Sophie Rain
She officially launched her OnlyFans account in May 2023. Instagram/sophieraiin

A threat actor is selling what they claim is a 340-million-record OnlyFans database on a cybercrime forum, but the seller privately admitted they never hacked the platform.

The listing, priced at 0.313 BTC, approximately £60,000 ($76,000), appeared earlier this week on a popular data leak forum and went viral on X within hours.

According to Hackread, which contacted the seller directly via Telegram, the person operating under the alias 'Euphoric_Reply_5727' confirmed that the database was not pulled from OnlyFans systems but was instead assembled by cross-referencing old breach datasets and publicly available profile data.

Cybernews also reviewed the listing and noted that sample records appear to date from around August 2025, suggesting the underlying data is not recent.

What the Listing Claims and What the Seller Said

The forum post advertised the database as containing records scraped from 'internal OnlyFans databases,' listing data fields including usernames, full names, email addresses, phone numbers, follower counts, uploaded content statistics, join dates, linked social media profiles, and a field labelled 'card,' described as the last four digits of a payment card associated with each account. The framing was designed to suggest a direct breach of the platform.

That framing collapsed when Hackread reached the seller. 'We didn't breach or hack OnlyFans,' the seller stated in a Telegram message shared with Hackread. 'We used existing breaches and leaks databases and matched with users of the OnlyFans platform.' The sources cited by the seller included previously compromised data from platforms such as Twitter, Instagram, and Spotify.

The distinction carries weight. A direct breach of OnlyFans would mean the company's own servers were compromised. A stitched-together database, by contrast, means the seller took old credential dumps and public profile data from elsewhere, then matched those records to known OnlyFans accounts.

The result is still a searchable identity database, but the responsibility and the risk profile are different.

Sample Data Raises Questions About Authenticity

Hackread reviewed sample records shared by the seller. The data appeared as a flat text collection with fields matching the advertised description. However, the publication noted several irregularities: entries included placeholder values such as 'None'; records were incomplete; and the formatting did not resemble how a modern consumer platform would store production database records internally.

The outlet independently verified that some usernames in the sample matched real, publicly accessible OnlyFans profiles. Attempts to verify associated email addresses, however, did not yield the confirmation needed to indicate registered accounts.

Data breach leak
A supposed OnlyFans database sale sparked widespread discussion across cybercrime forums and social media. Sora Shimazaki | Pexels

The payment card data also could not be authenticated; Hackread concluded it may be authentic, recycled from older leaks, or included simply to inflate the dataset's apparent value.

Security researcher Troy Hunt, founder of the breach-tracking service Have I Been Pwned, publicly questioned the claim on X, noting that the 'scrape' explanation did not align cleanly with the types of data being advertised, unless OnlyFans were exposing personal details through public-facing endpoints. Others on X, including the account IntCyberDigest, suggested the data may be AI-generated entirely, a claim that, as PiunikaWeb reported, has not been confirmed or ruled out.

Why the Exposure Risk Remains Real Regardless of Origin

OnlyFans occupies a platform where anonymity is not a preference but a practical necessity for many users. According to the company's fiscal 2024 annual report, the platform recorded 377.5 million fan accounts and 4.634 million creator accounts in the year ending 30 November 2024. Gross revenue reached $7.22 billion (£5.69 billion) for that period. Many of those users subscribe or create content under pseudonyms specifically to avoid linking their real-world identities to their activity on the site.

A database that links OnlyFans usernames to email addresses, phone numbers, and external social profiles, even if assembled from stale or public data, removes that protective separation. As Hackread noted, such a dataset creates direct exposure to phishing campaigns, blackmail attempts, stalking, and doxxing, regardless of how the records were obtained.

The incident also fits a documented pattern in underground markets. Threat actors increasingly build searchable identity databases by aggregating older breach data rather than targeting platforms directly. The commercial value lies less in stolen passwords, which change, and more in the ability to link online personas to real-world identities, which generally do not.

At the time of publication, the listing remained active on the forum. OnlyFans had not responded to requests for comment from Hackread or Cybernews.

For a platform whose entire business model rests on users trusting it with their most sensitive digital identities, a database that may link those identities to the real world, true breach or not, is a problem that does not need a smoking gun to cause lasting damage.

Writer's pick