A hacker is selling a 340M-strong OnlyFans-linked dataset built by correlating old breaches and public data, not by hacking OnlyFans directly.
A threat actor is advertising a purported database containing data of 340 million OnlyFans users, but the available evidence points to something less dramatic than a direct breach. According to HackRead, which reported the news, the collection appears to have been assembled by blending old leak data with public profile information rather than by breaking into OnlyFans itself.
The listing surfaced on a popular cybercrime forum earlier this week, where the seller, using the alias “Euphoric_Reply_5727,” claimed to have “340 Million User Records.”
“The listing appeared earlier this week on a well-known cybercrime forum, where a user operating under the alias “Euphoric_Reply_5727” offered what they described as “340 Million User Records” linked to OnlyFans users.” reads the report published by HackRead. “The seller priced the database at 0.313 BTC, roughly $76,000 at the time of writing.”
In the post, the actor described the material as coming from internal OnlyFans systems and said it included personal details, account activity, and payment-related fields.
That framing changed after direct messaging with the seller. In private conversation, the actor confirmed they “didn’t breach or hack OnlyFans” and instead used “existing breaches and leaks databases and matched with users of the OnlyFans platform.” In other words, the value of the dataset seems to come from correlation, not intrusion.
The sample records shared with researchers paint a clearer picture. They appear to be a flat, text-based compilation with usernames, email addresses, phone numbers, join dates, follower counts, likes, uploaded content metrics, linked social profiles, and account type. Some entries also include a field labeled “card,” which the seller says refers to the last four digits of a payment card.
A closer look at the samples raises questions about quality and provenance. Several entries contain placeholders like “None,” and some fields reflect information that would already be visible on public profiles. The formatting also looks more like stitched-together identity data than a clean export from a modern platform database.
Still, the samples do seem to include real accounts. A review of the shared material found that several usernames and associated details matched public OnlyFans profiles. That does not prove the whole database is authentic, but it does suggest the seller was able to anchor at least part of the collection to real accounts.
One unresolved issue is the payment card claim. The “card” field may contain the last four digits of a linked payment method, but there is no independent confirmation that the data is genuine. It may be recycled from older leaks or simply added to make the offer look more valuable.
Even if the data is stitched together from multiple sources, the privacy risk is real. Combining usernames, emails, phone numbers, and social handles can help attackers build convincing phishing campaigns, enable stalking or impersonation, and support blackmail or harassment attempts.
“The incident also shows a growing underground trend where threat actors combine old breach data with publicly accessible information to build searchable identity databases.” concludes the report. “In many cases, the value comes less from stolen passwords and more from linking online personas to real-world identities.”
For now, the dataset remains on sale, and OnlyFans has been contacted for comment.

