Adult video website Pornhub recently confirmed that the search and viewing activity data of some of its premium members were leaked in a security incident of third-party analytics service provider Mixpanel and used for blackmail by the hacker group ShinyHunters. Pornhub said in a security advisory issued last week that the incident stemmed from a cyber attack on Mixpanel. The data involved only involved "some advanced users" and was not a breach of Pornhub's own system. User passwords, payment information and financial data were not exposed.

According to previously disclosed information, Mixpanel encountered an SMS phishing attack on November 8, 2025. Hackers used this to invade its system, resulting in the leakage of some customer data. Companies such as OpenAI and CoinTracker have previously confirmed that they were affected by the same incident. Pornhub said it no longer uses the Mixpanel service as of 2021, meaning that the currently stolen data is historical analysis data from 2021 and earlier. Mixpanel said that a "limited number" of customers were affected and emphasized that there is currently no evidence that the batch of Pornhub data used for extortion originated from the security incident in November.

BleepingComputer has learned that ShinyHunters began sending extortion emails to multiple Mixpanel customers last week, threatening to disclose the data it held if the ransom was not paid. In a ransom note sent to Pornhub, the group claimed to have stolen 94GB of data from Mixpanel, containing more than 200 million records related to personal information. ShinyHunters later confirmed to the media that the data covers 201211943 historical search, viewing and download activity records of Pornhub Premium members.

A small sample reviewed by BleepingComputer revealed that the analytics event data Pornhub sent to Mixpanel contained a large amount of highly sensitive information about users. These fields include the email address of the premium member, activity type, geographical location information, video link, video title, video-related keywords, and the specific time when the event occurred. The types of activities that have been observed include watching videos, downloading videos, and browsing channels. ShinyHunters also said that it also includes user search history data.

It is worth noting that Mixpanel emphasized in its response that it has not been found that the data used for blackmail was stolen during its security incident in November 2025, and that the relevant data was last accessed by a legitimate employee account of Pornhub’s parent company in 2023. Mixpanel said that if the data now fell into the hands of unauthorized parties, it was "not due to a security incident at Mixpanel." Pornhub did not provide further details beyond the announcement when asked by the media.

ShinyHunters has frequently appeared in many major data breaches in recent years, mainly by intruding into various service providers integrated with Salesforce, then accessing the enterprise's Salesforce instance and stealing a large amount of company data. The group has been linked to previously exposed exploits of an Oracle E-Business Suite zero-day vulnerability (CVE-2025-61884), as well as attacks against Salesforce/Drift that impacted numerous organizations earlier this year. Going even further, ShinyHunters is also accused of hacking customer success platform GainSight to further steal more of the organization's data hosted in a Salesforce environment.

With ShinyHunters confirmed to be also behind this Mixpanel-related incident, the group has become one of the most damaging data breaches of 2025, implicating hundreds of businesses. At the same time, the group is building a new ransomware-as-a-service platform called "ShinySp1d3r" and cooperating with threat actors such as Scattered Spider to carry out larger-scale ransomware attacks, further increasing its influence in the cybercriminal ecosystem.