Pornhub, SoundCloud, OpenAI caught in major analytics hack

According to TechCrunch, the hacking coalition Scattered Lapsus$ Hunters, which includes members of the ShinyHunters gang, is attempting to extort Pornhub. The group claims to have stolen personal information on the site’s premium members, including their email addresses, locations, and detailed viewing histories—down to specific video names and timestamps. This data was exposed in a breach at the analytics provider Mixpanel, which the company discovered on November 8. The breach affects Mixpanel’s roughly 8,000 corporate customers, with OpenAI, CoinTracker, SwissBorg, and SoundCloud also confirming they were impacted. SoundCloud said about 20% of its users had data stolen, including email addresses. So far, the hackers say they’ve only sent an extortion email to Pornhub.

The real problem is Mixpanel

Here’s the thing: this isn’t just a Pornhub story. It’s a massive, cascading third-party failure. Mixpanel sits in the background of thousands of apps and websites, silently collecting a firehose of user behavior data. The scary part? The type of data stolen “likely depends on how each customer configured their Mixpanel account.” Basically, companies could have been logging almost anything—clicks, swipes, device info, network details. We’re talking about a single point of failure that just handed over a treasure trove of behavioral analytics on potentially millions of users across completely unrelated services. And the worst part? This breach happened in early November, and we’re still finding out who was hit. How many other companies are sweating right now, waiting to see if their data pops up for sale?

Why this extortion is different

Extortion after a data breach is common. But this case is uniquely sensitive. We’re not talking about credit card numbers or passwords here. For a site like Pornhub, the data stolen—specific video titles, channels, and search keywords—is profoundly personal and potentially deeply embarrassing. It’s the kind of information that could be used for targeted blackmail or public shaming. The hackers know this. They didn’t blast out extortion emails to every affected company; they went straight for the one with the most leverage. It’s a brutal, calculated move. Pornhub’s parent company, Aylo, has published a statement about the Mixpanel incident, but the lack of detailed answers to press questions speaks volumes about the delicate situation.

A wake-up call for data dependency

This should be a massive wake-up call for any business that relies on third-party analytics. Companies like OpenAI, SoundCloud, and Pornhub are outsourcing the collection of incredibly granular user data. When that vendor gets hacked, you lose control of your users’ trust instantly. SoundCloud’s update tries to downplay it, saying the data was “already visible on public profiles,” but that misses the point. The aggregation and association of that data is the risk. And OpenAI’s confirmation is quietly alarming—what user interaction data from ChatGPT or its APIs was flowing through Mixpanel? The entire tech stack is built on these data pipelines, and this incident proves they’re a glaring vulnerability. When will companies start asking if they really need to collect this much, or if handing it to a third party is worth the existential risk?
