May 29, 2026
A Threat Actor Named Euphoric_Reply_5727 Just Posted a 340 Million Record OnlyFans Database for 0.313 BTC (~$76,000) on a Cybercrime Forum—But the Seller Admitted in Private Messages It Was Built by Matching Public OnlyFans Profiles to Records From Old Twitter, Instagram, and Spotify Breaches, Not From a New Hack
The headline says "OnlyFans hacked." The seller says otherwise. The privacy risk to the millions of people on the list is real either way—because phishing campaigns do not care whether the data came from a fresh breach or a compilation.
The listing went up on a cybercrime forum the week of May 18, 2026, with the kind of headline number that turns a routine forum post into international news: 340 million OnlyFans user records, on sale for 0.313 Bitcoin (about $76,000 at the time of the listing), priced as if the entire user base of the world's largest adult content platform had been pulled from a single database. Then the seller, posting under the handle Euphoric_Reply_5727, started answering buyers' messages in private. According to Security Affairs, the actor admitted they "didn't breach or hack OnlyFans" and instead used "existing breaches and leaks databases and matched with users of the OnlyFans platform." OnlyFans publicly called the claim false. The data is still on the forum.
Key Takeaways
- A threat actor using the handle Euphoric_Reply_5727 listed a 340 million record OnlyFans dataset on a cybercrime forum the week of May 18, 2026, priced at 0.313 BTC (approximately $76,000).
- The seller initially claimed the data came from internal OnlyFans systems but later admitted in private messages that the dataset was compiled by cross-referencing public OnlyFans profile data with records from older Twitter, Instagram, and Spotify breaches.
- OnlyFans publicly denied any breach, and independent researchers including Cybernews confirmed the dataset is a compilation rather than a fresh exfiltration.
- The 340 million dataset reportedly includes usernames, email addresses, phone numbers, join dates, follower counts, likes, uploaded content metrics, linked social profiles, account type, and payment card last four digits.
- Even as a compilation, the dataset enables targeted phishing, stalking, impersonation, blackmail, and harassment because OnlyFans usage is highly sensitive context layered on top of identifying data from prior breaches.
What Is Actually in the 340 Million Record Dataset?
The fields the seller advertised are a mix of personally identifying information and behavioral signal: usernames, email addresses, phone numbers, account creation dates, follower counts, like counts, uploaded content metrics, linked social profiles, account type (creator vs subscriber), and the last four digits of payment cards. The combination is more sensitive than any one field. An email address by itself is a phishing target. An email address tied to a confirmed OnlyFans account—even just as a subscriber—is a phishing target with a leverage angle.
Researchers who looked at the listing found that several usernames matched real public OnlyFans profiles. That does not validate the rest of the dataset, but it does mean Euphoric_Reply_5727 had at least scraped the public profile pages and built the join logic to match those records against the older breach corpora circulating in the cybercrime economy.
Why Is a Compiled Dataset Still Dangerous?
When breach researchers and journalists evaluate a leak, the first question is usually "is this data fresh?" The answer determines whether the leaking organization needs to invalidate sessions, force password resets, and notify users under state breach disclosure laws. The Euphoric_Reply_5727 listing answers that question with "no"—and that is the answer OnlyFans's legal and security teams want, because a compilation does not trigger the same disclosure obligations as a fresh exfiltration.
But the question buyers on the forum are asking is different: "is this data useful?" The answer to that question is yes. Phishing infrastructure cares about valid email addresses tied to identifiable user behavior, and the OnlyFans username column gives every record an extortion handle. Stalkers and abusers care about phone numbers tied to social media handles, and the linked social profile column delivers that. Blackmailers care about the fact that the recipient cannot disprove the connection, because the username is real even if the rest of the record is bolted on from a Twitter dump.
Which Old Breaches Power the Compilation?
Euphoric_Reply_5727 referenced "existing breaches and leaks databases" without naming the specific datasets, but the most likely candidates are the long-circulating compilations that already power the rest of the credential-stuffing economy: the Twitter dump from 2022, the multiple Instagram scrapes published between 2019 and 2023, the Spotify credential-stuffing data that surfaced in 2020, and the broader 6.8-billion-email compilation that appeared on BreachForums on April 30.
The join key is the email address. Once a compiler has a single confirmed email tied to an OnlyFans username—obtained from a registration leak, a deliverability test, or a forum post—they can pivot the rest of the social and behavioral data from other breaches into that record. The result looks like a fresh database, even when none of the underlying records came from the platform whose name is on the listing.
What Should OnlyFans Users Do Right Now?
Practical defensive steps for anyone whose email address has ever been associated with OnlyFans, whether as a creator or a subscriber:
- Assume the email address on the account is on the list. Compilation data routes itself into phishing pipelines within days of publication.
- Enable multi-factor authentication on the account. OnlyFans supports authenticator-app MFA. Turn it on.
- Rotate any password reused across OnlyFans and another service. The risk is not that OnlyFans's password storage was breached; it was not. The risk is that the account reuses a password already exposed alongside the same email address in one of the older breaches in the compilation.
- Treat any email claiming to be from OnlyFans as suspect. Extortion campaigns built on this dataset will spoof OnlyFans branding. The platform never asks for payment outside the in-app billing flow.
- Use a unique, per-service email address. If your OnlyFans email is the same as your work, banking, or social media address, the leverage angle is much larger than it needs to be.
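The password and per-service email advice above can be checked against your own account list. The following is an added example, not code from the article or from any source it cites: a local audit that shows which of your accounts collapse onto one mailbox (the email join key described earlier) and which share a password. The inventory is constructed, and the normalization rules (dropping `+tag` suffixes for every provider, ignoring dots for Gmail) are assumptions about how addresses get treated as the same mailbox.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed inventory of one person's own accounts: (service, email, password).
ACCOUNTS = [
    ("onlyfans", "Jane.Doe+of@gmail.com", "correct-horse-1"),
    ("twitter", "janedoe@gmail.com", "correct-horse-1"),
    ("spotify", "jane.doe@gmail.com", "tr0ub4dor&3"),
    ("bank", "jd-bank-7f3a@example.net", "x9!LongUniquePass"),
]

GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def join_key(email):
    """Reduce an address to the mailbox it delivers to."""
    local, _, domain = email.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]          # assumption: +tag is sub-addressing
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")      # Gmail ignores dots in the local part
        domain = "gmail.com"
    return f"{local}@{domain}"

def linkable_groups(accounts):
    """Services whose addresses collapse to one mailbox, i.e. one merged record."""
    groups = defaultdict(list)
    for service, email, _ in accounts:
        groups[join_key(email)].append(service)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}

def reused_passwords(accounts):
    """Sets of services sharing a password, compared via a keyed hash."""
    key = secrets.token_bytes(32)           # random per-run key: tags are not reusable hashes
    groups = defaultdict(list)
    for service, _, password in accounts:
        tag = hmac.new(key, password.encode(), hashlib.sha256).hexdigest()
        groups[tag].append(service)
    return sorted(sorted(v) for v in groups.values() if len(v) > 1)

if __name__ == "__main__":
    for mailbox, services in linkable_groups(ACCOUNTS).items():
        print(f"{mailbox}: linkable across {', '.join(services)}")
    for services in reused_passwords(ACCOUNTS):
        print(f"password reused across {', '.join(services)}")
```

In the sample, the `+of` tag and the dotted variant still resolve to the same mailbox as the Twitter and Spotify addresses, so only the separate alias on the bank account stays unlinked.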
The Pattern
"Hackers claim X" headlines outpace actual confirmation in 2026. The economics favor the bluffer: a forum listing costs nothing to publish, a viral news cycle drives interest, and the seller does not need the buyer to be satisfied with the data—they need the buyer to pay for it. Euphoric_Reply_5727's listing fits that pattern. So did the alleged Internet Archive breach in 2024, the alleged Snowflake megaleak in mid 2024, and a long string of "X million records" listings that turned out to be compilations once a researcher actually downloaded the file.
The signal hidden in the noise is real, though. Hundreds of millions of email addresses, phone numbers, and social handles are already on cybercrime forums in a form that makes them easy to weld into "fresh" listings. The defensive lesson is not to wait for confirmation that any specific listing is real. It is to assume the underlying compilation already exists and to harden the email address at the center of every account before someone routes it through a phishing campaign.