Brazzers 2013 KYC Data Breach

Brazzers Adult Entertainment Platform Breach (2013): 800K Subscriber Accounts Including Passwords Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Misconfiguration · Adult · Email Address · Password · Username
Moderate Severity · Adult / Dating

Adult entertainment subscription platform.

Verified by ObscureIQ Intelligence
Breach Risk Index: 56/100
Data Value: 25
Market Recency: 25
Since Breach: 512d

Breach Intelligence Summary

Entity: Brazzers · Actor: Unknown · Sources: 9 references
Attack: Misconfiguration
Profile: Platform · Adult entertainment content · Subscription-based streaming platform · Global
Timeline: Breach (2013-04-01) · Indexed (Dec 01, 2024) · Year (2013)
Exposure: 800K records · 3 fields: Email Address, Password, Username
Status: Confirmed

Executive Summary

A data breach affecting Brazzers users came to public attention in September 2016 when the breach-monitoring site Vigilante.pw shared the dataset with Motherboard, which reported the disclosure publicly. Brazzers confirmed that the data corresponded to a 2012 breach of its third-party-managed user-discussion forum at Brazzersforum.com, which had run on unpatched vBulletin forum software. The data dump had originally been posted online in April 2013 but remained largely undetected for over three years before reaching Motherboard. The breach affected the forum site rather than the main Brazzers subscription service, but because Brazzers and Brazzersforum shared user account credentials for user convenience, the breach also exposed credentials for some users who had never visited the forum.

The breach affected approximately 800,000 users based on records indexed by breach-tracking services, with the underlying data dump containing approximately 928,000 records and 790,000 unique email addresses after duplicates were removed. Compromised fields included email addresses, usernames, and passwords. Critically, the passwords were stored in plaintext rather than hashed, exposing both the original credentials and any reused passwords on other accounts to immediate compromise. Have I Been Pwned founder Troy Hunt verified the authenticity of the dataset by contacting affected HIBP subscribers, who confirmed that the records matched their actual account information.

For affected users, the practical risk profile combines credential-reuse exposure with adult-platform-specific reputational risk. The plaintext password exposure means any other account where the same password was reused was immediately compromised, with credential-stuffing attacks expected on email, financial, and social-media accounts. More distinctively, inclusion in the dataset confirms a Brazzers subscription or forum relationship, which can support targeted extortion or harassment campaigns. Affected users who receive extortion attempts should not pay ransom demands because payment does not stop further extortion. Users should immediately change any reused passwords on other accounts, enable two-factor authentication where available, document any extortion communications, and report extortion attempts to law enforcement. Users with concerns about the disclosure timing should be aware that the original breach occurred in 2012 and the data has been in circulation since at least April 2013, meaning passwords from that era should have been rotated long before now if the user retained any awareness of the breach.

ObscureIQ assessment: Very high sensitivity. Exposure creates strong risk of extortion, reputational harm, harassment, and identity linkage. Plaintext password exposure also sharply increases password reuse and downstream account compromise risk.

Breach Impact

The institutional impact on Brazzers as an entity has been limited because of the indirect nature of the breach (third-party forum, not main subscription service) and the historical timing of the original incident. No formal regulatory action against Brazzers or parent Aylo has been documented in connection with the breach. Civil litigation has been minimal because the underlying incident occurred in 2012 and was disclosed publicly only in 2016, placing many class-action timelines outside applicable statutes of limitation. The reputational impact concentrated on the broader adult-platform sector rather than Brazzers specifically, given the sensitivity of any adult-platform user-data exposure. The case has been cited in adult-industry cybersecurity discussions as an example of third-party vendor risk and the security implications of credential sharing across operationally distinct platforms.

About Brazzers

Brazzers is one of the largest commercial adult-entertainment subscription brands globally, operating as a streaming and subscription-based adult content platform. Headquartered in Montreal, Canada, the brand is owned by Aylo (formerly MindGeek), the parent company that operates a portfolio of major adult-content properties. Brazzers operates a primary subscription service through Brazzers.com and historically operated a third-party-managed user discussion forum at Brazzersforum.com where subscribers could discuss favorite scenes and request new content. The breach in question occurred at the third-party-managed forum, not at the main Brazzers subscription service. As a subscription-based adult-content platform, Brazzers maintains user account identifiers, email addresses, usernames, passwords, and subscription billing data across its main service operations.

Why They Hold Your Data

Adult entertainment platforms collect user accounts, emails, usernames, passwords, and activity-linked identity markers associated with explicit content consumption.

Recent Developments

Following the September 2016 public disclosure, Brazzers spokesperson Matt Stevens publicly attributed the incident to a 2012 breach of the Brazzersforum forum software stack, specifically a vulnerability in the third-party vBulletin forum software used at Brazzersforum.com. Brazzers stated that corrective measures had been taken in the days following the original 2012 incident to protect users. The Brazzersforum site was taken offline following the public disclosure and remained under reconstruction. The breach is widely cited in security commentary as an example of vBulletin-related forum compromises that affected numerous web properties during the same era, including Epic Games forums, Dota2 forums, and others.

Data Points Exposed

3 verified field types:
  • Email Address
  • Password (Critical)
  • Username

Field names are shown in full for clarity and search visibility. Canonical machine keys are emitted only in this page’s structured data.

Exploitation & Downstream Threats

Threat Activity: High
Primary downstream threats:
  • Credential stuffing against reused passwords across other platforms
  • Targeted phishing campaigns using exposed email addresses
Threat vectors:
  • Phishing, credential stuffing & account takeover
  • Credential stuffing & account takeover
  • Cross-platform tracking & credential stuffing

Recommended Actions

If you believe your information may be included:

  • Change Reused Passwords: Update this account and anywhere you reused the password; use a manager.
  • Enable MFA Everywhere: Turn on multi-factor authentication on email first, then financial accounts.
  • Report & Recover: If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the Brazzers breach?

A data breach affecting Brazzers users came to public attention in September 2016 when the breach-monitoring site Vigilante.pw shared the dataset with Motherboard, which reported the disclosure publicly. Brazzers confirmed that the data corresponded to a 2012 breach of its third-party-managed…

What data was exposed?

Verified fields include Email Address, Password, Username.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

  • DataBreach.com (Breach Index): Record & field corroboration
  • Have I Been Pwned (Breach Index): Record & field corroboration
  • 9ghz (Cross-source): Independent catalogue listing
  • BreachAware (Cross-source): Independent catalogue listing
  • BreachForums_Official_Index (Cross-source): Independent catalogue listing
  • Leaked.Domains (Cross-source): Independent catalogue listing
  • databases.today (Cross-source): Independent catalogue listing
  • leakfind (Cross-source): Independent catalogue listing
  • ObscureIQ proprietary analysis (ObscureIQ Intelligence): Risk Index scoring & downstream-threat assessment
