Data Aggregator Sells 340 Million OnlyFans User Records Compiled from Prior Leaks
What Happened — A threat actor advertised a database claiming to contain 340 million records tied to OnlyFans users. The dataset was not obtained by breaching OnlyFans; instead it was assembled by correlating historic breach dumps and publicly‑available profile information.
Why It Matters for TPRM —
- Even without a direct compromise, third‑party data can be reconstructed and sold, exposing personal and payment details of a platform’s users.
- The presence of payment‑card fragments (last four digits) raises PCI‑related liability concerns for any downstream services that process or store such data.
- Vendors that host or integrate with user‑generated content platforms must assess the risk of indirect data exposure through third‑party leak aggregation.
Who Is Affected — Adult‑content platforms, subscription‑based content services, payment processors, and any downstream partners that rely on OnlyFans‑derived data.
Recommended Actions —
- Verify that your organization does not ingest or store any of the disclosed fields (email, phone, payment‑card fragments) from unverified sources.
- Review contracts with content‑hosting vendors for clauses covering indirect data leakage and third‑party breach notification.
- Conduct a data‑minimization audit to ensure only necessary personal data is retained, and enforce strong encryption for any payment‑related fields.
Technical Notes — The collection appears to be a flat text file containing usernames, email addresses, phone numbers, join dates, follower counts, likes, content metrics, linked social profiles, and a “card” field with the last four digits of a payment card. Sample records show placeholders and publicly‑visible information, indicating a stitched‑together dataset rather than a clean export from the platform’s internal database. Source: Security Affairs