Blog
Home

Pornhub Premium “Analytics” Extortion: What Happened, How It May Have Happened, and What’s Being Done Now

In mid-December 2025, Pornhub became the subject of an extortion threat after a hacker group claimed it had obtained a large dataset tied to Pornhub Premium user activity. The story is unusual not because of stolen payment details or passwords (those have not been the focus), but because the alleged dataset centers on analytics events — the behind-the-scenes tracking records many sites generate to measure engagement and product performance. What makes this incident especially sensitive is that “analytics” data, when it includes identifiers like emails and is paired with viewing/search metadata, can become deeply personal — and therefore highly attractive for extortion.

12/17/20254 min read

Pornhub Premium Analytics Extortion: What We Know So Far

What happened

A threat actor/group operating under the name ShinyHunters claimed responsibility for obtaining a dataset linked to Pornhub Premium users and then demanded payment in Bitcoin to prevent the information from being released publicly and to have it deleted.

Public reporting describes this as an extortion attempt rather than a conventional “data breach disclosure” (where attackers publish a dump immediately). Instead, the alleged attackers are using the dataset as leverage: pay, or we leak.

The reported scale is large. The attackers claimed the data totals roughly 94GB and includes 201,211,943 records of Premium-member activity. These figures are the attackers’ claims as reported, not independently verified in full.

What kind of data is at the center of the extortion

Multiple reports describe the dataset as “analytics events” for Premium users the sort of event logs that get produced when a site tracks actions such as:

  • watching or downloading content

  • searching for terms

  • viewing channels/pages

  • timestamps of actions

  • associated tags/keywords

  • video/page URLs and names

  • approximate location signals

  • and, critically, email addresses used as an identifier in the tracking pipeline

This matters because analytics records aren’t just “a list of users.” They’re often a timeline of actions. If those actions are tied to an email address, they can be used to connect real identities to patterns of browsing behavior.

At the same time, Pornhub’s position (as reported) is that this incident does not involve exposed passwords or payment card details which is why the story has centered on privacy and extortion rather than account takeover and financial fraud.

How it happened (what’s known vs. what’s suspected)

The third-party analytics angle: Mixpanel

The key detail repeated across reporting is the linkage to Mixpanel, a third-party analytics provider. Pornhub said it used Mixpanel up until 2021, which suggests the tracked events (if authentic) may be historical rather than current.

This is important context: a site can stop using a vendor, but historical datasets may still exist in various forms in backups, exports, internal analytics warehouses, shared dashboards, or retained logs depending on retention practices and access controls.

Is it tied to Mixpanel’s own 2025 incident?

Some confusion emerged because Mixpanel had its own incident (reported elsewhere) involving customer data. However, Mixpanel’s response to this Pornhub-linked dataset was essentially: they couldn’t find evidence it originated from that November 2025 incident.

Mixpanel also stated (as reported) that, in its records, the Pornhub-related data was last accessed by what it described as a legitimate employee account associated with Pornhub’s parent company in 2023 which changes the likely story from “vendor hacked” to something more like credential compromise, account misuse, or an internal access path being abused.

It’s crucial to be precise here: that does not prove an insider was involved, and it does not prove which system the data came from. But it does indicate investigators are looking closely at authorized account access rather than only external exploitation of Mixpanel systems.

Independent signals the data could be real

Reuters reported that ShinyHunters shared sample data for 14 alleged users, and that parts of that sample matched records held by a dark web intelligence firm; additionally, some individuals confirmed past Premium subscriptions. This doesn’t validate the entire dataset or every field but it does provide meaningful corroboration that at least some of the material shown resembles real-world data.

Why “analytics events” can leak even without a direct Pornhub breach

Even when a company’s core user database is secure, analytics pipelines can introduce extra exposure paths because they often involve:

  • multiple internal teams and dashboards

  • service accounts/API keys

  • exports to data warehouses

  • long retention periods

  • broad read access for product/marketing analytics

If any part of that chain is misconfigured or an account is compromised, event logs can be copied in bulk without touching “payment systems” or “password databases.” The reporting around this incident aligns with that kind of scenario an analytics dataset being abused as extortion material rather than a classic credential dump.

What’s going on now (responses and remediation in progress)

Pornhub’s response

Pornhub’s public line (as reported) is that:

  • it stopped using Mixpanel in 2021, and

  • the data being discussed is framed in connection with that earlier analytics tooling period, not a current active integration

Pornhub also indicated that passwords and payment details weren’t exposed positioning the incident as a privacy/extortion matter rather than direct financial compromise.

What that implies about remediation: when a company disputes the breach path and emphasizes vendor discontinuation, the immediate focus tends to be (1) validating what data exists, (2) determining where it was stored, (3) reviewing access trails, and (4) tightening or removing any remaining legacy access routes connected to the old analytics stack.

Mixpanel’s response

Mixpanel’s statements (as reported) are significant because they narrow the likely technical story:

  • it says it cannot connect the dataset to its separate November 2025 incident, and

  • it points to access that looked like it came from a legitimate employee account tied to Pornhub’s parent org, last seen accessing the data in 2023

What that implies about remediation: this kind of finding typically triggers a deeper audit around:

  • authentication logs and access tokens for the referenced account

  • historical exports and where they were sent

  • whether credentials were compromised (phishing, password reuse, session theft)

  • and whether the data should have still been accessible at all in 2023 given Pornhub’s statement about stopping Mixpanel usage in 2021

Is the data publicly leaked yet?

At the time of the Guardian’s reporting, a security firm source said they hadn’t seen the full dataset circulating on leak channels suggesting the extortion phase may have been ongoing rather than a completed “dump and run” leak event. (That can change quickly in extortion cases, but the reporting snapshot matters for understanding the current state.)

The key open questions investigators are trying to answer

Based on the public reporting and the statements attributed to Pornhub and Mixpanel, the big unresolved items are:

  1. Where exactly did the dataset come from?
    Mixpanel, a separate store/export, or an internal archive?

  2. How did the attacker obtain access?
    External compromise, misconfiguration, or misuse of a legitimate account (possibly via stolen credentials).

  3. How current is the data?
    Pornhub suggests the analytics relationship ended in 2021; Mixpanel points to access continuing into 2023. The dataset’s true time range matters for assessing scope and exposure.

  4. What portion of the dataset is authentic and complete?
    Reuters’ partial corroboration supports authenticity for some sample material, but not necessarily the entire claimed 94GB.