Did OnlyFans get hacked? The truth behind the viral 340M leak
A threat actor is selling what they call an “OnlyFans Mega Leak” for $76,000, but the seller already admitted it is not a direct breach.
A claim that OnlyFans suffered a massive data breach has spread rapidly across X and Reddit in the past 48 hours, with reports alleging that a hacker is selling a database containing records for 340 million users and creators.
The viral story has triggered panic among creators and subscribers, with many rushing to change passwords or delete accounts. However, a closer look at the available evidence shows this is not a direct hack of OnlyFans’ systems. Instead, it appears to be a large-scale compilation of data pulled from older breaches and publicly visible profiles.
What the hacker is actually selling
On May 25, 2026, cybersecurity researchers and outlets including Hackread reported that a threat actor using the alias Euphoric_Reply_5727 is advertising a massive OnlyFans-linked dataset on a cybercrime forum.
The asking price is 0.313 BTC, roughly $76,000 at the time of listing.
The claimed database allegedly includes usernames and display names, email addresses, phone numbers, account creation dates, follower and subscriber metrics, creator and fan rankings, content type and quantity stats, linked social media profiles, and a field labeled “card” described as the last four digits of a payment card associated with each account.
At first glance, the sheer volume and detail suggested a major breach of OnlyFans itself. However, when journalists at Hackread contacted the seller directly, the story changed significantly.
The threat actor explicitly admitted, “We didn’t breach or hack OnlyFans. We used existing breaches and leaks databases and matched with users of the OnlyFans platform.”
In other words, this is a “synthetic” or compiled dataset. Old leaked information from platforms like Twitter, Instagram, Spotify, and others has been cross-referenced with publicly visible OnlyFans profiles and activity.
OnlyFans has pushed back strongly on the breach narrative. In statements shared with multiple outlets, the company called the reports “false” and emphasized that it has not suffered a direct compromise of its internal systems.
Security researchers found multiple red flags
Independent analysis of the listing has surfaced significant technical inconsistencies that undercut the seller’s narrative.
Security researcher Tat Thang posted a detailed breakdown on X noting that several of the field names listed in the alleged dataset, such as streams_count and likes_count, resemble frontend API attributes rather than backend database columns. That suggests the data structure does not match what would come from an actual internal server breach.
Tat Thang also pointed out that the 340 million records figure appears to have been lifted from marketing material belonging to a third-party company, rather than reflecting OnlyFans’ actual user base.
Attempts to validate associated email addresses against the platform did not produce confirmations that those emails were registered OnlyFans accounts. The “card” field claim regarding payment data also could not be independently verified, leaving open the possibility that it was included to inflate the dataset’s perceived value.
These red flags align with a documented pattern in underground markets, where threat actors increasingly build searchable identity databases by aggregating older breach data and public information rather than executing fresh hacks. The commercial value lies less in stolen passwords, which change, and more in the ability to link online personas to real-world identities, which generally do not.
What this means for creators and users
Even if this is not a fresh internal breach, the implications are still serious for anyone who has ever used OnlyFans.
Phishing and impersonation risks are significant. Attackers could use the compiled emails, usernames, and linked social profiles to craft highly targeted phishing campaigns or impersonate creators and subscribers.
Extortion and doxxing are particularly threatening to creators. Leaked subscriber metrics and even partial payment data could be weaponized for blackmail or to expose personal information.
Password reuse remains a perennial risk. Many users recycle the same email and password combination across sites. If an old breach is part of this dataset, it could lead to account takeovers elsewhere.
Broader privacy erosion is the bigger lesson. The incident highlights how data from multiple sources can be stitched together into powerful profiles, even without a single massive hack.
Cybersecurity experts recommend immediate steps for anyone concerned. Change your OnlyFans password and enable two-factor authentication. Avoid reusing passwords across sites. Monitor linked social accounts for suspicious activity. Be wary of unsolicited messages or extortion attempts.
The bottom line
The viral “OnlyFans mega leak” is not what it first appeared to be. There is currently no credible evidence that OnlyFans itself was directly hacked or breached in 2026. The dataset being sold is a mashup of older leaks and public information, repackaged to look like a fresh compromise, and the seller has admitted as much.
That said, the episode serves as a stark reminder of how vulnerable personal data remains in the age of widespread data breaches and aggregation. For creators who rely on OnlyFans for their livelihood, and for subscribers who value privacy, the risks are real even when the headline-grabbing “hack” turns out to be overstated.
As always with these incidents, the best defense is proactive account security and skepticism toward unverified claims spreading rapidly on social media.
Article compiled and edited by Derek Gibbs (entertainment editor) and the Clownfish TV newsroom.
Hat Tips:
Hackread (May 25, 2026), original reporting and direct conversation with the threat actor confirming no OnlyFans breach
Cybernews and Security Affairs, reporting on the 340 million record dataset and its likely origins
IBTimes UK, coverage of security researcher Tat Thang’s technical analysis identifying frontend API field names and the inflated record count
OnlyFans official statements to media outlets denying a direct platform compromise
Sunday Guardian Live and Packetlabs, additional context on the alleged listing and privacy implications
Reddit r/onlyfansadvice and X discussions, initial spread of the rumor and community fact-checking


