OnlyFans: 340M User Records Allegedly for Sale on Leak Forum

Threat actors on a popular data leak forum are claiming to sell a database containing approximately 340 million OnlyFans user records, allegedly scraped from internal company databases. If verified, the dump would expose the identities of creators and subscribers on a platform where anonymity is a core user expectation. As of publication, OnlyFans has not confirmed the breach, and Cybernews researchers were only able to review a 10-record sample provided by the seller.

What Happened

A listing surfaced on a well-known underground forum advertising "exclusive access" to what the seller describes as an internal OnlyFans database dump. The post claims roughly 350 million records covering both fan and creator accounts, with detailed personally identifiable information and engagement metrics. The seller frames the dataset as a fresh internal exfiltration, though analysts note the data may instead be a compilation drawn from prior OnlyFans-adjacent leaks, public scraping, and credentials harvested from unrelated breaches. Cybernews has contacted OnlyFans for comment and the platform had not responded at press time.

What Was Taken

According to the threat actor's listing, the dataset includes:

• Usernames and user IDs
• Email addresses
• Account join dates
• Follower, like, picture, video, and stream counts
• Payment card data
• Linked external social profiles

The 10-record sample reviewed by Cybernews contained user IDs, usernames, email addresses, and registration data. Fields for phone numbers, account flags, and linked accounts were empty in the sample, and the records appear to date from around August 2024, suggesting the dataset may not reflect the platform's current state.

Why It Matters

OnlyFans hosts more than 4.5 million creators and nearly 380 million registered users, many of whom rely on the platform's pseudonymity to separate adult content work from their offline identities. Even partial exposure of email-to-username mappings can be catastrophic for affected users: doxxing, sextortion, targeted harassment, employer retaliation, and family fallout are all realistic downstream outcomes. Email addresses also serve as pivot points for cross-referencing other breached datasets, enabling threat actors to build rich profiles of high-value targets for spear phishing, account takeover, and blackmail campaigns. For OnlyFans itself, the reputational damage of an unconfirmed-but-plausible mega leak can erode creator trust regardless of whether the data was sourced internally.

The Attack Technique

The intrusion vector, if any, remains unconfirmed. The seller's claim of an "internal database dump" is unverified, and the structure of the sample, paired with the dated 2024 records, is consistent with a compiled or scraped dataset rather than a live exfiltration. OnlyFans data has appeared in underground markets before, often sourced from creator account takeovers, scraping of public profile metadata, infostealer logs harvesting browser-stored sessions, and credential stuffing against reused passwords. Compilation listings of this scale are a common monetization tactic where attackers aggregate older leaks and rebrand them as fresh internal breaches to attract buyers.

What Organizations Should Do

1. Treat the listing as plausible until disproven. Platforms with adjacent user bases or shared identity surfaces should monitor for credential stuffing attempts using emails that may appear in the dump.
2. Force password resets and enable MFA for at-risk accounts. Any service where users may have reused an OnlyFans password should consider proactive resets and step-up authentication.
3. Deploy infostealer log monitoring. Subscribe to services that track stealer-log marketplaces and alert on corporate or high-value personal email addresses appearing in fresh logs.
4. Brief executives and high-risk staff on sextortion risk. Email-and-username exposure tied to adult platforms is a known precursor to extortion campaigns; security awareness teams should pre-empt this with clear reporting channels.
5. Validate the sample before reacting publicly. Threat intel teams should obtain and verify the sample data against known breach corpora to determine whether this is a true internal compromise or a compilation.
6. Prepare doxxing response playbooks. Organizations whose employees may be exposed should ensure HR, legal, and security have a coordinated process for handling personal disclosure incidents.

Sources: OnlyFans mega leak reveals 340M user records, hackers claim | Cybernews