OnlyFans Refutes Claims of 340 Million Record Sale
OnlyFans says a cyber‑crime forum listing of 340 million user records is false; the data was compiled from older leaks, not a direct breach.

TL;DR
– OnlyFans denies a cyber‑crime forum claim that a database of 340 million user records was sold, stating the report is false. The seller says the data was assembled from older breaches and public sources, not from a hack of OnlyFans.
Context
A user known as “Euphoric_Reply_5727” posted on a major underground market offering a file described as “340 Million User Records” tied to OnlyFans accounts. The listing priced the collection at 0.313 BTC, roughly $76 000. Initial impressions suggested a massive breach of OnlyFans’ internal systems.
Key Facts
- The seller told investigators on Telegram that no intrusion of OnlyFans occurred. Instead, the dataset was built by cross‑referencing information from previous leaks of platforms such as Twitter, Instagram and Spotify with publicly visible OnlyFans profiles.
- Sample excerpts show a flat‑text file containing usernames, email addresses, phone numbers, join dates, follower counts, likes, content statistics, linked social profiles and a field labeled “card” that purportedly holds the last four digits of a payment card.
- Review of the samples confirmed that several usernames matched active OnlyFans profiles, but email verification could not be completed without direct access to OnlyFans’ registration system.
- The “card” field could not be independently validated; it may be recycled from older leaks or fabricated to increase perceived value.
- OnlyFans issued a brief statement calling the reports “false” and provided no further details.
What It Means
The episode illustrates a growing underground practice: aggregating fragmented breach data to create large identity‑linkage databases. While the collection lacks passwords or confirmed payment details, it still enables phishing, impersonation, and targeted harassment by correlating usernames, emails, phone numbers and social media handles. Security teams should treat any publicly released linkage data as a credential‑reuse risk and monitor for suspicious outreach to affected individuals.
Mitigations
- Enforce multi‑factor authentication for all creator and subscriber accounts to reduce the impact of credential‑stuffing attacks.
- Deploy email‑domain monitoring to detect if known breached addresses appear in outbound phishing attempts.
- Encourage users to review and update recovery contact information regularly.
- Apply rate‑limiting and anomaly detection on login endpoints to flag credential‑reuse patterns.
- Share threat‑intel indicators, such as the seller’s alias and sample file hashes, with industry ISACs (Information Sharing and Analysis Centers) to improve collective detection.
What to Watch
– Keep an eye on underground forums for similar aggregated datasets targeting other subscription platforms, and monitor any follow‑up statements from OnlyFans regarding internal investigations.