Pornhub breach exposes data of more than 200 million users tied to third-party analytics

Pornhub said on Sunday that data and search histories for more than 200 million premium users may have been exposed in a security breach linked to a third-party analytics provider. The platform disclosed the issue on December 12 and updated the information on December 16, noting that an unauthorized party gained access to analytics data stored with Mixpanel, a third-party data analytics service. Pornhub said the breach did not involve its own systems and that passwords, payment details and government IDs were not compromised. The company added that it has secured the affected account and halted the unauthorized access.

Hackers claimed they infiltrated Mixpanel, a system Pornhub uses to analyze site traffic and user interactions, and were able to extract a limited set of analytics events for some users. In a later release, Pornhub described the data as limited and associated with analytics events rather than the core platform databases. The breach has heightened privacy concerns given the sensitive nature of the site and the potential for highly identifiable information to be tied to individual users.

According to the company, the data set could include email addresses, location, video titles, search keywords, activity types and timestamps for more than 200 million entries. The hackers claimed they possessed a “massive data set” of such records and have publicly offered what they described as Pornhub Premium analytics data, naming several tech companies as victims. Pornhub said it has informed affected users and urged them to be vigilant for phishing attempts or suspicious messages.

Mixpanel’s chief executive officer, Jen Taylor, said the company took steps to contain and eradicate unauthorized access and to secure impacted user accounts, and that it engaged external cybersecurity partners to remediate the incident. The company told BleepingComputer that it could not verify whether the Pornhub data being circulated originated from the November breach on which Mixpanel’s systems were targeted. Pornhub has said it stopped using Mixpanel in 2023, meaning the data involved likely predates 2023.

The breach appears to be tied to a November incident affecting Mixpanel’s analytics platform, with Pornhub noting that the data involved date back to that period or earlier. BleepingComputer reported that the compromised analytics data may have encompassed event logs and user interactions rather than full account details. Pornhub has said the investigation is ongoing and that authorities have been alerted.

Cybersecurity experts emphasize that third-party analytics tools can create vulnerabilities when data is transmitted and stored outside a site’s own infrastructure. Privacy advocates have long warned that analytics services that collect detailed user interaction data can magnify exposure risk if those tools are compromised. In this case, Pornhub contends the breach did not involve its core systems, but the information exposed could still be highly sensitive given the nature of the site and the potential correlation of search history with individual users.

Pornhub has advised users to monitor their accounts for unusual activity and to be cautious of unsolicited messages. The company also noted that passwords and payment information were not affected, but it urged users to stay alert for phishing schemes that may attempt to exploit the breach. The incident underscores ongoing questions about how much data is stored by third-party analytics providers and how such data is safeguarded when it travels outside a platform’s direct control.

In the broader context of technology and AI, the episode highlights the challenges of data governance in analytics ecosystems that rely on external services. As platforms increasingly deploy analytics and AI-driven insights to optimize content and user experience, the security of data shared with analytics partners remains a critical and evolving area of risk management for online services, including those handling highly sensitive content. The Pornhub case adds to a growing catalog of breaches where metadata about user interactions, rather than direct credentials, becomes the focal point of a data security incident.