel since 2021, meaning that any stolen records—if they do indeed pertain to PornHub—would necessarily be historical, dating back no later than 2021. Mixpanel, for its part, has stated that the November incident impacted only a “limited number” of clients, with OpenAI and CoinTracker previously disclosing that they were affected.
This episode marks the first public confirmation that ShinyHunters was behind the extortion of Mixpanel’s clients. Reports indicate that, last week, ShinyHunters began sending threatening emails demanding ransom payments in exchange for withholding the publication of stolen data. In communications directed at PornHub, the group claimed to have exfiltrated 94 GB of data encompassing more than 200 million personal records, later specifying a total of 201,211,943 records of historical Premium account activity, including searches, views, and downloads.
A small sample suggests that analytics “events” may contain extremely sensitive details: user email addresses, activity types, locations, URLs and video titles, keywords, and timestamps. The activity categories reportedly include video views and downloads, channel visits, and—according to ShinyHunters—search queries as well.
Following publication of these claims, Mixpanel stated that it does not believe the data in question was stolen during the November incident. The company said it has found no evidence of data exfiltration from Mixpanel tied to the November 2025 compromise, asserting instead that the last access to the relevant data occurred in 2023 via a legitimate account belonging to an employee of PornHub’s parent company. If the data ultimately reached unauthorized parties, Mixpanel maintains that, in its assessment, this was not the result of a Mixpanel breach.
In 2025, ShinyHunters has already been linked to a series of high-profile data leaks, often gaining access through various Salesforce integrators and related attack chains. The group has also been associated with the exploitation of a zero-day vulnerability in Oracle E-Business Suite (CVE-2025-61884), attacks targeting Salesforce/Drift, and the recent breach of Gainsight, which allegedly granted access to additional Salesforce data across multiple organizations.
Now, with confirmation of ShinyHunters’ involvement in the Mixpanel affair, the group is being named as responsible for some of the most prominent data breaches of 2025. Moreover, available information suggests that ShinyHunters is developing a new ransomware-as-a-service platform, dubbed ShinySpid3r, intended to serve as an operational hub for the group itself and affiliated actors linked to Scattered Spider in future extortion campaigns.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
