Privacy Please
Welcome to "Privacy Please," a podcast for anyone who wants to know more about data privacy and security. Join your hosts Cam and Gabe as they talk to experts, academics, authors, and activists to break down complex privacy topics in a way that's easy to understand.
In today's connected world, our personal information is constantly being collected, analyzed, and sometimes exploited. We believe everyone has a right to understand how their data is being used and what they can do to protect their privacy.
Please subscribe and help us reach more people!
This podcast is part of The Problem Lounge network — conversations about the problems shaping our world, from digital privacy to everyday life.
S7, E272 - They Know What You Watched
SHOW NOTES
The Pornhub breach is being reported as a data story. It's actually a story about shame as a weapon.
In December 2025, a hacker group called ShinyHunters claimed to have stolen 200 million records from Pornhub Premium users — including email addresses, locations, and intimate watch and search history. They sent extortion demands. The data was verified as real.
In this episode of Privacy Please, Cameron Ivey breaks down:
✅ What was actually stolen — and why it's worse than most breaches
✅ The three-way blame game between Pornhub, Mixpanel, and a mysterious 2023 employee access
✅ Why ShinyHunters is one of the most dangerous and active hacker groups operating right now
✅ The bigger question nobody's asking: why does this data still exist?
✅ Five things you can do right now to protect yourself
🔗 RESOURCES MENTIONED:
- Check your email in breaches: haveibeenpwned.com
- Freeze your credit: annualcreditreport.com (links to all three bureaus)
- Data removal: DeleteMe — joindeleteme.com
- Follow the reporting: bleepingcomputer.com | malwarebytes.com/blog
📰 SOURCE REPORTING:
- BleepingComputer — ShinyHunters extortion demand (December 2025)
- Malwarebytes — Pornhub/Mixpanel/SoundCloud breach roundup
- Euronews — Pornhub investigation coverage
- Reuters — user data verification
- Panda Security — breach overview
🎙️ Privacy Please is part of the Problem Lounge Network
🌐 theproblemlounge.com
📺 YouTube: The Problem Lounge Network
If this one hit different — share it.
The Extortion Email Scenario
SPEAKER_00: Imagine waking up one morning and getting an email. Not from your bank, not from your job, not from anyone you know, but from a hacker. And the email says, We have your search history, we have your watch history, we know your email address, your location, and exactly what you were doing. And when. So you better pay up. Or we publish everything. Now imagine that email going out to 200 million people. That's not a hypothetical, that's actually what happened. In December of 2025, and most people don't know about it. Here's the part that makes this story different from every other data breach that you've heard about. It wasn't credit card numbers, it wasn't social security numbers, it wasn't your home address. It was your behavior. Your private behavior. The kind most people would never tell another living soul. And somewhere right now, there are people sitting on that data. Deciding what to do with it. This is Privacy Please. Let's get into it. Not because it's too sensitive, but because I wanted to make sure we could do it right. Because this isn't just a data breach. This is a story about shame as a weapon, about the data that companies collect on all of us that you probably didn't even think about. And this is about a hacker group that has been quietly terrorizing some of the biggest companies in the world. And they're getting a lot better at it, too. You're gonna probably recognize this name if you've been listening to the show the last couple of weeks, but I'll get into that later. This is one of those episodes where I need you to stay with me through the whole thing because the layer that most people missed on this story, that's where the real conversation is. Right? So, anyways, quick note before we jump in: Privacy Please is a part of the Problem Lounge Network. If you've not been there before, head over to theproblemlounge.com, check out our website, everything is there that you need.
Subscribe, we really need your help getting all of these out as we put a lot of work into this and really appreciate it. The more people it gets to, the more you share, the more you subscribe, the more that helps the channel. So really appreciate it. Let's go ahead and dig right in. Shall we? Seriously, sit back. Let's get into
Shiny Hunters Targets Pornhub
SPEAKER_00: it. So let me set the scene for you. December 2025, a hacker group called ShinyHunters contacts a company and they say, We have your data. Pay us in Bitcoin, or we release all of it. The company they contacted was Pornhub. I'm sure everybody's pretty familiar with that. Now, I know that name makes some people tune out immediately. Stay with me, please. Because the company matters less than what the data is. And what the data is, is the entire point of this episode. It's always about the data. So ShinyHunters claimed they had 94 gigs of data, 200 million records, and they shared a sample with journalists at BleepingComputer, a legitimate cybersecurity news outlet, to prove it was real. What was in that sample is the question. Well, email addresses, locations, the specific videos people watched, the names of those videos, the keywords people searched for, the exact timestamp of when it happened. Reuters reached out to actual users whose data appeared in the sample. Those users confirmed it. The data was accurate, it was real, it was theirs. So right away we have a problem. A very specific, very intimate kind of problem. Now here's where the story gets pretty interesting.
What The Leaked Data Reveals
SPEAKER_00: Because Pornhub didn't just say, we got hacked. They said something much more specific and much more telling. They said this wasn't a breach of our systems. They pointed the finger at a third-party analytics group called Mixpanel. Mixpanel had been hit in November of 2025. A smishing attack, which is SMS phishing, meaning someone got a text message that looked legitimate, clicked on something they shouldn't have, and gave hackers access to Mixpanel systems. So Pornhub's explanation was Mixpanel got hit, our old data was sitting there, and that's where it came from, not from us. So Mixpanel fired back almost immediately. They said, We looked at our breach. We don't believe this data came from our November incident. We found no evidence of it. And then they said something that stopped me cold when I read it. They said the data was last accessed by a legitimate employee account in 2023 at Pornhub's parent company. So now we have a third possibility. This data didn't come from Mixpanel's breach. It might have come from somewhere inside or, you know, adjacent
Mixpanel Blame And The Unanswered Gap
SPEAKER_00: to Pornhub's own organization. And Pornhub's response to all of this, we stopped working with Mixpanel in 2021. So the data's old, outdated, probably from several years ago, which, okay, sure, but that's a huge red flag. 2021? Why do you still have that data out there? If you stopped working with this company in 2021, why did your parent company's employee account access that data in 2023? Nobody's answered that question, and most of the coverage just moved on from it. Everyone is focused on where the data came from. Pornhub says Mixpanel, Mixpanel says not us. The investigation is ongoing. Fine. But here's the question that actually matters. Why does the data exist at all still? Think about what was in that breach. Video URLs, search keywords, timestamps, location data. This isn't account data. This isn't billing data. This is behavioral analytics. The kind of granular tracking that a company uses to understand exactly how you're using their platform so they can serve you better content, run better ads, make better product decisions. This is what Mixpanel does. It's an analytics company. And Pornhub was feeding them that level of behavioral data on hundreds of millions of users and apparently storing it indefinitely because there's no laws to it. Here's what I'm getting at. Pornhub says they stopped working with Mixpanel in 2021, but the data from that relationship, years' worth of intimate behavioral data, was still sitting somewhere, still accessible, still real, still tied to the real email addresses and real people. There is no law in the United States that required Pornhub or Mixpanel to delete it. There is no federal data minimization standard that says when the relationship ends, the data ends with it. Europe has GDPR, California has CCPA, but the average
Why Behavioral Data Still Exists
SPEAKER_00: American using a website, you are largely on your own. And that is the story. Not just that this breach happened, but that the conditions which made it possible. Companies holding intimate behavioral data on hundreds of millions of people for years after they need it. Those conditions are completely normal. This happens everywhere, all the time. Pornhub is just an example nobody wants to talk about out loud. Let's talk about who did this.
The Supply Chain Attack Playbook
SPEAKER_00: If you haven't been listening, ShinyHunters has come up a couple times in some of my past episodes. But this isn't just a random kid in a basement, okay? When we first built this episode, they were already dangerous, but since December, they have been on an absolute tear. By March of 2026, they had claimed data from somewhere between 300 and 400 organizations. Let that number sit for a second. Three to four hundred companies in a matter of months. I think the last one they hit that I touched on was in education. And here's what's wild about the Mixpanel breach specifically. Pornhub wasn't the only casualty. OpenAI confirmed that API addresses had data exposed in the same breach. SoundCloud disclosed that roughly 28 million records were affected in the same breach, same supply truck, different passengers. They've also hit ADT, the home security company, claiming over 10 million records in April of 2026. Amtrak, Medtronic, which is a medical device manufacturer. And just this month, Canvas, the one that I was talking about, the learning platform used by schools and universities across the country, they threatened to leak student data unless institutions paid up. Think about that progression for a second. Adult platform, tech companies, home security, trains, medical devices, schools. They're not slowing down. They are escalating. And they are deliberately targeting the vendors and platforms that hold data on the most people because that's where the leverage is. In 2025 alone, they were behind breaches at companies using Salesforce, Oracle, Gainsight, Mixpanel. They're linked to an Oracle zero-day exploit, meaning a vulnerability that was unknown and unpatched. They're reportedly building their own ransomware-as-a-service platform called Shiny Spider, and they're connected to the same network of actors behind the Scattered Spider attacks. These are sophisticated, organized, financially motivated criminals.
And they specifically go after the supply chain, the analytics vendor, the CRM platforms, the middleware that big companies plug into and then forget about. That is the playbook. Don't hit the fortress, hit the supply truck, hit the middleman. And it works over and over and over and over again. Keeps working. Because companies integrate these third-party tools, share their most sensitive data, and then have almost no visibility into what those vendors do with it. The question is no longer if a vendor you trusted gets hit. It's which one and when.
Blackmail Risk And Human Harm
SPEAKER_00: Your credit card gets stolen, you cancel the card. Your email is in a breach, you change your password. Annoying, stressful, but manageable. This one's a little different. Because the data that was stolen here isn't something you can change. You cannot unwatch something, you cannot unsearch something, you cannot retroactively make private things that you thought were private in the moment you did them. And the specific risk with this breach isn't identity theft. It's blackmail. ShinyHunters didn't just threaten to sell the data to other hackers, they sent extortion demands directly to Pornhub. And the nature of this data, intimate, embarrassing, the kind of thing that could end marriages, cost people jobs, out people in communities where their safety depends on staying closeted, is perfectly engineered for blackmail. It is. That is not a hypothetical, that is the stated intent. If you were someone whose data was in this breach, and remember, Reuters verified with real users that the data is accurate. You may never get an email, you may never know, or you might. And that uncertainty is its own kind of harm.
Steps To Protect Yourself Now
SPEAKER_00: Alright, I'm not going to leave you in the dark if you're wondering. Um, and if you're curious, here's what you can actually do right now, today. Because I know some of you listening were probably affected by this and didn't even know about it. The first thing, find out if your email address was exposed. Go to haveibeenpwned.com. It's free. Type in your email address, it will tell you every known breach your email has appeared in. If you show up in anything Pornhub/Mixpanel-related, take the next steps really seriously. Second thing, if you had a Pornhub account, change the email associated with it, not just the password. Because the email address is what ties everything else together and makes you findable. The third thing, freeze your credit. I've said this in the last couple ones, just do it. I know this isn't a financial breach, but when breach data gets sold or cross-referenced with other leaks, financial fraud often follows. So go to Experian, TransUnion, Equifax. I'm not a sponsor, they're not a sponsor of the show. If you guys want to be and you're listening, I'd love to be a sponsor of the show. Freeze it, it's free, it takes a couple minutes, get it done. Four, be extremely suspicious of any emails that get references to Pornhub, Mixpanel, or your account. Phishing attacks always spike after major breaches. So if you get something that looks like an official notice or, you know, just don't click anything. Go directly to the source. Five, this one's big. Start paying attention to what data you're handing to platforms. Every account you create, every app you install, every "accept all cookies" that you click, that data doesn't disappear when you close that tab. It sits somewhere. And sometimes it sits for years after you've moved on. You don't have to be perfect, like none of us are, right? But you can start being intentional. Start being intentional. The people most at risk from this breach are the people least likely to come forward.
Let's be honest. Because coming forward means admitting that you were on the platform. And for a lot of people, depending on where they live, what their family looks like, and what their community looks like, that admission carries its own major consequences. So the harm here is almost invisible. It happens in private, in quiet conversations, in decisions people make about their safety. That's what makes this kind of breach different. And that's what makes the question of data retention, why companies hold this stuff for years, who owns it, who's responsible for it when it leaks, that's what makes it genuinely urgent. Not just a privacy issue. It's a human one. We'll
Final Thoughts And Where To Follow
SPEAKER_00: keep watching this one. And if you're someone this episode hit close to home, you're not alone. And you're not stupid for knowing this was possible. None of us signed up for this. It's just the way it is. But I really appreciate you guys tuning in to Privacy Please. Thank you so much for listening. I hope this was insightful. If you enjoyed these episodes, let me know. Hit the like, share it, subscribe, whatever. We really appreciate the support. And again, go to theproblemlounge.com, and we'll see you guys on the next one. Cameron Ivey over and out.