Some former OnlyFans support staff employees still had access to users' data—including sensitive financial and personal information—even after they stopped working for the company used by sex workers to sell nudes and porn videos.
According to a former OnlyFans employee who asked to remain anonymous because they feared retaliation, some ex-employees still had access to Zendesk, a popular customer service software that many companies, including OnlyFans, use to track and respond to customer support tickets, long after leaving the company. OnlyFans uses Zendesk to respond to both users who post content and those who just pay to view that content. Motherboard was able to corroborate this with more than one former employee's access.
According to the source and OnlyFans users who spoke to Motherboard, depending on what a user is seeking help with, support tickets may contain their credit card information, drivers' licenses, passports, full names, addresses, bank statements, how much they have earned on OnlyFans or spent, Know Your Customer (KYC) selfies where the creator holds up an ID next to their face for verification, and model release forms.
This source showed Motherboard the access they still had, long after they stopped working for OnlyFans.
"It's a shame that they have this large company and feel they can play with people's lives like this," the former employee said. "There are already so many things they are in trouble for and privacy should not be one of them. Everyone on that platform, especially sex workers, need to have their information be safe and it isn't."
When a creator sets up a profile, OnlyFans support assures users that "the verification process is strictly confidential, and this information is not shared with anyone," according to a support email Motherboard received while setting up an account.
Motherboard emailed OnlyFans’ general media request email address and specific representatives multiple times, and sent direct messages to two OnlyFans Twitter accounts, but the company did not respond to our request for comment on a potentially very serious security risk.
Allowing a former employee to access users’ personal information would be a security risk to users on any service, but sex workers and adult entertainment performers are especially at risk because they are often targeted over the stigma around their occupation. For people who only use OnlyFans to pay for content, a leak of personal information can also be especially dangerous because that information could be used to blackmail them. Motherboard has repeatedly reported on “insider threats,” where employees at tech companies use their privileged access to data to inappropriately spy on users or colleagues. This has happened at Facebook, Snapchat, hacking firm NSO Group, Amazon-owned surveillance firm Ring, and many other companies. It is particularly dangerous for former employees to still retain privileged access to sensitive data.
"Like any platform, you have to be careful, but oftentimes we are the last to know when it comes to hacks or data leaks," an OnlyFans creator, who asked for anonymity because they still use the platform, told Motherboard. "Ultimately all platforms involve a certain amount of risk and as much as I can advise fellow creators on how to keep their sensitive data safe, there is not much any of us can do if the leak comes from within the platform itself."
In 2016, 800,000 Brazzers accounts were exposed in a data breach. In 2019, the personal data of more than one million users on porn site Luscious was exposed in a security exploit. And in 2020, researchers found a data leak of models' personal information from a vulnerability in PussyCash.com, a company that owns multiple adult websites including ImLive.