A data breach affecting an adult dating and escort-style platform, attributed in initial reporting to a site known as Eroticy, surfaced in late 2016 when a 120-megabyte SQL dump file labeled 'Eroticy.com_June_2015.sql.zip' began circulating among breach researchers. The data was distributed to Have I Been Pwned, which loaded the breach as a sensitive entry under the Eroticy name with explicit unverified flags. Have I Been Pwned founder Troy Hunt published a detailed verification account, noting that while many subscribers confirmed individual records as accurate to them, the actual source of the breach could not be conclusively attributed to Eroticy. The platform itself has not publicly acknowledged or disputed the attribution.

The breach affected approximately 1.4 million to 1.6 million unique user accounts based on records indexed by breach-tracking services. Compromised fields included names, usernames, email addresses, phone numbers, physical addresses, IP addresses, passwords stored in plaintext for some records, payment histories including transaction records, and detailed website activity logs. The combination of plaintext passwords with payment history and home address from an adult-dating and escort-services context represents one of the most sensitive field combinations recorded in the historical adult-platform breach record.

For affected users, the practical risk profile is exceptionally severe because of the combination of identity-fraud exposure with adult-platform-specific reputational risk. The combination of name, address, phone number, and plaintext password supports both credential-stuffing attacks against other accounts and synthetic-identity-fraud risk. More distinctively, inclusion in the dataset confirms an adult-dating or escort-services relationship and may reference real payment transactions for adult services. This creates substantial extortion risk, in which attackers threaten disclosure to family members, employers, or social networks unless ransom is paid. Affected users who receive extortion attempts should not pay ransom demands because payment does not stop further extortion and often invites additional attempts. Users should change any reused passwords immediately, enable two-factor authentication where available, document all extortion communications, and report extortion attempts to law enforcement. Affected users should also be aware that the source of this breach remains unconfirmed, meaning the data may have originated from a different platform than the one named in the breach record.

Adult dating and escort-style platforms collect highly sensitive profile data, emails, usernames, relationship or sexual-interest signals, messages, and account activity tied to intimate services.

The Eroticy breach is unusual within the historical adult-platform breach record because the source of the breach has not been definitively confirmed. Have I Been Pwned founder Troy Hunt published a detailed account of his verification process in late 2016, noting that while many HIBP subscribers confirmed individual records as accurate, the actual source of the data could not be conclusively attributed to Eroticy. The data was loaded into HIBP under the Eroticy name with explicit 'unverified' flags and accompanying explanation. As of current reporting, no entity has formally claimed the dataset or accepted responsibility for the breach, and Eroticy itself has not publicly acknowledged or disputed the attribution.