ShinyHunters hacks Pornhub, steals personal info

Hacking group claims to have users’ names and addresses

Hacking group ShinyHunters says it has stolen around 200 million pieces of personal data from Pornhub, one of the world’s most popular adult websites.

The hacking group is known for its high-profile breaches of companies like Microsoft and Pandora. It specialises in extortion attacks, making sensitive data like this particularly valuable.

The stolen information allegedly includes the names, email addresses, locations and viewing habits of Pornhub Premium users.

At least three former customers in the US and Canada have confirmed to Reuters that the data is authentic, although several years old.

Pornhub confirmed that there had been a cyber “incident” in a statement, adding:

“Specifically, this situation affects only select Premium users. It is important to note this was not a breach of Pornhub Premium’s systems. Passwords, payment details, and financial information remain secure and were not exposed.”

The company blamed the incident on third-party analytics firm Mixpanel, which it says it stopped working with in 2021.

Mixpanel previously disclosed a cyber incident on 27^th November, but has disputed Pornhub’s statement: it claims there is no evidence that it is the source of the leaked data.

Pornhub continued, ““The unauthorised party was able to use this unauthorised access to extract a limited set of analytics events for some users.”

“Limited” is debateable, considering the sensitive nature of the information.

Chris Hauk, consumer privacy advocate at Pixel Privacy, said, “Other than certain kinds of illegal adult content, viewing such videos is more accepted these days. However, many individuals could be targeted due to their status or jobs.

“For example, if a priest or other type of clergyman is revealed to be a patron of the pornographic arts, this could definitely pose a problem for them. The same goes for CEOs and other high-visibility individuals.”

And Javvad Malik, cybersecurity expert at KnowBe4, pointed out that while telemetry data like viewing habits – which includes titles and links of watched videos – may seem harmless, “in the right circumstances, it can become toxic... [and] easily turn into tools of extortion.”

There is currently no evidence that ShinyHunters has leaked the stolen data online, but has shown snippets of what it claims are Pornhub Premium users’ details.

Although the stolen information appears to be several years old, and so predates the UK’s Online Safety Act coming into force this year, critics have warned about hackers targeting adult sites now that they have to collect users’ personal data by law.