Hackers claim to have stolen the details of more than 73,000 subscribers to porn site Digital Playground.
The data includes user names, email addresses and passwords. Also taken were the numbers, expiry dates and security codes for 40,000 credit cards.
A previously unknown hacker group called The Consortium said it was behind the attack.
Subscribers to the site have been contacted to let them know about the breach.
While Manwin investigates, the Digital Playground site has been taken offline. It is not accepting new members and its members area has also been taken offline.
The Consortium posted some of the data it stole on the web and said security on the site was full of holes that "made it too enticing to resist" stealing the data.
"This company has security, that if we didn't know it was a real business, we would have thought to be a joke - a joke that we found much more amusing than they will," wrote The Consortium in a log posted on the web.
Visible in the log were admin login names and passwords as well as a selection of the email addresses and user names of some members. Internal emails, details of the four servers underpinning the site and software licence keys were also posted.
The Consortium claims some of the credit card data was stored in plain text form. The group claims to be connected to the Anonymous and Lulzsec hacker groups.
Porn producer Digital Playground is based in California but its website is managed and run by Luxembourg-based firm Manwin. The London office of the company declined to comment on the attack.
In a statement provided to porn industry news site AVN, Manwin said it took over management of the site on 1 March and said the breach may have occurred before it took charge.
Manwin management was overseeing the investigation and Digital Playground subscribers had been contacted to let them know what had happened.
In late February, details of more than 6,000 users of YouPorn's discussion forums, known as YP Chat, were stolen. YP Chat stands separate to YouPorn which is administered by Manwin. Lax security at a third-party provider was blamed for the breach.