Adult video platform PornHub is facing extortion from the ShinyHunters extortion gang after attackers reportedly stole the search and watch history of its Premium members during a recent Mixpanel data breach.
PornHub Discloses Impact From Mixpanel Breach
Last week, PornHub disclosed that a breach at its analytics vendor Mixpanel affected the company. Mixpanel experienced the breach on November 8th, 2025, when an SMS phishing (smishing) attack allowed threat actors to compromise its systems.
“A recent cybersecurity incident involving Mixpanel, a third-party data analytics provider, has impacted some Pornhub Premium users,” reads a PornHub security notice posted on Friday.
“Specifically, this situation affects only select Premium users. It is important to note this was not a breach of Pornhub Premium’s systems. Passwords, payment details, and financial information remain secure and were not exposed.”
Additionally, PornHub stated that it has not worked with Mixpanel since 2021, indicating that the stolen records consist of historical analytics data collected in 2021 or earlier.
Mixpanel Responds and Questions Data Origin
Meanwhile, Mixpanel said the breach affected a “limited number” of customers, with OpenAI and CoinTracker previously disclosing impacts.
Notably, this marks the first public confirmation linking ShinyHunters to the Mixpanel breach.
When BleepingComputer contacted PornHub, the company declined to provide further comment beyond its previously issued security notice.
After BleepingComputer published its story, Mixpanel told the outlet that it does not believe the exposed data originated from the November breach.
“Mixpanel is aware of reports that Pornhub has been extorted with data that that was allegedly stolen from us,” Mixpanel said.
“We can find no indication that this data was stolen from Mixpanel during our November 2025 security Incident or otherwise.”
“The data was last accessed by a legitimate employee account at Pornhub’s parent company in 2023. If this data is in the hands of an unauthorized party, we do not believe that is the result of a security incident at Mixpanel.”
ShinyHunters Launches Extortion Campaign
Today, BleepingComputer learned that ShinyHunters began extorting Mixpanel customers last week. The group sent emails that opened with “We are ShinyHunters” and warned recipients that the attackers would publish stolen data unless victims paid a ransom.
In an extortion demand sent to PornHub, ShinyHunters claims it stole 94GB of data containing more than 200 million records of personal information during the Mixpanel breach.
ShinyHunters later confirmed to BleepingComputer that it sent the extortion emails and claimed the dataset contains 201,211,943 records of historical search, watch, and download activity belonging to the platform’s Premium members.
A small sample of data shared with BleepingComputer shows that analytics events sent to Mixpanel include a large amount of sensitive information that members would likely prefer to keep private.
The exposed data includes a PornHub Premium member’s email address, activity type, location, video URL, video name, keywords associated with the video, and the time the event occurred.
Activity types reviewed by BleepingComputer show whether a subscriber watched or downloaded a video or viewed a channel. In addition, ShinyHunters stated that the dataset also includes search histories.
ShinyHunters’ Broader 2025 Attack Campaign
Throughout 2025, the ShinyHunters extortion group has orchestrated a series of high-profile data breaches. The group compromised multiple Salesforce integration companies to access Salesforce instances and steal corporate data.
Investigators have also linked the threat actors to exploitation of the Oracle E-Business Suite zero-day vulnerability tracked as CVE-2025-61884, as well as to Salesforce and Drift-related attacks that impacted numerous organizations earlier this year.
More recently, ShinyHunters breached GainSight, allowing the attackers to steal additional Salesforce data from affected companies.
Now that researchers have confirmed ShinyHunters’ involvement in the Mixpanel breach, the group stands responsible for some of the most significant data breaches of 2025, impacting hundreds of organizations worldwide.
Finally, ShinyHunters has begun developing a new ransomware-as-a-service platform called ShinySpid3r. The service will enable the group and threat actors associated with Scattered Spider to conduct future ransomware attacks.
Source: BleepingComputer, Lawrence Abrams
Read more at Impreza News
