Pornhub Extorted After Hackers Steal Premium Member Activity Data
Key topics
A recent data breach exposed sensitive information about Pornhub Premium members, sparking a lively debate about the security missteps that led to the leak. Commenters pointed out that a third-party supplier was compromised, and that Pornhub's decision to share sensitive user data with this supplier without proper anonymization was a major contributor to the breach's severity. Some users shared their own experiences with extortion attempts, claiming that hackers had accessed their viewing history, while others highlighted the dangers of sharing identifiable information with third-party tracking software. The consensus was that the breach was a predictable outcome of sloppy data handling practices.
Snapshot generated from the HN discussion
Discussion activity (based on 100 loaded comments)
- Story posted: Dec 17, 2025 at 3:18 PM EST
- First comment: Dec 17, 2025 at 4:04 PM EST (47m after posting)
- Peak activity: 36 comments in the 3-6h window after posting
- Latest activity: Dec 19, 2025 at 10:03 AM EST
Just by replacing the email with a random anonymizedAccountId the impact would have been reduced from disaster to who cares. This was bad design from the start.
We may see some interesting news in a few days.
Similar to Ashley Madison data breach, vulnerable to extortion and various shenanigans.
Enjoy the free show buddy
Of course, in a sensitive situation such as that, even IP address can also be problematic, and your 3rd-party tracking software vendor gets that automatically.
If these clowns had hired someone smart instead of just copy-pasting some tracking code and throwing their whole user object at it or whatever, they would have given this some thought.
I'd have used the ability to proxy the MP tracking calls to my own server which most of these services offer but few use. That server would not keep any logs and would perform coarse GEOIP, remove the IP itself or zero the last 2 octets, and relay that information into MixPanel using custom attributes.
Just a quick back-of-napkin sketch, but even that was more thought than they put into it.
I had an inkling! They've been on a roll this past year or so.
>This data includes a PornHub Premium member's email address, activity type, location, video URL, video name, keywords associated with the video, and the time the event occurred.
Well, that's pretty fucking wild! Email address & time and location sent to a 3rd party, nice! Absolutely no reason for that, of course.
Somewhat notably, I guess, MixPanel is denying that it's coming from their November breach. They have less incentive to lie in this case, given that they've already admitted to being breached.
I had always known, albeit intuitively, that registering to porn websites was a dumb idea.
Time has proved me right.
Getting compromised is more of a matter of time than ability. Someone's going to fuck up at some point.
There is no reason to think that more reputable activist providers like Mullvad or AirVPN would if a party like PIA already doesn't.
I'd steer clear of NordVPN though. They have lots of controversy in their history and they are very financially motivated, considering the deluge of YouTube sponsorship and ads they pay for each year. Still don't think they would lie about no logs but why risk it.
Did they also testify under oath there is no lawful intercept API or anything similar? That does not require logs. In fact when I or the feds would set up phone call intercepts on telco switches we would intentionally disable logs and put the mainframes into "test mode". And that is even before people start playing word games like calling lawful intercept "debugging" or something else.
However, I also think threat model comes into play here. If you don't want advertisers to track you or to download some torrents, a VPN provider works great. If you want to hack into NORAD, probably do that from a secondhand laptop on Tor over a public wifi.
I say you've properly got your eyes open. Anyone who thinks anything you do online is completely private is naive. If any government wants to know what you've been up to online, nothing can stop them. Privacy is a thing of the past, we should vote only for politicians who say they want the government out of our backyards, banks and bedroom. Oops, too late!
They may need to retain certain information for laws, but they aren't obligated by law to also share that information with their analytics partners.
So any call that looks like "https://example.invalid/api?confirmemail=user@example.invali..." would cause a leak of the email. I have seen multiple companies and websites do this (either with email or username) when signing up or after first login, and I would strongly guess that most if not all of them use some kind of analytics for that request that leaked data.
Web developers are supposed to scrub their sites so that doesn't happen, but then the main argument in favor of using third-party analytics is the convenience of enabling it globally with minimum effort and then getting pretty graphs for free. There are occasionally HN posts about self-hosting analytics and the common response is that it's too hard and too much work.
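The scrubbing the comment above says developers are supposed to do, as an added example rather than code from the thread or from any analytics vendor: redact identifying query parameters and e-mail-shaped values from a URL before it is handed to a tracker, so a confirmation link like the one quoted does not carry the address into the analytics pipeline. The parameter names in `SENSITIVE_PARAMS`, the `scrub_url`/`scrub_properties` function names and the sample URLs are assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlencode, urlsplit, urlunsplit

# Anything shaped like an e-mail address, wherever it appears in the URL.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Query parameter names that carry identity or secrets regardless of value
# (constructed list; extend with the names your own application uses).
SENSITIVE_PARAMS = {"email", "confirmemail", "username", "user", "token", "code"}

REDACTED = "REDACTED"


def scrub_url(url: str) -> str:
    """Return `url` with identifying material removed from path, query and fragment.
    The fragment is included because client-side trackers see it even though
    browsers never send it to the server."""
    parts = urlsplit(url)

    clean_query = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in SENSITIVE_PARAMS or EMAIL_RE.search(value):
            clean_query.append((key, REDACTED))
        else:
            clean_query.append((key, value))

    # Decode first so a percent-encoded "user%40example.invalid" is caught too;
    # the scrubbed path is returned decoded, which is fine for analytics.
    path = EMAIL_RE.sub(REDACTED, unquote(parts.path))
    fragment = EMAIL_RE.sub(REDACTED, unquote(parts.fragment))
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(clean_query), fragment))


def scrub_properties(props: dict) -> dict:
    """Apply the same treatment to the free-form properties attached to a
    tracking event: URLs are scrubbed, other strings lose e-mail addresses."""
    out = {}
    for key, value in props.items():
        if isinstance(value, str) and value.startswith(("http://", "https://")):
            out[key] = scrub_url(value)
        elif isinstance(value, str):
            out[key] = EMAIL_RE.sub(REDACTED, value)
        else:
            out[key] = value
    return out


if __name__ == "__main__":
    # Constructed sample URLs, including the confirmation-link pattern from the comment.
    for sample in (
        "https://example.invalid/api?confirmemail=user@example.invalid&page=2",
        "https://example.invalid/verify/user%40example.invalid",
        "https://example.invalid/search?q=someone@example.invalid#ref=me@example.invalid",
    ):
        print(sample, "->", scrub_url(sample))
```

Run this on the tracker side before any page URL, referrer or custom property leaves the browser or the relay; checking values as well as names is what catches the case where the address sits in a parameter nobody thought to list.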
3rd party user tracking can slurp up a lot of unexpected data, and no one ever wants to disclose problems when a vendor loses things like this. MixPanel has a long history of problems.
Brilliant talk.
In other words, this is data we as consumers want to be able to access, and therefore want kept.
Surely this is up to the client, or perhaps explicit bookmarking capabilities. Not implicit records of what you looked for in the past.
If companies actually think "users really, really want X" then they should have no fear making X opt-in.
But there are obviously MANY things we prefer to keep opt-in. What makes sense with those doesn't inherently make it any less painful to put other things off by default.
Sometimes also for engagement, like feed tuning, but usually that's also mostly about selling it.
Not often for user-wanted features, though they might be thrown in, since the data is already captured (to sell it).
When companies mainly want the surveillance data to sell it, now there's a monetary number on it. And a monetary number can also be put on lawsuits.
https://en.wikipedia.org/wiki/Bork_tapes
> The subsequent leakage and coverage of the tapes resulted in Congress passing the Video Privacy Protection Act (VPPA), which forbids the sharing of video tape rental information, amidst a bipartisan consensus on intellectual privacy. Proponents of the VPPA, including Senator Patrick Leahy, contended that the leakage of Bork's tapes was an outrage. The bill was passed in just over a year after the incident.
That said, if I were to imagine myself working at a place like that when they existed, I can't see myself turning over customer data like that willy-nilly to someone fishing for information. Like are you the police, what gives?
It sounds super personal, just like religion or blood type
In the case of personal emails, that same email can usually be used to look up the victim on social media (Facebook is an example) to reveal their identity, if, like most people, they used the same email on that social media site.
As most on HN will be aware, data breaches like this are extremely common. It's not a matter of if, it's a matter of when. NSFW sites in particular are more juicy targets and often have bad security.
Unless you actually work in the adult entertainment industry, that seems like a massively stupid move; one that would likely lead to termination.
Now, if I was a repressed person living in an area where that threatened my safety, I'd be terrified. It's a privilege that I don't have to worry about it, and that's the real problem when we get past the technical reasons why this shouldn't have happened.
That's a problem as well. Right now, you're 'safe'. But having that data available attached to you can also be dangerous to you in the future.
For example, the current wave of trans-hate can easily show you as a sympathizer. That can be criminalized quite easily, given 1/4 of the country hates trans people existing.
Being gay is right now not a crime in the USA, but it has been. And many regressive countries, predominantly Muslim, also have strong punishments for gay actions. Again, this material could easily be proof of a "deviant lifestyle" and legal punishments.
No, if I consume porn, I download from Piratebay, or hop on VPN and not login. And given I live in a state that Pornhub banned due to onerous age verification/identity tying, the what-if above could easily become true. I've read Project 2025 and saw those exact plans.
How exactly could trans sympathy be "criminalized"?
Fuck you.
https://en.wikipedia.org/wiki/Persecution_of_transgender_peo...
https://www.them.us/story/trump-admin-fbi-trans-nihilistic-v...
I mean, that makes as much sense as declaring an idea like antifascism a terrorist organization, which is clearly impossible.
After the fight, the brawl was blamed on the other participants, all of whom were wearing emo clothing. Black shirts, band logos, jeans.
The local police went as far as enacting a local anti gang ordinance, identified the emo wear as gang colours, and with 2 hours notice, advised that those colours were not allowed in the city for 48 hours. The security guard who helped break things up was chatting to me about it, laughing at it like it was a common consequence.
A local taxi company was cleaning up, as they accepted each emo kid, in groups of 1 - 4 and took them home to the suburbs. 20 taxis lined up, picking up kids.
Probably my first political WOW moment. I had never seen ~120 people pay for the consequences of the actions of a few.
True to their word, it was 48 hours or more until I spotted them in the city again.
Governments can make any law they wish, cops tend to enforce any law they wish. Courts and appeals take time. There is nothing preventing that same city from declaring pride flags or trans icons as gang symbols.
This wasn't even in the US.
Same shit could happen anywhere, Trump could declare them terrorists identified by their symbols and tattoos, he could enforce inspections of their social media at airport checkpoints. Considering what was legal and enforced in the US in its history there's really nothing off the table going forward for persecuting anyone.
https://en.wikipedia.org/wiki/Capital_punishment_for_homosex...
1: would be easy
2: would apply to sympathizers
3: would be possible
https://www.advocate.com/politics/pam-bondi-trans-equality-b...
I'll need to dig up a reference but I've seen multiple sources cite that that 1/4 watches a disproportionately high amount of trans porn. The top most commenter is spot on about how much harm our prudishness is doing to us all.
That doesn't mean they don't hate trans people. Most porn shows women yet it's a hotbed of misogyny.
For accuracy it's worth stating this is only a recent occurrence.
Right now:
Nations with anti-LGBT laws: 50% Muslim, 44% Christian (2024)
~ https://76crimes.com/2024/02/11/nations-with-anti-lgbt-laws-...
However this "predominantly Muslim" twist in the numbers is recent:
~ (quote from above source)
Uganda, with an 82% Christian population, is famously severe in its punishments for gay and queer sexual activity.
With the support and funding of US conservative Christians:
US religious right at center of anti-LGBTQ+ message pushed around the world
~ https://www.theguardian.com/world/2023/jul/09/us-religious-r...
This statistic makes the exact opposite of the point you're trying to make, though.
Going through this table[0], and provided I didn't make any dumb mistakes with my JS, there are 122 Christian majority countries, but only 54 countries are Muslim majority. So 33 out of 54 Muslim majority countries have anti-gay laws, compared to only 29 out of 122 Christian majority countries with such laws. (The more interesting comparison would perhaps be counting number of people rather than countries, though, and it still says nothing of the severity of said laws).
0. https://en.wikipedia.org/wiki/Religions_by_country#2020_Pew_...
I know it's some sort of "trustworthiness" but that is objectively complete bs.
https://www.theguardian.com/us-news/2023/nov/06/speaker-mike...
In other words, privacy rights isn't about hiding secrets but safeguarding your own personal identity. You are of course right that if we change our own perspective about our own personal identity and behaviour, we can certainly become more comfortable with ourselves. And that can foster political changes too.
Imagine you are turned on by eating shit or being peed on - would you still feel so comfortable sharing details about your sex life?
And of course, the wide spectrum in between.
You're also lucky to live somewhere where you wouldn't face job loss, familial estrangement or even anything up to capital punishment for it.
The amount and variety of free porn is already enormous.
I live in one of those states. Most porn sites just ignore the law completely and the rest you can use a VPN.
* I know who you did last summer
* I know who you did last, Summer
* no fault divorce laws near me
I always teach companies to treat user information as somewhat toxic (i.e. a liability). Search and view history... it doesn't get much more personal than this.