OnlyFans Denies 340‑Million‑User Data Leak as Seller Claims Data Compiled From Old Breaches
OnlyFans refutes claims of a 340‑million‑user data leak after a threat actor offered the dataset for $76,000, saying the information was compiled from earlier breaches and public sources.

TL;DR: A cybercrime forum listed a 340‑million‑record OnlyFans database for 0.313 BTC (~$76,000). OnlyFans denied the leak, and the seller said the data was assembled from older breaches and public sources.
Context
The listing appeared on a known cybercrime forum under the alias “Euphoric_Reply_5727”. The actor advertised usernames, emails, phone numbers, follower counts, likes, content stats, linked social profiles, and the last four digits of payment cards. The price was set at 0.313 BTC, about $76,000 at the time.
Key Facts
- The seller told Hackread.com via Telegram that they did not hack OnlyFans and built the database by matching older breach data from platforms such as Twitter, Instagram, and Spotify with OnlyFans usernames.
- OnlyFans responded to Hackread.com, stating the reports of a 340‑million‑user leak are false.
- Sample data reviewed by Hackread.com contained incomplete records, placeholder values, and publicly visible metrics; some usernames matched real OnlyFans accounts, but associated email addresses did not trigger registration warnings on the platform.
- The “card” field claiming to hold the last four digits of payment cards remains unverified.
What It Means
Even if the data did not come from a direct OnlyFans breach, aggregating personal details from multiple sources enables credential stuffing, phishing, blackmail, and stalking. The incident highlights a growing underground practice of stitching together old leaks and public info to create searchable identity databases, increasing the risk of account takeover and reputational harm for creators and subscribers.
Mitigations
- Enable multi‑factor authentication on all accounts that support it, especially for creators and high‑value subscribers.
- Monitor credential reuse using breach‑notification services and force password resets when matches are found.
- Implement rate limiting and CAPTCHA on login endpoints to thwart automated credential‑stuffing attempts (MITRE ATT&CK T1078 – Valid Accounts).
- Deploy dark‑web monitoring alerts for mentions of your brand or user identifiers to detect early leaks.
- Educate users about recognizing phishing attempts that may use leaked personal details to appear legitimate.
- Review and update password policies to require unique, complex passwords and discourage reuse across services.
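An added example (not from the original article or from OnlyFans): a small detector for the credential‑stuffing pattern the login‑endpoint and password‑reset mitigations above target, run over constructed login events. The function name, thresholds, and sample data are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def detect_stuffing(events, window=timedelta(minutes=5),
                    min_users=5, min_fail_ratio=0.8):
    """Map each suspicious source IP to the accounts it logged in to.

    events: iterable of (timestamp, source_ip, username, success).
    """
    recent = defaultdict(deque)  # ip -> attempts inside the sliding window
    flagged = {}
    for ts, ip, user, ok in sorted(events):
        q = recent[ip]
        q.append((ts, user, ok))
        while ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u, _ in q}
        fails = sum(1 for _, _, o in q if not o)
        # Stuffing: many different accounts, mostly failing. Brute force
        # (many passwords, one account) keeps len(users) at 1.
        if len(users) >= min_users and fails / len(q) >= min_fail_ratio:
            # Successes already in the window are likely reused passwords.
            flagged.setdefault(ip, set()).update(u for _, u, o in q if o)
        elif ip in flagged and ok:
            flagged[ip].add(user)  # later success from a flagged source
    return flagged

# Constructed sample events; IPs are from documentation ranges.
T0 = datetime(2024, 1, 1, 12, 0, 0)
def _ev(sec, ip, user, ok):
    return (T0 + timedelta(seconds=sec), ip, user, ok)

SAMPLE = [
    # One source, six accounts, one hit: credential stuffing.
    _ev(0, "203.0.113.7", "alice", False), _ev(5, "203.0.113.7", "bob", False),
    _ev(9, "203.0.113.7", "carol", True), _ev(14, "203.0.113.7", "erin", False),
    _ev(20, "203.0.113.7", "frank", False), _ev(26, "203.0.113.7", "grace", False),
    # One user mistyping a password, then succeeding.
    _ev(3, "198.51.100.20", "dave", False), _ev(12, "198.51.100.20", "dave", False),
    _ev(30, "198.51.100.20", "dave", True),
    # Many failures against a single account: not stuffing.
    *[_ev(s, "192.0.2.5", "henry", False) for s in range(0, 60, 10)],
]

if __name__ == "__main__":
    for ip, users in detect_stuffing(SAMPLE).items():
        print(ip, "reset candidates:", sorted(users))
```

Accounts returned for a flagged source are the ones to prioritise for a forced password reset and an MFA prompt, since a success amid many failures suggests a reused password.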
What to watch next: whether the dataset reappears in other marketplaces, any observed phishing or credential‑stuffing campaigns targeting OnlyFans users, and any further statements from OnlyFans or law‑enforcement regarding the alleged compilation.