OnlyFans denies a 340-million-record breach, and so does the hacker selling it

Susan Hill

A dataset advertised as the personal records of 340 million OnlyFans users is being offered for sale on a well-known leak forum, priced at a fraction of a single Bitcoin. The listing promises emails, phone numbers, real names, the last four digits of a payment card, and the detail that matters most on a platform like this one: the external social-media accounts tied to each profile.

For most services that would be an ordinary privacy problem. For OnlyFans it is something sharper. The entire arrangement between the platform and the people who use it rests on a wall between a person’s legal identity and what they do behind a paywall. A file that connects a real name and a phone number to an OnlyFans handle is a tool built specifically to tear that wall down, and whether or not the data is genuine, it is being marketed to buyers who want exactly that.

The seller describes a record for each of the 340 million accounts: a user ID, a username, a full name, a join date, an email, a phone number, follower and like counts, the number of media items posted, a flag marking the account as a fan or a creator, and links out to profiles on other networks. The asking price is 0.313 Bitcoin, roughly seventy-six thousand dollars for the entire set. Sold in those terms, it reads less like a spreadsheet and more like a targeting package.

The linked-profiles field is the one that turns a database into a weapon. A creator’s OnlyFans identity is often deliberately separated from the name on their bank account, their family group chat, and their day job. Stitch that handle to a verified Instagram or an old phone number and the separation collapses. For the creator economy, where the paywall is the business model, the ability to cheaply de-anonymize hundreds of thousands of people at once is not a privacy inconvenience. It is an existential one.

OnlyFans says none of it happened. “These reports are false,” a company spokesperson told the security outlet that first published the listing. The headline number invites the same skepticism: 340 million is close to the platform’s entire registered user base, the kind of round, total figure that rarely survives contact with an actual server breach, where attackers tend to walk away with a slice of a database rather than a clean copy of all of it.

The strongest argument against a breach, though, came from the seller. Contacted directly through a messaging app, the person behind the listing acknowledged that the data was never pulled from OnlyFans at all. It had been assembled by cross-referencing older breaches from other platforms, including dumps tied to Twitter, Instagram and Spotify that have circulated for years, and bolting those records onto publicly visible profile information. By the seller’s own account, this is a compilation, not an intrusion.

That distinction is the whole story, and the underground market makes its money by blurring it. A real breach exfiltrates data the public never had access to. A compilation re-sorts data that mostly leaked somewhere else and gives it a fresh, frightening brand. “OnlyFans” moves product on a forum in a way that “a list built from five-year-old Twitter records” never could. The supposed multibillion-record WhatsApp and Gmail “hacks” that periodically reach the news work the same way, and usually dissolve into recycled credential lists once researchers pull them apart.

None of which makes the file safe to ignore. Correlation is the weapon here, not novelty. A name that is already public on one site and an email that leaked from another are low-stakes on their own. Joined to an OnlyFans handle, they become a map from a person’s everyday identity to their adult-content account, and that map is the raw material for sextortion messages that quote real details to seem credible, for phishing aimed at creators’ payout accounts, and for the stalking and impersonation that many creators already deal with without an attacker having the sorting done for them in advance.

Verifying a claim like this is slow and rarely produces a clean verdict. Researchers pull a sample, check whether the emails and phone numbers actually correspond to live OnlyFans accounts, look for fields a genuine internal database would contain and a scraped one would not (password hashes, internal record timestamps, security settings), and try to date the records against known prior breaches. The schema this seller advertises is itself a clue: much of it (like and media counts, the fan-or-creator flag, the linked social profiles) describes what a profile shows to visitors, while the only columns that would require access to internal systems, the email and the phone number, are exactly what older third-party dumps supply. Compilations usually come back as a messy mixture: some live accounts, a large share of stale or wrong entries, and a few invented rows padding the count toward a number that sells. The honest answer for most of these dumps is that they are partly real, which is also the most dangerous answer, because partly real is enough to fool a victim.
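One way to run that first pass over a sample, written here as an added example and not as the article's or any researcher's own tooling. It assumes the records arrive as JSON lines carrying the field names the seller advertised, stands in a constructed set of e-mails for the "known prior dumps" a real triage would look up in a breach index, takes 2016 as the platform's launch year for the join-date check (an assumption), and leaves the live-account check, which needs the platform's cooperation, as the bucket of rows to hand over rather than probing anything online:

```python
"""Triage a claimed breach dump: padding, recycling, and what a scrape cannot supply.

Added example, not code from the article or any party it cites. The sample rows
and the prior-dump e-mail set are constructed; PLATFORM_LAUNCH_YEAR is assumed.
"""
import json
import re
from collections import Counter
from datetime import date

PLATFORM_LAUNCH_YEAR = 2016  # assumption: join dates earlier than this are impossible

# Columns only an internal database carries; a scrape of public profiles cannot produce them.
INTERNAL_ONLY_FIELDS = {"password_hash", "password_salt", "session_token",
                        "last_login_ip", "two_factor_secret", "internal_updated_at"}
# Columns a visitor can read off a profile page, hence obtainable by scraping.
PUBLIC_PROFILE_FIELDS = {"username", "likes", "media_count", "is_creator", "social_links"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
E164_RE = re.compile(r"^\+[1-9]\d{6,14}$")
TEMPLATED_NAME_RE = re.compile(r"^(user|test|fan)\d{3,}$", re.I)

# Constructed stand-in for e-mails already present in older, unrelated dumps.
KNOWN_PRIOR_DUMP_EMAILS = {"alice@example.com", "bob@example.org", "carol@example.net"}

# Constructed sample in the seller's advertised schema; rows 3 and 4 are deliberately bad.
SAMPLE_JSONL = """\
{"user_id": 1001, "username": "alice_art", "full_name": "Alice Example", "join_date": "2019-03-02", "email": "alice@example.com", "phone": "+14155550101", "followers": 1200, "likes": 5400, "media_count": 80, "is_creator": true, "social_links": ["https://instagram.com/alice_art"]}
{"user_id": 1002, "username": "bobfan", "full_name": "Bob Example", "join_date": "2021-07-19", "email": "bob@example.org", "phone": "+442071838750", "followers": 0, "likes": 12, "media_count": 0, "is_creator": false, "social_links": []}
{"user_id": 1003, "username": "user00042", "full_name": "", "join_date": "2012-01-01", "email": "not-an-email", "phone": "5550102", "followers": 0, "likes": 0, "media_count": 0, "is_creator": false, "social_links": []}
{"user_id": 1004, "username": "bobfan", "full_name": "Bob Example", "join_date": "2021-07-19", "email": "bob@example.org", "phone": "+442071838750", "followers": 0, "likes": 12, "media_count": 0, "is_creator": false, "social_links": []}
{"user_id": 1005, "username": "dana_creates", "full_name": "Dana Example", "join_date": "2020-11-05", "email": "dana@example.com", "phone": "+33123456789", "followers": 300, "likes": 900, "media_count": 25, "is_creator": true, "social_links": ["https://x.com/dana_creates"]}
"""

PADDING_FLAGS = {"malformed_email", "templated_username", "join_date_before_launch", "bad_join_date"}


def parse_records(jsonl_text):
    """One JSON object per line; lines that are not valid JSON are dropped."""
    records = []
    for line in jsonl_text.splitlines():
        line = line.strip()
        if line:
            try:
                records.append(json.loads(line))
            except json.JSONDecodeError:
                continue
    return records


def schema_verdict(records):
    """Does the column set look like an internal export or a public scrape plus a join?"""
    fields = set()
    for r in records:
        fields.update(r.keys())
    return {
        "internal_only_present": sorted(fields & INTERNAL_ONLY_FIELDS),
        "public_profile_present": sorted(fields & PUBLIC_PROFILE_FIELDS),
        "looks_like_scrape_plus_join": not (fields & INTERNAL_ONLY_FIELDS),
    }


def row_flags(record):
    """Reasons one row looks invented or recycled (an empty list means nothing obvious)."""
    flags = []
    email = record.get("email") or ""
    if not EMAIL_RE.match(email):
        flags.append("malformed_email")
    if not E164_RE.match(record.get("phone") or ""):
        flags.append("non_e164_phone")
    if TEMPLATED_NAME_RE.match(record.get("username") or ""):
        flags.append("templated_username")
    try:
        if date.fromisoformat(record.get("join_date") or "").year < PLATFORM_LAUNCH_YEAR:
            flags.append("join_date_before_launch")
    except ValueError:
        flags.append("bad_join_date")
    if email in KNOWN_PRIOR_DUMP_EMAILS:
        flags.append("in_prior_dump")
    return flags


def triage(records):
    """Bucket every row: invented padding, duplicate, recycled, or left for a live check."""
    seen_emails, summary = set(), Counter()
    for r in records:
        flags, email = set(row_flags(r)), r.get("email")
        if flags & PADDING_FLAGS:
            summary["likely_invented"] += 1
        elif email in seen_emails:
            summary["duplicate"] += 1
        elif "in_prior_dump" in flags:
            summary["recycled_from_prior_dump"] += 1
        else:
            summary["needs_live_check"] += 1  # only the platform can confirm these
        seen_emails.add(email)
    summary["total"] = len(records)
    return dict(summary)


if __name__ == "__main__":
    rows = parse_records(SAMPLE_JSONL)
    print(json.dumps({"schema": schema_verdict(rows), "rows": triage(rows)}, indent=2))
```

On the constructed sample the schema check reports no internal-only columns, one row is thrown out as padding (templated username, malformed e-mail, join date before launch), one is a duplicate, two are recycled from the stand-in prior dumps, and one is left for the platform to confirm. Those buckets, not the headline row count, are what a price for the dataset should rest on; a real triage swaps the constructed e-mail set for a breach-index lookup and keeps everything else.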

For anyone who has ever connected an Instagram or X account to an OnlyFans profile, whether as a fan or a creator and in any market, the safe assumption is that the connection is already discoverable and may now be packaged for sale. The practical advice from security researchers is unglamorous. Treat any message that appears to know your OnlyFans activity as a pressure tactic rather than proof, never pay a blackmail demand, and switch on two-factor authentication, preferably with an authenticator app rather than SMS codes given that phone numbers are among the fields on offer, so that a leaked password on its own cannot open the account.

The listing is still live, and researchers are working through samples to measure how much of it is real, recycled or simply invented, which is the only question the price tag actually rides on. What will not change is the pattern behind it. As long as a famous name on a leak forum is worth more than the data sitting behind it, the next mega breach is already being built out of the wreckage of the last ten.
