Dormant Vendors, Active Risk: When “We Stopped Using Them” Isn’t Enough

Pornhub and OpenAI were breached through the same analytics vendor — but the real risk wasn’t the breach itself. It was the data that never left after the contract ended. Dormant third-party vendors still holding your data are an invisible risk most boards aren’t tracking.

Pornhub users are used to things being exposed. Just not their data.
ChatGPT users share things they wouldn’t tell their therapist. That’s out there too now.
Same vendor. Same breach. Very different awkward conversations.

Pornhub and OpenAI were both breached through Mixpanel — the same third-party analytics vendor.

But here’s the part that should keep you up at night:
Pornhub stopped using Mixpanel in 2021.
The contract ended.
The relationship ended.
The data… didn’t.
Four years later, it was still there. Waiting.

When an attacker phished a Mixpanel employee, they didn’t just access current customers.
They accessed former customers who believed the relationship was over.

That’s a risk category most boards aren’t tracking:
Dormant third-party vendor risk.
Your contract ended.
Your data didn’t.

Questions boards should be asking:
1. Do we track former vendors that still retain our data?
2. Have we verified data destruction — or just assumed it?
3. Do termination clauses specify timelines, methods, and proof?
4. When was the last time we audited a vendor we stopped using?

Dormant third parties still hold active risk.
