Sly Panorama

The OnlyFans 340M 'leak,' explained for fans and creators

A hacker is selling 340 million 'OnlyFans records' for about $76,000. It's not an OnlyFans breach. The data is old, stitched together from Twitter, Instagram, and Spotify leaks. Here's what fans and creators should actually do.


A story made the rounds this week: a hacker is selling 340 million OnlyFans user records on a cybercrime forum for 0.313 BTC, roughly $76,000. The listing went up under the alias "Euphoric_Reply_5727" and the database is around 35 GB. Most headlines you saw used the word "breach."

This is not an OnlyFans breach. The seller said so themselves, and three independent outlets that looked at the data agree. What it actually is, what it doesn't change, and what you should do about it — that's the version of this story worth reading.

I'm not a security researcher. I work on the platforms this story is about. This is the read I'd give another creator (or another fan) who emailed me asking what to do.

What's actually being sold

Per the seller's own forum post, the database wasn't pulled from OnlyFans' servers. It was assembled by cross-referencing already-leaked data from older Twitter, Instagram, and Spotify breaches against publicly visible OnlyFans profiles. Username, follower count, account age, linked socials — all of that's been readable on OnlyFans creator pages since day one. What the seller did was correlate those public fields with the matching email addresses and phone numbers from older breaches the security community has had for years.

The "card" field — described as the last four digits of a payment card — is unverified and almost certainly recycled from one of the older sources. The fields that look like internal database columns (streams_count, likes_count) are actually shaped like frontend API responses, not backend rows. That's a tell. Real platform breaches don't ship with the schema of someone's web client.

OnlyFans' official response was a single word: "false." They didn't elaborate. They were mostly right, in the narrow sense that no one breached their systems. The reason "mostly" matters is below.

Three outlets — Hackread, Cybernews, and IBTimes UK — independently looked at the sample data the seller posted. Cybernews ran ten of the user IDs in the sample against live OnlyFans accounts: all ten existed. But when they ran the matching email addresses through OnlyFans' registration flow, none of them triggered the "this email is already in use" warning. That's the signature of stitched-together data, not a real export.

Why it still matters

This is where the "compilation, not a breach" framing gets oversold.

The data in the compilation is real. The emails were really exposed in older breaches. The phone numbers really do tie back to people. The OnlyFans usernames really do map to those individuals. The fact that nobody had to break into OnlyFans to assemble it doesn't change what someone can now do with the file.

If you're a fan: the risk is targeted phishing. "OnlyFans security team here, your account was part of a recent leak, click here to verify" — landing in the inbox you actually used for your OnlyFans account, addressed to you by name. That's the exact pattern compilation files enable, and that's the wave that follows every one of these stories.

If you're a creator: the risk is bigger. The same data lets a stalker, an obsessive fan, or someone with a grudge correlate your stage name to the email you've been using since college, the phone number on your real driver's license, and every social handle you've ever attached to either. That's the doxing kit, pre-assembled. Most creators I know already assume that file exists somewhere. This week it just got cheaper to buy.

What fans should do

Three things, in order:

  1. Assume the email you used on OnlyFans is in the file. If it's the same email you use for banking, work, or other sensitive accounts, change the OnlyFans email to one you only use for adult sites. Email aliasing services (SimpleLogin, Fastmail's send-as, Apple's Hide My Email) take about ten minutes to set up and solve this permanently going forward.
  2. Turn on two-factor authentication on every adult platform account you have. Every major one supports it. Most fans don't bother. If a phisher gets your password from a future leak, 2FA is the difference between a scary email and a hijacked account.
  3. Ignore unsolicited "security alerts" about the leak. Real platforms don't email you a link asking you to verify your account because of a breach. They make you log in normally and check from there. If you get one in the next month, delete it.

The thing not to do is panic-cancel everything. The compilation is bad. It is not "your card info is on the dark web" bad.

What creators should do

This is the part I spend more time on, because the risk profile is genuinely different on the creator side.

  1. Audit what your stage name and your real identity have in common in public. Same phone number on both? Same email handle used in both worlds? Same profile photo cross-posted across personal and creator socials, where reverse image search will land on both? Most doxing isn't done by hackers; it's done by anyone with twenty minutes and Google. The compilation file just compresses the twenty minutes to one click.
  2. Separate your platform email from your support email from your booking email. Three addresses, three jobs. Your platform-signup email is the one that ends up in compilations. Your booking inbox is the one you put on press kits. Your support email is what fans get. None of them should be the same as your personal Gmail.
  3. Move your fans to channels you control. A mailing list (with the email they signed up with, not the one a third party scraped) is the channel that survives both platform-level outages and the next compilation leak. So is the SFW site you own. I went deeper on this in "Why every adult creator needs their own website" and "Why I run my own site."
  4. Know which platforms are most exposed. I did a side-by-side on what trickles in from breaches and processor changes in OnlyFans vs Fansly vs LoyalFans. The short version: every platform carries the same compilation risk for fans, but the platform-level operational risk varies a lot.

If you've been using your real-name address on OnlyFans since 2019, you can't take that back. What you can do is stop adding to the pile.

The pattern is going to repeat

This is the third "OnlyFans data" story I can remember in two years. Back in January 2026, a separate compilation dump exposed roughly 149 million login credentials from Instagram, Gmail, and OnlyFans — around 100,000 of those tied to OnlyFans accounts. That one was also stitched together from older breaches and credential-stuffer dumps, not a platform compromise. It got the same "OnlyFans hacked" headlines. Same shape. Same correction a week later. Same risk profile in the meantime.

"Compilation leak" is going to be the dominant pattern for the next several years, on every consumer platform, not just adult ones. The market for fresh breaches is small; the market for stitching together old breaches and reselling them with a fresh victim's name in the title is enormous. Treat every "X million records sold" headline as a stitched compilation until proven otherwise.

That doesn't mean the headlines don't matter. It means the threat model is "someone now has cheap access to data that was already cheap" — which sounds like a small move, until you remember the floor on cheap is what determines how often you get phished.

What I do operationally

In case it's useful, the actual playbook on my side:

  • One email alias per platform. OnlyFans, ManyVids, LoyalFans, Pornhub, every social — each has its own alias. The day one of them ends up in a compilation, I rotate that single alias and the rest are unaffected.
  • A separate phone number for platform 2FA. A Google Voice or MySudo number, not the real cell. The real number doesn't go on anything I expect to end up in someone else's database later.
  • A mailing list with double opt-in. Fans subscribe with whatever address they want. The list lives on the site I own, separate from any platform. When the next policy swing or compilation story hits, the mailing list is what still works.
  • My own site as the canonical home. Slypanorama.com is the address I put on bookings, press, and bios. It's the front door fans can always find me through, even when a platform geo-blocks them, suspends an account for an algorithm reason, or shows up in a "hacked!" headline that turns out to be old data. I made the longer version of that argument when the state-level age-verification laws started biting in the age-verification piece — the same logic applies here, for the same reason.

None of this prevents a compilation file from existing. The point isn't prevention; it's containment. When the next story breaks (and one will, probably this quarter), I want the blast radius to be one rotatable alias, not my whole identity.
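
The doxing audit from the creator list and the one-alias-per-platform rule above can be run against your own account inventory. The script below is an added example, not tooling from this site or any platform; `ACCOUNTS`, `normalize` and `audit` are hypothetical names, the sample rows are constructed, and it assumes plus-tags reach the same inbox and phone numbers match on their last 10 digits.

```python
import re
from collections import defaultdict

# Constructed sample inventory (not real accounts), one row per account you hold:
# (persona, platform, email, phone, handle); leave a field "" if unused.
ACCOUNTS = [
    ("personal", "bank",     "Sample.Persona@gmail.com",   "+1 (555) 010-0199", "samplepersona"),
    ("creator",  "onlyfans", "samplepersona+of@gmail.com", "555-010-0199",      "@StageName"),
    ("creator",  "fansly",   "fansly@alias.example",       "+1 555 010 0142",   "stagename"),
    ("creator",  "booking",  "fansly@alias.example",       "",                  ""),
]

def normalize(kind, value):
    """Reduce an identifier to the form someone matching records would compare."""
    v = value.strip().lower()
    if kind == "email" and "@" in v:
        local, _, domain = v.rpartition("@")
        local = local.split("+", 1)[0]            # assumption: +tags reach the same inbox
        if domain in ("gmail.com", "googlemail.com"):
            local, domain = local.replace(".", ""), "gmail.com"  # Gmail ignores dots
        return f"{local}@{domain}"
    if kind == "phone":
        return re.sub(r"\D", "", v)[-10:]         # assumption: 10-digit national number
    return v.lstrip("@")

def audit(accounts):
    """Return (crossovers, reused): identifiers shared by the personal and creator
    personas, and creator emails that appear on more than one platform."""
    seen = defaultdict(set)                        # (kind, value) -> {(persona, platform)}
    for persona, platform, email, phone, handle in accounts:
        for kind, raw in (("email", email), ("phone", phone), ("handle", handle)):
            key = normalize(kind, raw)
            if key:
                seen[(kind, key)].add((persona, platform))
    crossovers, reused = [], []
    for (kind, key), uses in sorted(seen.items()):
        if {"personal", "creator"} <= {p for p, _ in uses}:
            crossovers.append((kind, key))
        platforms = sorted(pl for p, pl in uses if p == "creator")
        if kind == "email" and len(platforms) > 1:
            reused.append((key, platforms))
    return crossovers, reused

if __name__ == "__main__":
    crossovers, reused = audit(ACCOUNTS)
    for kind, key in crossovers:
        print(f"LINKS BOTH IDENTITIES: {kind} {key}")
    for key, platforms in reused:
        print(f"ONE ALIAS, SEVERAL PLATFORMS: {key} on {', '.join(platforms)}")
```

Every crossover is a field to change on the creator side; every reused email is an alias whose rotation would touch more than one platform.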

If you're a fan and the to-do list above feels like a lot: it isn't. Change the OnlyFans email to an alias, turn on 2FA, ignore unsolicited "alert" emails. Twenty minutes total, and you're ahead of 95% of the audience.

If you're a creator: the doxing-audit step is the one most people skip and the one that pays off the most. Do that one first.

— Sly