Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: privacy (2 articles)Clear

Threat actor advertises 340M OnlyFans profiles for $76K - dataset built from correlating old breaches and public data, not direct hack

A threat actor going by Euphoric_Reply_5727 is selling a database advertised as 340 million OnlyFans user records on a cybercrime forum for 0.313 BTC (around $76,000). In private messages, the seller admitted to HackRead that they did not breach OnlyFans directly - the dataset was assembled by correlating old data-breach corpora with publicly visible OnlyFans profile information. Sample records include usernames, email, phone, join date, follower counts, linked social profiles, and a 'card' field claimed to be payment-card-last-4. The privacy risk is real even without a fresh breach: the correlated dataset enables targeted phishing, stalking, impersonation, and blackmail of OnlyFans users.

Check
Set domain monitoring alerts for your @company.com email addresses appearing in OnlyFans-themed correlated leak datasets. Warn high-profile employees about targeted impersonation phishing.
Affected
Active OnlyFans users whose accounts are publicly visible. The correlation dataset enables targeted phishing, sextortion, stalking, and impersonation even though no fresh breach occurred.
Fix
If you operate identity-verification flows: assume OnlyFans-correlated identity data is on the criminal market. Strengthen account-recovery flows that rely on email + phone-number proof. Treat as already-leaked.

Apple pushes emergency iOS patch for notification-storage flaw that let the FBI recover deleted Signal messages (CVE-2026-28950)

Apple released out-of-band iOS and iPadOS updates to fix a Notification Services flaw that kept notifications marked for deletion sitting in internal storage, where they could be pulled off the device later. The bug (CVE-2026-28950) landed after 404 Media reported that the FBI recovered Signal messages from a suspect's iPhone even after the user deleted them and even after Signal itself was uninstalled. The recovered text did not come from Signal's encrypted message store - it came from iPhone's internal notification buffer, which silently preserved incoming notification contents that the app and the OS both thought had been erased. Apple's advisory does not name the FBI case but describes exactly the data-persistence behavior 404 Media documented. Signal's team publicly thanked Apple for the fix. Beyond Signal users, this flaw matters for anyone who assumed that deleting a message or uninstalling an app wiped the underlying notification data from the phone - it did not. Forensic extraction of an unlocked iPhone could have surfaced any sensitive content ever pushed as a notification.

Check
Update any iPhone or iPad you manage (BYOD or corporate) to the patched build and audit MDM compliance reports for devices that have not yet installed the emergency update.
Affected
All iOS and iPadOS builds prior to iOS 26.4.2 / iPadOS 26.4.2, and prior to iOS 18.7.8 / iPadOS 18.7.8 for older devices on the 18.x train.
Fix
Install iOS 26.4.2 / iPadOS 26.4.2 (or iOS 18.7.8 / iPadOS 18.7.8 on supported older hardware). For Signal users who want belt-and-braces protection against any future notification-storage issue, change Signal Settings > Notifications > Notification content to 'Name Only' or 'No Name or Content' so message bodies never appear in the notification stream in the first place.