340M OnlyFans User Records Leaked and Put Up for Sale
What Happened — A hacker advertised a database containing approximately 340 million records from the OnlyFans platform, claiming the data combines old leaks and publicly scraped information to map creators and subscribers to real‑world identities. The dataset is now listed for sale on underground forums.
Why It Matters for TPRM —
- Exposure of personal and financial details can lead to extortion, fraud, and reputational damage for both creators and subscribers.
- Third‑party risk managers must assess the security posture of subscription‑based SaaS vendors handling sensitive user data.
- Large‑scale data leaks increase the likelihood of downstream attacks against partner organizations that integrate with the platform.
Who Is Affected — Adult‑content creators, subscribers, and any downstream services (payment processors, marketing partners) that rely on OnlyFans data.
Recommended Actions —
- Review contractual security clauses with OnlyFans or any similar content‑hosting SaaS providers.
- Verify that the vendor employs strong credential hygiene, MFA, and continuous monitoring.
- Conduct a risk assessment for any internal processes that ingest or store OnlyFans user data.
Technical Notes — The leak appears to be a result of credential compromise combined with aggregation of previously public dumps. No specific CVE was cited. Exposed data includes usernames, email addresses, payment details, and real‑world identity mappings. Source: TechRepublic Security