PornHub Premium User Data Breach: Mixpanel Hack Leads to Extortion and Privacy Risks

  • Rescana
  • 23 minutes ago
  • 5 min read

Executive Summary

On November 8, 2025, the third-party analytics provider Mixpanel suffered a security breach following a targeted SMS phishing (smishing) attack. This incident resulted in unauthorized access to historical analytics data, including sensitive user activity records from former PornHub Premium members. The threat actor group ShinyHunters subsequently initiated an extortion campaign, claiming to have exfiltrated 94GB of data containing over 200 million records of search, watch, and download activity. PornHub has confirmed that only select Premium users are affected, with no compromise of passwords, payment details, or financial information. The exposed data is at least four years old, as PornHub ceased using Mixpanel in 2021. Both PornHub and Mixpanel have issued public statements and are cooperating with authorities. This incident underscores the critical risks associated with third-party data analytics providers, particularly in sectors where user privacy is paramount. All information in this summary is directly supported by primary sources, including BleepingComputer (https://www.bleepingcomputer.com/news/security/pornhub-extorted-after-hackers-steal-premium-member-activity-data/), Cyber Daily (https://www.cyberdaily.au/security/13024-watch-that-supply-chain-pornhub-openai-caught-up-in-third-party-hack), and PornHub’s official statement (https://help.pornhub.com/hc/en-us/articles/47334442459283-Important-Message-From-Pornhub).

Technical Information

The breach originated from a smishing attack, a form of social engineering where attackers use SMS messages to deceive recipients into divulging credentials or clicking malicious links. On November 8, 2025, Mixpanel detected unauthorized access to its systems after employees were targeted by such an attack. This initial access is mapped to MITRE ATT&CK technique T1566.003: Phishing: Spearphishing via Service (https://attack.mitre.org/techniques/T1566/003/). The attackers leveraged compromised credentials to access historical analytics data repositories, specifically those containing records last accessed by a legitimate PornHub parent company employee in 2023.

The exfiltrated dataset, as claimed by ShinyHunters, consists of 94GB and over 200 million records. The data includes email addresses, activity types (such as watched, downloaded, or viewed channel), user location, video URLs and names, keywords associated with videos, and timestamps of user actions. Notably, the dataset contains detailed search, watch, and download histories of PornHub Premium members. Sample data reviewed by journalists confirms the presence of highly sensitive user activity information.

ShinyHunters began extorting Mixpanel customers, including PornHub, by sending emails threatening to publish the stolen data unless a ransom was paid. This extortion activity is mapped to MITRE ATT&CK technique T1486: Data Encrypted for Impact (Extortion) (https://attack.mitre.org/techniques/T1486/). The group has a documented history of targeting SaaS and supply chain providers, including previous attacks on Salesforce integration companies, exploitation of the Oracle E-Business Suite zero-day (CVE-2025-61884), and the development of the ShinySpid3r ransomware-as-a-service platform.

No specific malware family or custom tool has been identified in this incident; the primary attack vector was social engineering via SMS. The attackers’ ability to access and exfiltrate data was facilitated by the use of valid credentials, mapped to MITRE ATT&CK technique T1078: Valid Accounts (https://attack.mitre.org/techniques/T1078/). The data was collected from information repositories (T1213: Data from Information Repositories, https://attack.mitre.org/techniques/T1213/) and exfiltrated over a command and control channel (T1041: Exfiltration Over C2 Channel, https://attack.mitre.org/techniques/T1041/).

The incident highlights the persistent risk posed by third-party analytics providers, especially in sectors handling highly sensitive user data. Although PornHub’s core systems were not breached and no current user credentials or payment information were exposed, the retention of historical analytics data by Mixpanel created a significant privacy risk. The breach also demonstrates the importance of supply chain security and the need for regular audits of data retention practices by third-party vendors.

Attribution to ShinyHunters is supported by direct extortion communications, sample data provided to journalists, and a consistent pattern of similar attacks. The confidence level in this attribution is high, based on primary source confirmation and technical evidence.

Affected Versions & Timeline

The affected data pertains exclusively to PornHub Premium users whose activity was recorded by Mixpanel prior to 2021. PornHub has not used Mixpanel services since that year, so all compromised data is at least four years old. The timeline of the incident is as follows: On November 8, 2025, Mixpanel was breached via a smishing attack. The company publicly disclosed the incident on November 27, 2025. PornHub issued its public statement on December 12, 2025, confirming the impact to select Premium users. On December 15 and 16, 2025, BleepingComputer and Cyber Daily reported that ShinyHunters was actively extorting PornHub and other Mixpanel customers, with over 200 million records claimed stolen. As of December 16, 2025, there have been no regulatory filings or law enforcement advisories published regarding this incident.

Threat Activity

The threat actor group ShinyHunters orchestrated the attack and subsequent extortion campaign. Their initial access was achieved through a targeted smishing campaign against Mixpanel employees, resulting in the compromise of valid credentials. Once inside, the attackers accessed and exfiltrated historical analytics data, specifically targeting datasets associated with high-profile customers such as PornHub. The extortion phase involved direct communication with affected organizations, demanding payment to prevent public disclosure of the stolen data.

ShinyHunters is known for targeting SaaS and supply chain providers, often exploiting weak links in third-party integrations to access sensitive data. Their activities in 2025 have included breaches of Salesforce integration companies, exploitation of the Oracle E-Business Suite zero-day (CVE-2025-61884), and attacks on organizations using Salesforce/Drift. The group is also linked to the development of the ShinySpid3r ransomware-as-a-service platform and has collaborated with other threat actors such as Scattered Spider.

The targeting of the adult entertainment sector, specifically PornHub, demonstrates a strategic focus on organizations where user privacy is of utmost importance and the potential impact of data exposure is severe. The incident also highlights the broader risks associated with third-party analytics providers, as similar breaches have affected organizations in the AI and finance sectors, including OpenAI and CoinTracker.

Mitigation & Workarounds

The following mitigation and workaround recommendations are prioritized by severity:

Critical: Organizations should immediately review and restrict third-party vendor access to sensitive data, especially historical analytics records. Conduct a comprehensive audit of all data retained by third-party providers and ensure that data retention policies are enforced and regularly reviewed.

High: Implement multi-factor authentication (MFA) for all accounts with access to sensitive data, including those managed by third-party vendors. Regularly test and update incident response plans to address supply chain and third-party breaches.

High: Enhance employee training programs to recognize and report smishing and other social engineering attacks. Ensure that all staff, including those at third-party vendors, are aware of the latest phishing tactics.

Medium: Establish contractual requirements for third-party vendors to promptly notify customers of any security incidents and to cooperate fully in incident response and remediation efforts.

Medium: Monitor for signs of extortion attempts and data leaks on public and dark web forums. Engage with law enforcement and relevant authorities as soon as an extortion demand is received.

Low: Review and update privacy notices and user communications to transparently inform affected users about the nature and scope of any data exposure, even if the data is historical.
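One way to operationalize the retention audit called for in the Critical item above, as an added example that is not part of the original post: a Python check over a constructed (hypothetical) inventory of data held by third-party vendors. It flags datasets still held by a vendor whose contract has ended (the situation described in this incident, where data outlived the vendor relationship) and datasets older than the retention window, and ranks PII-bearing datasets first. Vendor names, dataset names and dates are constructed.

```python
from datetime import date

# Constructed (hypothetical) inventory of data held by third-party vendors.
# contract_ended is None while the vendor is still in use; newest_record is
# the most recent record the vendor holds for that dataset.
VENDOR_INVENTORY = [
    {"vendor": "analytics-vendor-a", "dataset": "premium_activity_events",
     "contract_ended": date(2021, 1, 1), "newest_record": date(2020, 12, 31),
     "contains_pii": True},
    {"vendor": "analytics-vendor-a", "dataset": "aggregate_pageviews",
     "contract_ended": date(2021, 1, 1), "newest_record": date(2020, 12, 31),
     "contains_pii": False},
    {"vendor": "crm-vendor-b", "dataset": "support_tickets",
     "contract_ended": None, "newest_record": date(2025, 11, 30),
     "contains_pii": True},
    {"vendor": "crm-vendor-b", "dataset": "archived_tickets_2019",
     "contract_ended": None, "newest_record": date(2019, 6, 30),
     "contains_pii": True},
]

SEVERITY_RANK = {"critical": 0, "medium": 1}


def audit_retention(inventory, today, max_age_years=2):
    """Return datasets a vendor should no longer hold, most severe first.
    today may be a date or an ISO date string. A dataset is flagged when its
    vendor was offboarded but still holds it, or when its newest record is
    older than max_age_years. Datasets containing PII are rated critical."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings = []
    for item in inventory:
        ended = item["contract_ended"]
        age_years = (today - item["newest_record"]).days / 365.25
        if ended is not None and ended <= today:
            reason = f"vendor offboarded on {ended.isoformat()}, data still held"
        elif age_years > max_age_years:
            reason = f"newest record is {age_years:.1f} years old, window is {max_age_years}"
        else:
            continue  # within policy: active vendor, data inside the window
        findings.append({
            "vendor": item["vendor"], "dataset": item["dataset"], "reason": reason,
            "severity": "critical" if item["contains_pii"] else "medium",
        })
    findings.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["vendor"], f["dataset"]))
    return findings


if __name__ == "__main__":
    for f in audit_retention(VENDOR_INVENTORY, "2025-12-16"):
        print(f"[{f['severity']}] {f['vendor']}/{f['dataset']}: {f['reason']}")
```

In a real audit the inventory would be fed from the vendor register and each vendor's data-processing records rather than a literal list.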

References

https://www.bleepingcomputer.com/news/security/pornhub-extorted-after-hackers-steal-premium-member-activity-data/

https://www.cyberdaily.au/security/13024-watch-that-supply-chain-pornhub-openai-caught-up-in-third-party-hack

https://help.pornhub.com/hc/en-us/articles/47334442459283-Important-Message-From-Pornhub

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with external vendors and supply chain partners. Our platform enables continuous evaluation of vendor security posture, supports incident response coordination, and facilitates compliance with data retention and privacy requirements. For questions regarding this incident or to discuss third-party risk management strategies, contact us at ops@rescana.com.