A threat actor operating under the alias Euphoric_Reply_5727 is selling what they describe as a 340-million-record database of OnlyFans user data on a cybercrime forum, priced at 0.313 BTC (approximately $76,000). The listing went viral on X on May 24, 2026, generating over 2.3 million views under posts claiming "OnlyFans is Hacked." However, the seller privately told Hackread that no breach of OnlyFans systems occurred. OnlyFans has since described the reports as false.
What the Seller Actually Claimed
The forum listing, framed as an "internal OnlyFans database dump," describes a dataset covering both fan and creator accounts with fields including usernames, email addresses, phone numbers, account creation dates, follower and subscriber counts, content metrics, linked social media profiles, and partial payment card metadata (last four digits only). The listing was priced as a single exclusive sale at 0.313 BTC.
When contacted directly via Telegram by Hackread researchers, the seller stated: "We didn't breach or hack OnlyFans. We used existing breaches and leak databases and matched them with users of the OnlyFans platform." The database is therefore assessed as a credential correlation dataset: a compilation built by cross-referencing historical breach data with publicly accessible OnlyFans profile information, not a product of unauthorized access to OnlyFans infrastructure.
Technical Indicators Against a Genuine Breach
Independent review of the listing by Cybernews found that sample records appear to date from approximately August 2025, inconsistent with a recent intrusion. Separately, technical analysis of the advertised field schema noted that columns such as streams_count and likes_count resemble frontend API response attributes rather than backend database column names, making origin from an internal server dump unlikely. The 340 million figure itself has been questioned, with at least one researcher assessing it may have been drawn from third-party marketing data rather than an actual row count. As noted by The Deep Dive, the viral framing of this incident is a representative example of how a recycled-data listing can be repackaged to suggest a live platform breach and generate significant media amplification.
OnlyFans Response
In a statement provided to Hackread, OnlyFans described the breach reports as "false" but offered no further elaboration on the specific claims or the dataset in question. No additional official statement has been issued as of the time of writing.
Residual Risk for Users
The absence of a direct platform breach does not eliminate risk for OnlyFans users. A compiled dataset of this kind, combining historical breach data with platform-specific profile attributes, carries meaningful secondary exposure:
- Identity linkage: Cross-referencing email addresses and usernames with other breach databases can de-anonymize users who maintain separate identities on OnlyFans, a platform where many creators and subscribers specifically value pseudonymity.
- Targeted phishing: Email addresses combined with platform membership status and creator or fan role allow for highly targeted lures, including extortion-themed messages.
- Credential stuffing: If passwords from the underlying historical breaches are included in the compiled data, accounts on OnlyFans and other platforms where credentials were reused remain at risk.
Users who receive unsolicited contact referencing their OnlyFans activity should treat it as a social engineering attempt and not engage. Password rotation and enabling two-factor authentication on OnlyFans accounts are advisable precautions regardless of the dataset's ultimate origin.
Assessment
Based on the seller's direct admission, technical analysis of the schema, the August 2025 data vintage, and OnlyFans' denial, IntelFusions assesses with high confidence that no direct breach of OnlyFans infrastructure occurred. The listing is consistent with the established underground practice of aggregating historical breach data and public scrapes into platform-specific identity databases, which are then marketed using breach-adjacent language to inflate perceived value. The incident is primarily notable as a high-visibility example of how unverified forum listings propagate as confirmed breaches through social media amplification. At time of writing, the listing remains active on the forum.
This article is published for threat intelligence purposes. IntelFusions is not affiliated with any threat actor group. Claims described herein have not been independently verified unless explicitly stated. Primary sources: Hackread, Cybernews, IBTimes UK.