Alleged OnlyFans data leak goes viral, but there’s no proof of a platform breach

Claims of a massive OnlyFans data leak are blowing up on X, with a post alleging that 340 million records tied to creators and subscribers are now up for sale. But from what I was able to deduce, there is still no solid evidence that OnlyFans itself was hacked.

The viral post points to a dataset that supposedly includes usernames, email addresses, phone numbers, profile metrics, linked social accounts, and even partial card metadata. That sounds pretty bad on paper, especially because the listing reportedly puts the data at 0.313 BTC, or roughly $76,000.

The problem is that the breach narrative starts to fall apart once you get past the initial claim. According to Hackread’s report, the seller allegedly told the publication they did not hack or breach OnlyFans at all, and instead built the database by matching old leaked data with public information tied to OnlyFans users. 

They even shared a screenshot of the data they had:

That is a very different story from “OnlyFans was hacked.” It suggests this may be a stitched-together identity database rather than a direct platform compromise, which is still concerning, just not in the way the viral posts make it sound.

Hackread says it reviewed sample records and found incomplete entries, placeholder values like “None,” and data fields that looked more like a flat text collection than something pulled straight from a modern production database. The outlet also said some usernames in the sample matched real public OnlyFans accounts, but it could not verify key details such as the claimed payment card metadata.

Security researcher Troy Hunt also publicly questioned the claim, saying the supposed “scrape” angle does not neatly line up with the kinds of data being advertised, unless OnlyFans were exposing personal information through public endpoints.

That still does not prove the listing is fake, but it does make the “complete database” claim harder to take at face value right now.

Still, the risk for regular users isn’t exactly negligible. A database, even an old one, that links usernames, emails, phone numbers, and social profiles could be used for phishing, blackmail, harassment, or plain old doxxing.

But again, further digging from others indicates that the data might simply be AI-generated slop. 

So this is going to be worth keeping track of in the coming days. But as with the recent GitHub internal repository breach case we covered, there is a difference between a serious claim and a confirmed platform breach.

At the time of writing, Hackread said the dataset was still being offered for sale and that it had reached out to OnlyFans for comment. For now, we wait and see how the situation unfolds.

I’d take the claims with a grain of salt. All current evidence points towards this likely being a scheme by the seller to make a quick buck off unusable/fabricated data.

Featured image generated with AI

We stand out from the tech-media crowd because we break news stories; we mainly bring you stuff that you won’t find anywhere in the mainstream tech media. Our stories have been picked up by some of the world’s most popular websites and media outlets—more info is available here.