Are you a Pornhub Premium member? You may want to pay more attention to a notification about a data leak described as a “limited set of scan events.” This language hides the real story: your monitoring and search history could now be in the hands of hackers, and its release will depend on whether or not Pornhub pays the ransom demanded.
As reported by BleepingComputer, Pornhub claims the breach occurred via a smishing attack against third-party analytics partner Mixpanel. This hack took place on November 8 and was initially linked to leaks at OpenAi and CoinTracker. Only certain users were affected, and no passwords, payment details, financial information or government IDs were stolen. The company also says its partnership with Mixpanel ended in 2021.
For its part, Mixpanel has since told BleepingComputer that “[t]The data was last accessed by a legitimate employee account of Pornhub’s parent company in 2023. If this data is in the hands of an unauthorized party, we do not believe it is the result of a security incident at Mixpanel.
Since Pornhub’s initial notification, the ShinyHunters ransomware group has publicly claimed responsibility for the hack, via emails to affected companies demanding a ransom to prevent the data from being released. Pornhub’s is one of the most potentially harmful to users if released, with a 94GB dataset containing the search, viewing and download histories of more than 200 million Pornhub Premium subscribers.
In its report, BleepingComputer says it has seen sample data, which includes the member’s email address, activity type, location, video links, video names, keywords associated with the video, and when the user activity took place. For activity types, BleepingComputer only checked whether a subscriber watched or downloaded a video, or watched a channel. Search history is not confirmed as part of the dataset.
Jared Newman / Foundry
So what does this mean for you, if you’re a long-time or former Pornhub Premium subscriber? First, don’t panic. This could be a serious violation of your privacy, yes. But it is not worth extreme action on your part. Instead, consider preparing on these fronts:
Extortion: You may be exposed to subsequent extortion attempts, if Pornhub and ShinyHunters fail to reach an agreement on ransom payment and the information is leaked to the wider dark web. I do not recommend paying even once, as this may result in further requests for additional or higher amounts of money. Instead, plan now how you yourself will (if warranted) handle the news to your family, employer, etc. Or how to protect yourself from negative reactions if that’s not possible.
Scams: Fraudsters have become more sophisticated in their approach to victims, with AI tools doing much of the work of designing specialized campaigns. If Pornhub data leaks, be wary of messages or invitations that suit your tastes. You could end up falling for a romance scam, for example.
Hide your email address: Consider switching to masked email addresses for your accounts now. These aliases hide your real email address while diverting messages to your main inbox, preventing attackers (and onlookers) from immediately identifying you or creating a profile about you to better scam or extort you. You can even try them for free!
Unfortunately, data leaks will only continue in the future. For most people, who might be uncomfortable with others knowing what they buy, view, or frequent, it’s best not to trust companies to protect your information. I now assume that any details I give to a website could become public through no fault of my own, and I plan accordingly.
