Analytics provider: We didn't expose smut site data to crims

An employee of the adult site could be responsible.

Analytics vendor Mixpanel says it is not the source of data stolen from Pornhub and says the info was last accessed by an employee of the adult site.

"Mixpanel is aware of reports that Pornhub has been extorted with data that was allegedly stolen from us," a Mixpanel spokesperson told The Register. "We can find no indication that this data was stolen from Mixpanel during our November 2025 security incident or otherwise."

Mixpanel's statement follows an earlier alert from Pornhub blaming the analytics provider for the security incident.

"The data was last accessed by a legitimate employee account at Pornhub's parent company in 2023," the Mixpanel spokesperson continued. "If this data is in the hands of an unauthorized party, we do not believe that is the result of a security incident at Mixpanel."

An Aylo spokesperson declined to answer The Register's questions about the breach. "We stand by our statement," the spokesperson said, adding that it the company will share updates as additional information becomes available.

Last month, Mixpanel disclosed a "smishing campaign" that it detected on November 8 and that affected some OpenAI customers.

Smishing, which combines phishing and SMS messages, is a social engineering scam frequently used by ShinyHunters and its larger cybercrime collective Scattered Lapsus$ Hunters to acquire employee credentials, bypass multi-factor authentication, and gain initial access to corporate systems.

Data extortion crew ShinyHunters, when contacted by The Register, claimed responsibility for the stolen Pornhub analytics data and said it includes users' search and video-watching histories. ShinyHunters would not, however, say how or when they obtained the data.

In a December 12 notice to users, Pornhub said the breach involved "select Premium users'" data and pinned the blame on Mixpanel:

The incident occurred within our analytics vendor Mixpanel's environment and involved a limited set of analytics events for some users. This was not a breach of Pornhub Premium's systems. No passwords, credentials, payment details or government IDs were compromised or exposed. Like Google, ChatGPT and others who were compromised as a part of the same attack, Mixpanel informed us of this breach.

A Google spokesperson told us "there’s no indication of impact to Google." In a Tuesday update, however, the adult content site removed its earlier mentions of Google and ChatGPT:

We recently learned that an unauthorized party gained unauthorized access to analytics data stored with Mixpanel, a third-party data analytics service provider. The unauthorized party was able to use this unauthorized access to extract a limited set of analytics events for some users. This was not a breach of Pornhub Premium's systems. No passwords, credentials, payment details or government IDs were compromised or exposed and we have since secured the affected account and stopped the unauthorized access.

The last line about "securing the affected account and stopping the unauthorized access" seems to line up with Mixpanel's allegation about the stolen data being last accessed by a Pornhub parent company employee – and then either obtained by ShinyHunters via phishing or from a disgruntled employee, along the lines of what happened with CrowdStrike last month.

In November, CrowdStrike confirmed that it had fired a "suspicious insider" who shared screenshots of internal systems with Scattered Lapsus$ Hunters.

A source with knowledge of the Pornhub incident told The Register that "the structure of the exfiltrated data is consistent with a regular data export." ®