Full Report
Adult site, streaming platform, and Japanese retailer expose user info, but not credentials

Three very different companies have now confirmed data breaches affecting millions of users – each insisting the damage stopped well short of passwords and payment details.…
Analysis Summary
# Incident Report: Trio of User Data Breaches (Pornhub, SoundCloud, Askul)
## Executive Summary
Three distinct entities—an adult streaming platform (Pornhub), a music streaming platform (SoundCloud), and a Japanese retailer (Askul)—confirmed security incidents resulting in the exposure of user information affecting millions across their user bases. The incidents stemmed from different vectors: a third-party analytics breach (Pornhub), unauthorized access to an ancillary service (SoundCloud), and a ransomware attack targeting internal systems (Askul). While all companies asserted that highly sensitive data like passwords and payment details were untouched, customer records, including email addresses and pre-existing public profile information, were compromised or leaked.
## Incident Details
- **Discovery Date:** Not explicitly stated for all. SoundCloud detected unauthorized activity after a week of user complaints (likely late 2025). Pornhub was informed by Mixpanel. Askul incident started prior to October 2025.
- **Incident Date:** Varying dates across incidents (Askul attack occurred in October 2025).
- **Affected Organization:** Pornhub, SoundCloud, Askul (Retail/E-commerce)
- **Sector:** Online Entertainment/Adult Streaming, Music Streaming, Retail/E-commerce
- **Geography:** Global/Varies (Askul is Japan-based)
## Timeline of Events
### Initial Access
- **Date/Time:** Varies. Askul attack commenced prior to or in October 2025.
- **Vector (Pornhub):** Compromised credentials belonging to the third-party analytics provider, Mixpanel.
- **Vector (SoundCloud):** Unauthorized access to an ancillary service dashboard.
- **Vector (Askul):** Stolen login details belonging to a subcontractor who lacked MFA.
- **Details:**
  - **Pornhub:** Breach occurred within Mixpanel's environment, impacting analytics data of select Premium users. Pornhub had ceased working with Mixpanel in 2021.
  - **Askul:** Threat actors utilized compromised subcontractor credentials to gain entry.
### Lateral Movement
- **SoundCloud:** Attackers moved into or leveraged access within an ancillary service dashboard to cause disruption and access data.
- **Askul:** Ransomware infection confirmed in logistics and internal systems.
### Data Exfiltration/Impact
- **Pornhub:** A limited set of analytics events involving select Premium users was exposed from Mixpanel's environment.
- **SoundCloud:** Approximately 28 million users (20% of user base) were affected; email addresses and publicly visible profile information were accessed.
- **Askul:** Roughly 740,000 customer and business partner records were exfiltrated, and some data (including backups) was encrypted and published by the RansomHouse cybercrime crew.
### Detection & Response
- **Pornhub:** Discovered via notification from the third-party vendor, Mixpanel.
- **SoundCloud:** Detected following a week of user complaints regarding outages and broken access. Response included engaging third-party security experts. Response actions caused temporary connectivity issues (VPN access disruption) for some users.
- **Askul:** The intrusion was not detected immediately because datacenter servers lacked EDR and there was no 24-hour monitoring. Response involved dealing with ransomware infection and data leakage.
## Attack Methodology
| Phase | Pornhub (via Mixpanel) | SoundCloud | Askul (Ransomware) |
| :--- | :--- | :--- | :--- |
| **Initial Access** | Third-party vendor compromise (Mixpanel) | Unauthorized access to ancillary service dashboard | Subcontractor credentials (No MFA used) |
| **Persistence** | N/A (Third-party incident) | Not specified | Not specified (Implied through network access) |
| **Privilege Escalation** | N/A | N/A | Likely occurred to deploy ransomware |
| **Defense Evasion** | N/A | N/A | Intrusion initially went undetected (no EDR or 24-hour monitoring) |
| **Credential Access** | Compromised Mixpanel analytics credentials | Not specified | Stolen subcontractor login details |
| **Discovery** | Not specified | Not specified | Not specified |
| **Lateral Movement** | Within Mixpanel environment | Within associated ancillary service or network | Within internal and logistics systems |
| **Collection** | Analytics events | Email addresses & public profile data | Customer/Partner data |
| **Exfiltration** | Data moved out of Mixpanel environment | Data moved out of audited systems | Data stolen and published by RansomHouse |
| **Impact** | Exposure of analytics records | Exposure of user metadata and service disruption | System encryption (ransomware) and data publication |
## Impact Assessment
- **Financial:** Not specified, though Askul suffered "large-scale service stoppage."
- **Data Breach:**
  - **Pornhub:** Limited analytics events for select Premium users.
  - **SoundCloud:** Email addresses and public profile data (~28 million users).
  - **Askul:** ~740,000 customer/partner records (non-financial).
- **Operational:** SoundCloud experienced "temporary connectivity issues" affecting VPN users due to containment measures. Askul experienced "large-scale service stoppage."
- **Reputational:** Public disclosures and service disruptions occurred across all three, leading to user concern.
## Indicators of Compromise
*No specific network/file IoCs were provided in the summary article.*
- **Behavioral Indicators:** Unauthorized access attempts, sustained unauthorized activity on ancillary services (SoundCloud), encryption of internal/backup files (Askul).
## Response Actions
- **Containment:**
  - **Pornhub:** Stopped using Mixpanel services in 2021 (mitigated further impact).
  - **SoundCloud:** Engaged third-party security experts; implemented configuration changes to stop unauthorized access (which inadvertently caused user disruption).
  - **Askul:** Dealt with ransomware lockouts and data encryption across logistics/internal systems.
- **Eradication:** Not detailed, but implied cleanup effort following containment.
- **Recovery:** Askul focused on recovering from encryption; SoundCloud restored service connectivity.
## Lessons Learned
- **Third-Party Risk is Significant:** The Pornhub incident shows that reliance on third-party vendors (even former vendors that still retain data) introduces risk that can affect the primary organization's users.
- **Operational Requirements for Security:** Askul's incident demonstrated critical gaps: lack of EDR on datacenter servers, absence of 24-hour monitoring, and failure to enforce MFA on subcontractor accounts, leading to easy initial access and poor detection.
- **Incident Response Can Degrade User Experience:** SoundCloud's necessary containment measures led to unintended customer-facing connectivity issues.
## Recommendations
- Implement mandatory Multi-Factor Authentication (MFA) for all employees and third-party contractors with system access, especially service providers/subcontractors.
- Deploy comprehensive security monitoring (EDR, 24/7 SOC) across all production and critical administrative environments, regardless of perceived criticality (e.g., datacenter servers).
- Thoroughly audit third-party vendor access and data handling procedures, ensuring robust segmentation and timely termination of data access post-contract.