Eroticy Adult Dating & Escort Platform Breach (2015): 1.4 Million User Records Including Payment History, Home Address & Passwords Exposed

Executive Summary

A data breach affecting an adult dating and escort-style platform, attributed in initial reporting to a site known as Eroticy, surfaced in late 2016 when a 120-megabyte SQL dump file labeled 'Eroticy.com_June_2015.sql.zip' began circulating among breach researchers. The data was distributed to Have I Been Pwned, which loaded the breach as a sensitive entry under the Eroticy name with explicit unverified flags. Have I Been Pwned founder Troy Hunt published a detailed verification account, noting that while many subscribers confirmed individual records as accurate to them, the actual source of the breach could not be conclusively attributed to Eroticy. The platform itself has not publicly acknowledged or disputed the attribution.

The breach affected approximately 1.4 million to 1.6 million unique user accounts based on records indexed by breach-tracking services. Compromised fields included names, usernames, email addresses, phone numbers, physical addresses, IP addresses, passwords stored in plaintext for some records, payment histories including transaction records, and detailed website activity logs. The combination of plaintext passwords with payment history and home address from an adult-dating and escort-services context represents one of the most sensitive field combinations recorded in the historical adult-platform breach record.

For affected users, the practical risk profile is exceptionally severe because of the combination of identity-fraud exposure with adult-platform-specific reputational risk. The combination of name, address, phone number, and plaintext password supports both credential-stuffing attacks against other accounts and synthetic-identity-fraud risk. More distinctively, inclusion in the dataset confirms an adult-dating or escort-services relationship and may reference real payment transactions for adult services. This creates substantial extortion risk, in which attackers threaten disclosure to family members, employers, or social networks unless ransom is paid. Affected users who receive extortion attempts should not pay ransom demands because payment does not stop further extortion and often invites additional attempts. Users should change any reused passwords immediately, enable two-factor authentication where available, document all extortion communications, and report extortion attempts to law enforcement. Affected users should also be aware that the source of this breach remains unconfirmed, meaning the data may have originated from a different platform than the one named in the breach record.

Breach Impact

The institutional impact on Eroticy as an entity has been limited given the unconfirmed source attribution and the platform's apparent disappearance from active operation. No public regulatory action, civil litigation, or formal acknowledgment has been documented. The case has been cited in security research as a leading example of breach attribution challenges and the difficulty of confirming the original source when data circulates through hacker forums and third-party aggregators. The institutional impact has fallen primarily on the affected individuals, who must respond to a breach without a confirmed responsible party.

About Eroticy

Eroticy was reportedly an adult dating and escort-style social platform that combined dating profiles, escort listings, and user accounts to facilitate discreet adult encounters. The platform operated as an account-based service blending social networking with classifieds-style adult services, with users creating profiles, browsing listings, and arranging interactions for casual or transactional encounters. As an adult dating platform, Eroticy maintained substantial user account data including names, usernames, email addresses, phone numbers, physical addresses, IP addresses, passwords, payment histories, and records of user activity tied to intimate-services arrangements.

Why They Hold Your Data

Adult dating and escort-style platforms collect highly sensitive profile data, emails, usernames, relationship or sexual-interest signals, messages, and account activity tied to intimate services.

Recent Developments

The Eroticy breach is unusual within the historical adult-platform breach record because the source of the breach has not been definitively confirmed. Have I Been Pwned founder Troy Hunt published a detailed account of his verification process in late 2016, noting that while many HIBP subscribers confirmed individual records as accurate, the actual source of the data could not be conclusively attributed to Eroticy. The data was loaded into HIBP under the Eroticy name with explicit 'unverified' flags and accompanying explanation. As of current reporting, no entity has formally claimed the dataset or accepted responsibility for the breach, and Eroticy itself has not publicly acknowledged or disputed the attribution.