“Pornhub, OpenAI Among Victims” Third-Party–Linked Data Leaks Fuel APT Concerns

Real name
Aoife Brennan
Bio
Aoife Brennan is a contributing writer for The Economy, with a focus on education, youth, and societal change. Based in Limerick, she holds a degree in political communication from Queen’s University Belfast. Aoife’s work draws connections between cultural narratives and public discourse in Europe and Asia.

Pornhub Suffers Massive User Data Breach After Third-Party Vendor Hack
OpenAI Also Exposed in Same Vendor-Linked Security Incident, Hitting API Platforms
Weak “Supply Chain Security” Seen as Potential Launchpad for APT Attacks

A massive data breach has occurred at adult website Pornhub, exposing personal information and detailed viewing histories of paying subscribers. Hackers did not attack Pornhub directly, but instead infiltrated the systems of a third-party traffic analytics provider that Pornhub had previously used, and siphoned off the data from there. As data breaches originating from partner companies of influential firms continue to accumulate, markets are increasingly warning that weak supply chain security could become a trigger for advanced persistent threat (APT) attacks.

Data of 200 Million Pornhub Paying Subscribers Leaked

On December 16 (local time), media reports including the Daily Mail said Pornhub notified more than 200 million paying subscribers of a security incident. The breach began when the systems of Mixpanel, a third-party analytics provider Pornhub had used for user analysis, were hacked. Attackers accessed data stored on the platform and stole detailed activity records of Pornhub’s paying users, including email addresses, location information, video titles watched, search keywords, and access times. The hackers reportedly claimed the stolen data totals about 94GB and includes more than 200 million individual records, and demanded money—such as Bitcoin—in exchange for deleting it.

In an official statement, Pornhub said it “recently became aware that an unauthorized party accessed analytics data stored with our third-party data analytics service provider, Mixpanel,” adding that “a limited set of analytics events for some users could be extracted through the unauthorized access.” Pornhub stressed that the incident was not a direct compromise of its internal systems. It said sensitive core account information—such as passwords or login credentials, payment details, or ID documents—was not exposed, and that it secured the relevant accounts and blocked the unauthorized access. The company also said it has not worked with Mixpanel since 2023, suggesting the leaked records are likely historical data from before 2023.

The attacker has been linked to the well-known hacking group ShinyHunters, which has a history of extorting global companies by threatening to leak stolen data. Pornhub said it has launched an internal investigation and notified authorities. In its statement, the company urged users to remain vigilant, monitor their accounts for suspicious emails or unusual activity, and watch out for phishing attempts while the investigation is ongoing.

OpenAI Data Also Leaked via a Partner Company

Pornhub was not the only company caught up in the Mixpanel-linked security incident. On November 27, OpenAI said in an official blog post that “a security incident occurred at Mixpanel, an external partner we used for web analytics for our API platform,” adding that it had “identified indications that some API user account information may have been exposed.” Mixpanel reportedly confirmed a breach of its systems on November 9, and after an investigation, shared with OpenAI on November 25 a dataset detailing the scope of the incident.

According to Mixpanel, the breach stemmed from smishing, a form of phishing delivered through text messages. The attacker allegedly tricked one internal account holder into revealing login credentials, then used that account to gain broader access and extract datasets. The information exposed reportedly included data related to users of OpenAI’s API platform (platform.openai.com), such as names, email addresses, approximate location data (country, city, etc.), browser and operating system details, referring websites, and organization- and user-related IDs tied to the account. APIs are interfaces that allow external developers to use a company’s software or services.

OpenAI said the leak did not include sensitive data such as ChatGPT chat logs, API request contents, passwords, API keys, payment information, or identification documents. As part of its security response, it also immediately halted all Mixpanel integrations across its services. OpenAI added that it would hold external vendors to the highest security standards, permanently discontinue Mixpanel in the wake of the incident, and re-examine its security framework.

Warning Lights Flash Over the “Aftershock”

Volvo’s North America unit has faced a similar incident. In September, it reported to the Massachusetts Attorney General that a ransomware attack on Miljödata, a Swedish company that provides HR management software, led to the exposure of Volvo employees’ personal data, including names and Social Security numbers (SSNs). According to notices sent to affected individuals, the intrusion occurred on August 20 and was detected by Miljödata on August 23. Volvo believes the employee data was exfiltrated on September 2, and said it was informed by Miljödata only after that point. The same attack also affected 25 companies—including Scandinavian airline SAS and metals producer Boliden—as well as more than 100 Swedish local government agencies.

As cases surge in which hackers use partner companies that share data with major firms as a gateway, the market is increasingly concerned that information leaked through this route could later be used as “raw material” for targeted APT attacks. Critics warn that attackers may leverage stolen metadata to craft spear-phishing emails or messages tailored to specific individuals or organizations, or attempt to use the exposed information as a stepping stone to reach more sensitive data.

Hackers behind APT campaigns typically infiltrate a target’s network covertly, remain dormant, and then achieve their objectives by exfiltrating confidential information. These attacks are not one-off events: they unfold over long periods, and attackers employ a range of malware and intrusion paths. Recent APT cases have involved tools such as reverse shells, backdoors, VNC (Virtual Network Computing) malware, and RDP (Remote Desktop Protocol) for remote screen control. When targeting individual users, attackers often attach malware to emails, or compromise servers such as IIS web servers or Microsoft Exchange email servers to deploy malicious code. If spear-phishing and hacking are refined using generative AI technologies, the risk posed by APT attacks is expected to intensify further.
