A threat actor going by Euphoric_Reply_5727 is selling a database advertised as 340 million OnlyFans user records on a cybercrime forum for 0.313 BTC (around $76,000). In private messages, the seller admitted to HackRead that they did not breach OnlyFans directly - the dataset was assembled by correlating old data-breach corpora with publicly visible OnlyFans profile information. Sample records include usernames, email, phone, join date, follower counts, linked social profiles, and a 'card' field claimed to be payment-card-last-4. The privacy risk is real even without a fresh breach: the correlated dataset enables targeted phishing, stalking, impersonation, and blackmail of OnlyFans users.
B1ack's Stash, a dark-web carding marketplace operating since at least 2023, has released roughly 4.6 million stolen credit-card records as a free download. The market frames the dump as punishment for sellers caught reselling its data on rival platforms; SOCRadar says the marketplace also suspended about 8 million additional CVV2 records. The records include full PAN, CVV2, expiration date, billing address, full name, email, phone number, and IP address, which makes them directly usable for card-not-present fraud and account-opening fraud. This is the third free dump B1ack's Stash has used as a customer-acquisition tactic since its 2024 emergence.