A threat actor is advertising what they describe as a massive database containing information allegedly linked to approximately 340 million OnlyFans creator and subscriber accounts. However, available evidence suggests the dataset may not originate from a direct compromise of OnlyFans systems.
The listing surfaced on a cybercrime forum in late May and claimed to contain usernames, email addresses, account metrics, linked social profiles, and partial payment-related information allegedly tied to OnlyFans users.
OnlyFans has publicly denied the claims, calling reports of a platform breach “false.”
Subsequent reporting and sample analysis appear to indicate the database may instead be a large aggregation of previously leaked information, scraped public profiles, and breached records collected from unrelated platforms rather than data directly extracted from OnlyFans infrastructure.
Threat actor reportedly denied breaching OnlyFans
According to reports reviewing communications with the seller, the actor allegedly admitted the dataset was compiled using existing breach collections and publicly accessible information tied to OnlyFans accounts rather than obtained through direct unauthorized access to the platform itself.
The alleged database reportedly includes fields such as usernames, follower counts, likes, join dates, social media profiles, and email addresses associated with creators and subscribers.
Researchers reviewing the sample data noted inconsistencies with how modern production databases are typically structured internally. Some records reportedly contained incomplete values, placeholder entries, and publicly visible profile metrics that could potentially be gathered through aggregation and correlation techniques rather than internal database access.
The threat actor also allegedly claimed the dataset included payment card-related information. However, available reporting indicates those claims remain unverified.
Cross-platform profiling remains a real privacy risk
Even if the database was not obtained through a direct OnlyFans breach, large-scale identity correlation datasets can still create substantial privacy and security risks for affected individuals.
Threat actors increasingly combine older breach data, scraped public information, and account identifiers from multiple services to build searchable identity databases capable of linking usernames, email addresses, social media accounts, and other personal details across platforms.
For platforms like OnlyFans, where many creators and subscribers rely heavily on pseudonymity and separation between online identities and real-world information, those aggregation techniques can create elevated risks involving harassment, phishing, impersonation, stalking, blackmail attempts, and targeted social engineering.
The alleged leak also highlights a growing underground trend where cybercriminals market aggregated “mega databases” built from recycled breach collections and open-source intelligence rather than newly compromised systems.
BreachNews previously reported on several recent large-scale identity and platform-related breach claims, including the alleged Vimeo compromise tied to third-party platform access and the alleged GeForce Now user database sale claimed by ShinyHunters.
At time of publication, there is no public evidence confirming a direct compromise of OnlyFans infrastructure.
