ShinyHunters

From Wikipedia, the free encyclopedia

ShinyHunters
Formation: 2019
Type: Cybercrime hacker group
Methods: Voice phishing, data exfiltration, extortion
Official language: English
Affiliations

ShinyHunters is a black-hat criminal hacker and extortion group that has been active since 2020 or earlier,[2][3] and is said to have been involved in a significant number of data breaches.[2]

ShinyHunters has used voice phishing and other forms of advanced social engineering to gain access to the systems of its targets. After gaining access to a target, the group has been known to exfiltrate data and demand ransom payments. If a target does not pay the ransom, the stolen information is often leaked or sold on the dark web.[2][4][1] As of 2026, ShinyHunters is believed to be affiliated with The Com, a large international network of cybercriminals.[1]

Identity and membership

The name of the group is believed to be derived from Shiny Pokémon, an aspect of the Pokémon video game franchise where Pokémon have a rare chance of being encountered in an alternate, "shiny" color scheme; players who actively try to collect such Pokémon through in-game strategies are often referred to as "shiny hunters".[5][6]

ShinyHunters' membership is believed to partially overlap with other groups linked to international cybercrime network The Com, including Scattered Spider and Lapsus$.[7] Cybercrime group Scattered Lapsus$ Hunters claims to include members of all three groups.[8] Google-owned cybersecurity firm Mandiant described ShinyHunters as "multiple threat clusters" operating under a single brand in January 2026,[9] and a February 2026 analysis by Kim Zetter describes ShinyHunters and its peer groups as "[l]oose-knit cells" of The Com.[10]

There has been at least one instance of conflict over the legitimacy of the ShinyHunters name. The April 2026 breach of Vercel was carried out by an entity that claimed to be ShinyHunters, but other individuals previously associated with ShinyHunters denied that ShinyHunters was involved.[11]

In May 2022, Sébastien Raoult, a French programmer suspected of belonging to the group, was arrested in Morocco and extradited to the United States. He faced 20 to 116 years in prison.[12][13] In January 2024, Raoult was sentenced to three years in prison and ordered to return five million dollars.[14] Twelve months of the sentence are for conspiracy to commit wire fraud and the remainder for aggravated identity theft.[14] He will face 36 months of supervised release afterwards.[14] Raoult had worked for the group for more than two years according to the U.S. Attorney's Office for the Western District of Washington, but was not a major player within the group.[14]

In May–June 2025, U.S. prosecutors in the District of Massachusetts charged Matthew D. Lane, a 19-year-old Massachusetts student, with hacking and extorting an education-technology provider widely reported to be PowerSchool. Prosecutors said that Lane used stolen contractor credentials to access the company's network in 2024, exfiltrate data on tens of millions of students and teachers, and demand a $2.85 million bitcoin ransom. Lane agreed to plead guilty on May 20, 2025, and entered a guilty plea on June 6, 2025.[15][16]

On June 25, 2025, French authorities announced that four members of the ShinyHunters cybercriminal group were arrested in multiple French regions for cybercrime activities. The coordinated global law enforcement effort targeted the 'ShinyHunters', 'Hollow', 'Noct', and 'Depressed' aliases.[17]

Notable data breaches

2020

  • Mathway: In January 2020, ShinyHunters breached Mathway, stealing roughly 25 million users' data. Mathway is an app for students that helps solve algebraic equations.[3]
  • Tokopedia: On 2 May 2020, Tokopedia was breached by ShinyHunters, which claimed to have data for 91 million user accounts, revealing users' gender, location, username, full name, email address, phone number, and hashed passwords.[2]
  • Wishbone: Also in May 2020, ShinyHunters leaked the full user database of the social media app Wishbone, which is said to contain personal information such as usernames, emails, phone numbers, city/state/country of residence, and hashed passwords.[18]
  • Microsoft: In May 2020, ShinyHunters also claimed to have stolen over 500 GB of Microsoft source code from the company's private GitHub account. The group published around 1GB of data from the hacked GitHub account to a hacking forum. Some cybersecurity experts doubted the claims until analyzing the code; upon analysis, ShinyHunters' claims were no longer in question. Microsoft told Wired in a statement that they are aware of the breach. Microsoft later secured their GitHub account, which was confirmed by ShinyHunters as they reported being unable to access any repositories.[19][20][21]
  • Wattpad: In July 2020, ShinyHunters gained access to a Wattpad database containing 270 million user records. Information leaked included usernames, real names, hashed passwords, email addresses, geographic location, gender, and date of birth.[22][23][24]
  • Pluto TV: In November 2020, it was reported that ShinyHunters gained access to the personal data of 3.2 million Pluto TV users. The hacked data included users' display names, email addresses, IP addresses, hashed passwords and dates of birth.[25][26]
  • Animal Jam: It was also reported in November 2020 that ShinyHunters was behind the hack of Animal Jam, leading to the exposure of 46 million accounts.[27][28]
  • Mashable: In November 2020, ShinyHunters leaked 5.22GB worth of the Mashable database on a prominent hacker forum.[29]

2021

  • Pixlr: In January 2021, ShinyHunters leaked 1.9 million user records from Pixlr.[30]
  • Nitro PDF: In January 2021, a hacker claiming to be a part of ShinyHunters leaked the full database of Nitro PDF – which contains 77 million user records – on a hacker forum for free.[31]
  • Bonobos: In January 2021, it was reported that ShinyHunters leaked the full backup cloud database of Bonobos, a clothing company, to a hacker forum. The database is said to contain the address, phone numbers, and order details for 7 million customers; general account information for another 1.8 million registered customers; and 3.5 million partial credit card records and hashed passwords.[32]
  • AT&T Wireless: In 2021, ShinyHunters began selling information on 70 million AT&T wireless subscribers, which contained users' phone numbers, personal information and social security numbers. AT&T acknowledged the data breach in 2024.[33][34][35]
  • Aditya Birla Fashion and Retail: In December 2021, Indian retailer Aditya Birla Fashion and Retail was breached and ransomed. The ransom demand was allegedly rejected and data containing 5.4 million unique email addresses were subsequently dumped publicly on a popular hacking forum the next month. The data contained extensive personal customer information including names, phone numbers, physical addresses, birth dates, order histories and passwords stored as MD5 hashes.[36]

2023

  • Pizza Hut Australia: In September 2023, ShinyHunters claimed to have compromised more than 1 million customers' data and 30 million order records of Pizza Hut Australia.[37] Pizza Hut Australia later acknowledged and confirmed the data breach.[38]

2024

  • AT&T Wireless: In April 2024, ShinyHunters again hacked AT&T Wireless and stole data on over 110 million customers. In May, AT&T paid a $370,000 ransom to one of the group's members to delete the data.[39]
  • Banco Santander: On May 30, 2024, the Spanish multinational bank Santander was breached by ShinyHunters, resulting in the compromise of data on all Santander staff and 30 million customers in Spain, Chile and Uruguay.[40]
  • Ticketmaster: ShinyHunters claimed responsibility for breaching Ticketmaster via their campaign targeting customers of the cloud storage firm Snowflake.[41]
  • PowerSchool: In December 2024, education-software vendor PowerSchool was breached; the attacker demanded $2.85 million and the company paid a ransom to prevent release of stolen student/teacher data.[42][43] In early May 2025, new extortion emails began hitting individual school districts that were customers of PowerSchool, with outlets reporting attempts to leverage the stolen data from an earlier, unrelated PowerSchool breach identified by CrowdStrike. One message shared with DataBreaches.net demanded payment from North Carolina authorities, though the publication cautioned it could not authenticate the sender's identity. Bleeping Computer likewise reported that someone claiming to be ShinyHunters was extorting districts/customers of PowerSchool, while a person identifying as the group's leader told the outlet the culprit was an affiliate impersonating them.[44]

2025

  • Legal Aid Agency (U.K. Ministry of Justice): The Ministry of Justice disclosed on 22 May 2025 (updated 4 September 2025) that the Legal Aid Agency (LAA) suffered a cyber incident affecting applicants who used its digital service from 2007 until systems were taken offline on 16 May 2025; the MoJ has not named a culprit and says investigations are ongoing.[45] In August 2025, multiple outlets reported that a group using the ShinyHunters name posted on Telegram (Scattered Lapsus$ Hunters [46][47]) claiming responsibility and threatening to leak LAA data unless a member was freed; The Times and The Law Society Gazette covered the claim while noting authorities had not verified the posts and that the deadline passed without a leak.[48][49][50][51]
  • LVMH: In mid-2025, luxury conglomerate LVMH confirmed that several of its brands – including Louis Vuitton, Dior, and Tiffany & Co. – experienced unauthorized access to a customer information database managed by a third-party platform.[52] While each subsidiary disclosed limited details (Tiffany & Co.'s Korean unit noted a "vendor platform" was breached), investigators later tied these incidents to the ShinyHunters Salesforce data-theft campaign.[52] The threat actors privately extorted the firms via email (using the ShinyHunters name) and were ultimately identified as part of the UNC6040/UNC6240 clusters described by Google.[53]
  • Google: On June 4, 2025, Google Threat Intelligence Group (GTIG) reported on UNC6040, a cluster of voice phishing campaigns targeting organizations' Salesforce instances. The attackers used modified versions of Data Loader to export Salesforce data and subsequently extort the victims. GTIG attributed the activity to ShinyHunters.[53] According to DataBreaches.net, ShinyHunters have merged with Scattered Spider.[54] On August 5, 2025, Google confirmed that a corporate Salesforce instance of Google's containing contact information and notes for small and medium-sized businesses had been compromised by UNC6040/ShinyHunters activity.[55]
  • Qantas: In July 2025, Australian airline Qantas suffered a cyberattack that exposed data of approximately 5.7 million customers.[56] Initially attributed to Scattered Spider by multiple professional security researchers and journalists,[57] it was later confirmed to be the work of ShinyHunters.[52] According to DataBreaches.net and many other journalists and security researchers, ShinyHunters have merged with Scattered Spider.[54]
  • Jaguar Land Rover: On September 2, 2025, Jaguar Land Rover (JLR) disclosed a cyber incident and proactively shut down systems, causing severe disruption to production and retail operations. In the days that followed, outlets reported that a ShinyHunters/Scattered Spider–aligned collective claimed responsibility; JLR said there was no evidence of customer data theft at that time and notified the UK ICO.[58][59][60][61]
  • Kering: In September 2025, ShinyHunters was linked to a major data breach affecting Kering, the French luxury goods group that owns brands such as Gucci, Balenciaga, and Alexander McQueen. ShinyHunters claimed to have stolen personal data from Balenciaga, Gucci, Brioni, and Alexander McQueen. The group claimed they compromised 43,483,137 million records exclusively from Gucci and approximately 7.4 million unique customer records across Balenciaga, Brioni, and Alexander McQueen. The data included, but was not limited to, names, email addresses, phone numbers, physical addresses, and total spend amounts from luxury store purchases.[62] Kering confirmed the incident, stating that an unauthorized third party accessed limited customer information and that no financial data (such as credit card or bank info) was compromised. ShinyHunters reportedly attempted to extort the company following the breach, which was identified in June 2025 and publicly disclosed months later.[63][64]
  • University of Pennsylvania: In November 2025, hackers associated with ShinyHunters targeted the University of Pennsylvania. The data breach likely affected over 1 million individuals, including students, alumni, and donors.[65][66]
  • Princeton University: In November 2025, hackers associated with ShinyHunters targeted Princeton University.[67]
  • Harvard University: In late November 2025, hackers associated with ShinyHunters targeted Harvard University.[65][68][69]
  • Pornhub: In December 2025, ShinyHunters claimed responsibility for the Pornhub breach, part of the Mixpanel campaign. ShinyHunters claimed to have 94 GB of historical analytics data containing over 200 million records of Pornhub users' email addresses, search history, watch/download activity, location data, and video metadata. ShinyHunters attempted to extort the company with threats of public release. Pornhub stated the incident stemmed from the third-party analytics service Mixpanel and that no passwords or financial information were compromised.[70][71]
  • SoundCloud: In December 2025, ShinyHunters was linked to a SoundCloud breach that exposed personal information tied to roughly 29.8 million user accounts (about 20% of the platform's user base), including email addresses, usernames, avatars, follower counts and locations. ShinyHunters allegedly accessed data via an ancillary service dashboard, and following attempted extortion the compromised records were reportedly published, underscoring the group's continued focus on large-scale data theft and ransom-or-release tactics.[72][73]

2026

  • Grubhub: In January 2026, several older and newer Grubhub data breach incidents were linked to ShinyHunters in a targeted combined extortion against Grubhub.[74]
  • Panera Bread: In January 2026, a breach of Panera Bread involved around 5 million people (14 million records), with leakage to the dark web; the group exploited a Microsoft Entra SSO installation.[75]
  • Figure Technology Solutions: In February 2026, Figure suffered a data breach in which records on around 1 million people were stolen and leaked to the dark web; it was another breach in the ShinyHunters Okta SSO campaign.[76][77]
  • Wynn Resorts: In February 2026, Wynn Resorts was targeted by the cyber-extortion group ShinyHunters, who claimed to have stolen over 800,000 customer records and employee data from the company's systems.[78][79][80]
  • Odido: In February 2026, a breach of Odido involved around 6 million people (21 million records), with leakage to the dark web.[81][82][83]
  • Telus Corporation and Telus Digital: In March 2026, ShinyHunters claimed to have stolen over 1 petabyte (PB) of data from Telus & Telus Digital. The group demanded a $65 million ransom in exchange for not leaking the company's data. According to multiple prominent media outlets, including Reuters and Bloomberg, the stolen data included information related to more than two dozen companies, including personally identifiable information, call data and recordings (CDRs), FBI background check information, financial information, Salesforce data, and source code spanning multiple business divisions within the business services and telecommunications company. The stolen data also reportedly impacts Telus' telecommunication services: customers and call logs.[84][85][86]
  • European Commission: In March 2026, ShinyHunters hacked and leaked over 350GB of data from the EU Commission.[87] PII, email communications, sensitive documents, technical data, data belonging to 42 internal clients and at least 29 EU entities, and more were affected, according to CERT-EU, which also attributed the breach and leak to ShinyHunters.[88]
  • Rockstar Games: In April 2026, ShinyHunters breached cloud-linked systems of Rockstar Games via a third-party service (Anodot → Snowflake), claiming to have stolen nearly 80 million records. The group issued a ransom deadline of April 14 and, after it expired, leaked portions of the data online, including internal analytics and business metrics (such as GTA Online and Red Dead Online performance data). Rockstar confirmed the breach and stated that only limited, non-material internal data was affected, with no impact on operations, services, or player data.[89][90]
  • ADT: In April 2026, ShinyHunters stole the personal information of 5.5 million individuals after breaching the systems of home security giant ADT. ShinyHunters were able to steal the personal information through an employee's compromised Okta single sign-on account via a voice phishing attack. This access allowed the attackers to steal data from the company's Salesforce instance.[91][92]
  • Instructure (Canvas): On May 1, ShinyHunters claimed responsibility for the exfiltration of 3.65 TB of data from the Canvas learning management system, which ShinyHunters claims impacts 275 million users across 8,809 affected institutions. Instructure stated that passwords and financial information were not compromised, but confirmed that the breach involved names, email addresses, student IDs, and a large volume of private messages from the Canvas LMS.[93][94][95] On May 7, 2026, ShinyHunters claimed responsibility for breaching Instructure again.[96] The Canvas login page was changed to a message stating that affected schools had until May 12, 2026 to contact ShinyHunters via Tox to negotiate a settlement.[97][98] A list of such schools was provided in a text file attached to the message. As of May 9, 2026, Instructure has not made a settlement for the ransomed data.

Snowflake data hacks

In 2024, ShinyHunters claimed to have hacked Snowflake-related customers including Ticketmaster, Santander Bank, Neiman Marcus, and many others.[99] The group was also responsible for publishing data stolen from Twilio and Truist Bank.[100]

In 2026, ShinyHunters executed another widespread data theft of Snowflake-related customers through the third-party integrator Anodot.[101] Snowflake, Inc. confirmed the incident and is actively notifying potentially impacted customers. Subsequently, ShinyHunters is extorting "over a dozen" affected companies in return for not publishing the data. Google's threat intelligence group Mandiant confirmed that they are tracking the case.

Salesforce data hacks

Round 1

On June 4, 2025, ShinyHunters was tied to a widespread data-theft campaign targeting Salesforce cloud customers, which Google's Threat Intelligence team tracked as UNC6040.[53] ShinyHunters, working in conjunction with Scattered Spider[54] (now believed to be the same group) and Lapsus$ (also now believed to be the same group or a part of it), impersonated IT support staff and used voice phishing (vishing) calls to trick employees into installing a malicious version of Salesforce's Data Loader tool, allowing them to access and extract sensitive customer data by abusing OAuth to bypass traditional authentication methods.[102] Google's Threat Intelligence team notes that, following a successful intrusion, victims receive an extortion or ransom email from ShinyHunters, activity that is tracked as UNC6240.[53]

This sophisticated social engineering approach led to confirmed data breaches at major companies including Google, Cisco, Adidas, Qantas, Allianz Life, Farmers Insurance Group, Workday, Pandora, Chanel, TransUnion, and LVMH subsidiaries including, but not limited to, Dior, Louis Vuitton, and Tiffany & Co.[52]

Round 2

Shortly after, on August 28, 2025, another campaign tracked by Google Threat Intelligence (formerly Mandiant) as UNC6395 used OAuth/refresh tokens stolen from Salesloft's Drift integration to access numerous Salesforce customer orgs between August 8–18, 2025, systematically exporting CRM data and hunting for credentials (e.g., AWS access keys, passwords, Snowflake tokens).[103] Google told reporters it was aware of over 700 potentially impacted organizations. Public disclosures tied to this campaign include Cloudflare, Workiva, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Rubrik, Cato Networks, and Palo Alto Networks, each confirming unauthorized access to data in their Salesforce environments following the Salesloft/Drift compromise.[104] ShinyHunters claimed responsibility to the press.[citation needed]

On September 17, 2025, BleepingComputer was able to confirm ShinyHunters was behind the UNC6395 campaign, the biggest SaaS compromise in history.[105] ShinyHunters told BleepingComputer that the threat actors used the TruffleHog security tool to scan the source code for secrets, which resulted in the finding of OAuth tokens for the Salesloft Drift and the Drift Email platforms. Using these stolen Drift OAuth tokens, the threat actors stole approximately 1.5 billion data records for 760 companies from the "Account", "Contact", "Case", "Opportunity", and "User" Salesforce object tables.

Round 3

Three months later, on November 20, 2025, another campaign, which Google Threat Intelligence Group tracked as the work of UNC6395-adjacent actors known as ShinyHunters, used OAuth/refresh tokens stolen from the Gainsight Salesforce integration to access numerous customer instances.[106]

Salesforce publicly reported detecting unusual activity related to applications published by Gainsight that were connected to its platform, leading Salesforce to revoke OAuth access and refresh tokens and temporarily remove related applications from its AppExchange while the investigation was ongoing.[107]

The security incident bore extreme similarity to an earlier ShinyHunters-linked Salesloft Drift breach in August 2025, in which attackers stole OAuth tokens from the Salesloft integration known as Drift, enabling unauthorized access to and data exfiltration from 760 customer Salesforce instances.[105][original research?]

According to external reporting and industry analysis, Austin Larsen, the principal threat analyst of Google Threat Intelligence Group (formerly Mandiant), said in a statement that the company "is aware of more than 200 potentially affected Salesforce instances." This lined up with what ShinyHunters told several media outlets, specifically 285 Salesforce instances.[108] The hacking group claimed responsibility for hacks affecting Atlassian, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, Verizon, and more.[106]

Round 4

On March 7, 2026, Salesforce released another security advisory linking a "known threat group" to the exploitation of misconfigurations in its Salesforce Experience Cloud software,[109] also known as Salesforce Aura. The group used a modified version of the Google-owned AuraInspector to scan for misconfigurations, along with a custom-developed tool of its own to exploit them and extract data from Experience Cloud.[110]

Two days later, on March 9, 2026, ShinyHunters claimed responsibility for these data theft hacks on their data leak site, warning affected victims to pay up or their data would be leaked.[111] One IOC listed for the exploitation was a User-Agent similar to one seen in ShinyHunters' Snowflake data theft attacks: "RapeFlake" in the Snowflake attacks and "RapeForce" in this case.[111]

The hacking group claimed to have breached about 400 companies, affecting Snowflake, Okta, LastPass, Salesforce itself, Sony, AMD, and "a lot more".[112]

Mixpanel data hacks

In November 2025, ShinyHunters was linked to a third-party analytics breach at Mixpanel. It affected multiple high-profile companies including Pornhub and OpenAI.

Threat actors exploited a smishing-based compromise of Mixpanel systems, resulting in the export of analytics-related datasets belonging to several customers. ShinyHunters subsequently leveraged this access to extort organizations, claiming to possess analytics records tied to platforms such as Pornhub's Premium service and, indirectly, data associated with OpenAI's API user interactions.[70][113]

Both OpenAI and Pornhub confirmed that this breach was not the result of a compromise of their own systems but rather of the third-party analytics breach at Mixpanel. OpenAI has since stopped using the analytics provider.[citation needed]

Okta/SSO data hacks

In January 2026, ShinyHunters was linked by multiple media outlets and threat-intelligence firms to a series of social-engineering campaigns targeting enterprise single sign-on (SSO) environments, including Okta. The attacks relied on voice-phishing ("vishing") and credential-harvesting infrastructure rather than exploitation of vulnerabilities in Okta's software, according to Okta and multiple security researchers.

According to a report by BleepingComputer, the ShinyHunters group claimed responsibility for a wave of voice-phishing ("vishing") campaigns that tricked employees into divulging their SSO credentials and multi-factor authentication codes. These credentials were subsequently used to access enterprise SSO dashboards and harvest data from connected software-as-a-service (SaaS) platforms for extortion purposes.[114]

Okta itself publicly warned of active attacks in which threat actors used custom phishing kits and voice-based social engineering to steal SSO credentials, including Okta logins, and abuse those credentials to access cloud applications and exfiltrate data. Okta noted that these attacks did not exploit inherent vulnerabilities in its products, but instead leveraged sophisticated phishing techniques against individual users.[115]

Threat-intelligence analysis published by Google Cloud's Threat Intelligence Group (formerly Mandiant) described how activity consistent with prior ShinyHunters-branded operations involved targeted voice-phishing and credential harvesting sites aimed at capturing SSO logins and MFA tokens. Once obtained, attackers could use the compromised SSO access to move laterally into applications such as Salesforce, Microsoft 365, and other enterprise services and then exfiltrate sensitive data. The analysis noted that some of the campaigns overlapped with ShinyHunters-branded activity tracked under multiple threat clusters.[116][117]

This ongoing, highly active data theft campaign, as described by Charles Carmakal, CTO of Mandiant at Google Cloud, employs a very sophisticated social engineering approach that has led to data breaches at major companies including but not limited to University of Pennsylvania, Princeton University, Harvard University, University of Nevada, Las Vegas, Grubhub, Crunchbase, Betterment, Panera Bread, Match Group, Tinder, Hinge, OkCupid, Bumble Inc, Odido, and Wynn Resorts.[citation needed]

According to a report by Silent Push, previously founded by FireEye, former owners of Mandiant, the ShinyHunters group and their broader collective "Scattered LAPSUS$ Hunters" ("SLH" / "SLSH") are actively targeting over 100 high-profile organizations in this campaign.[118]

Other data breaches

The following are other hacks that have been credited to or allegedly done by ShinyHunters. The estimated impacts of user records affected are also given, if possible.[119][120][121]

Totaling 1,798,509,000, not accounting for duplicate records between the aforementioned data breaches.

References

  1. ^ a b c Newman, Lily Hay; Greenberg, Andy (May 8, 2026). "The Canvas Hack Is a New Kind of Ransomware Debacle". Wired. Retrieved May 8, 2026.
  2. ^ a b c d Newman, Lily Hay (May 21, 2020). "ShinyHunters Is a Hacking Group on a Data Breach Spree". Wired. ISSN 1059-1028. Retrieved January 25, 2021.
  3. ^ a b Cimpanu, Catalin (May 22, 2020). "25 million user records leak online from popular math app Mathway". ZDNET. Retrieved April 18, 2025.
  4. ^ Cimpanu, Catalin. "A hacker group is selling more than 100 billion user records on the dark web". ZDNet. Retrieved January 25, 2021.
  5. ^ King, Ashley (June 19, 2024). "More Details Emerge on Ticketmaster Breach Affecting 500M+". Digital Music News. Retrieved January 19, 2025.
  6. ^ Frank, Allegra (December 2, 2016). "Why Pokémon players spend hours and hours chasing shiny monsters". Polygon. Archived from the original on April 17, 2024. Retrieved December 23, 2024.
  7. ^ Krebs, Brian (October 7, 2025). "ShinyHunters Wage Broad Corporate Extortion Spree". Krebs on Security. Retrieved May 8, 2026.
  8. ^ Krebs, Brian (November 26, 2025). "Meet Rey, the Admin of 'Scattered Lapsus$ Hunters'". Krebs on Security. Retrieved May 8, 2026.
  9. ^ "Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft". Google Cloud Blog. January 30, 2026. Retrieved May 8, 2026.
  10. ^ Zetter, Kim (February 16, 2026). "Hackers made death threats against this security researcher. Big mistake". MIT Technology Review. Retrieved May 8, 2026.
  11. ^ Abrams, Lawrence (April 19, 2026). "Vercel confirms breach as hackers claim to be selling stolen data". BleepingComputer. Retrieved May 8, 2026.
  12. ^ "Sébastien Raoult, Français incarcéré au Maroc, menacé d'extradition aux Etats-Unis où il risque une lourde peine". lemonde.fr (in French). August 3, 2022.
  13. ^ "Cybercriminalité: Détenu aux Etats-Unis, le Français Sébastien Raoult espère toujours un "retour en France"". May 31, 2023.
  14. ^ a b c d Jones, Connor (January 10, 2024). "ShinyHunters chief phisherman gets 3 years, must cough up $5M". The Register. Retrieved January 12, 2024.
  15. ^ "District of Massachusetts | Worcester College Student to Plead Guilty to Cyber Extortions | United States Department of Justice". justice.gov. May 20, 2025. Retrieved September 8, 2025.
  16. ^ Abrams, Lawrence. "PowerSchool hacker pleads guilty to student data extortion scheme". BleepingComputer. Retrieved September 8, 2025.
  17. ^ Franceschi-Bicchierai, Lorenzo (June 26, 2025). "US, French authorities confirm arrest of BreachForums hackers". TechCrunch. Retrieved July 3, 2025.
  18. ^ Cimpanu, Catalin. "Hacker leaks 40 million user records from popular Wishbone app". ZDNet. Retrieved January 25, 2021.
  19. ^ "Microsoft's GitHub account breached by threat actors Shiny Hunters". TechGenix. May 21, 2020.
  20. ^ "'Shiny Hunters' bursts onto dark web scene following spate of breaches". SC Media. May 8, 2020.
  21. ^ "Microsoft's GitHub account hacked, private repositories stolen". BleepingComputer.
  22. ^ Deschamps, Tara (July 21, 2020). "Wattpad storytelling platform says hackers had access to user email addresses". CTVNews. Retrieved January 25, 2021.
  23. ^ "Wattpad warns of data breach that stole user info | CBC News". CBC. Retrieved January 25, 2021.
  24. ^ "Wattpad data breach exposes account info for millions of users". BleepingComputer. Retrieved January 25, 2021.
  25. ^ "ShinyHunters hacked Pluto TV service, 3.2M accounts exposed". Security Affairs. November 15, 2020. Retrieved January 25, 2021.
  26. ^ "3 Million Pluto TV Users' Data Was Hacked, But the Company Isn't Telling Them". Vice.com. December 4, 2020. Retrieved January 25, 2021.
  27. ^ Whittaker, Zack (November 16, 2020). "Animal Jam was hacked, and data stolen; here's what parents need to know". TechCrunch. Retrieved January 25, 2021.
  28. ^ Abrams, Lawrence (November 11, 2020). "Animal Jam kids' virtual world hit by data breach, impacts 46M accounts". BleepingComputer. Retrieved January 25, 2021.
  29. ^ "ShinyHunters hacker leaks 5.22GB worth of Mashable.com database". November 5, 2020. Retrieved May 27, 2023.
  30. ^ "Hacker leaks 1.9 million user records of photo editing app Pixlr". The Tribune. January 21, 2021. Retrieved January 25, 2021.
  31. ^ "Hacker leaks full database of 77 million Nitro PDF user records". BleepingComputer. Retrieved January 25, 2021.
  32. ^ "Bonobos clothing store suffers a data breach, hacker leaks 70GB database". BleepingComputer. Retrieved January 25, 2021.
  33. ^ "A Notorious Hacker Gang Claims to Be Selling Data on 70 Million AT&T Subscribers". Gizmodo. August 21, 2021. Retrieved August 26, 2023.
  34. ^ "AT&T finally acknowledged the data breach". BleepingComputer. Retrieved August 26, 2023.
  35. ^ "AT&T acknowledges data breach affecting 51 million people - Panda Security". April 12, 2024.
  36. ^ "Bonobos clothing store suffers a data breach, hacker leaks 70GB database". RestorePrivacy. January 11, 2022. Retrieved January 11, 2022.
  37. ^ "Pizza Hut Australia customer data hacked; ShinyHunters claims to have more than 1 million customers' information". DataBreaches.Net. September 3, 2023. Retrieved February 6, 2026.
  38. ^ Taylor, Josh (September 20, 2023). "Pizza Hut Australia hack: data breach exposes customer information and order details". The Guardian. ISSN 0261-3077. Retrieved February 6, 2026.
  39. ^ Zetter, Kim. "AT&T Paid a Hacker $370,000 to Delete Stolen Phone Records". Wired. ISSN 1059-1028. Retrieved August 4, 2024.
  40. ^ "All Santander staff and millions of customers have data hacked". bbc.com. June 2, 2024. Retrieved July 22, 2024.
  41. ^ Zetter, Kim. "Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake". Wired. ISSN 1059-1028. Retrieved July 22, 2024.
  42. ^ Rundle, James (May 7, 2025). "PowerSchool Paid Ransom to Hackers After Breach". Wall Street Journal. ISSN 0099-9660. Retrieved September 8, 2025.
  43. ^ Coker, James (May 9, 2025). "PowerSchool Admits Ransom Payment Amid Fresh Extortion Demands". Infosecurity Magazine. Retrieved September 8, 2025.
  44. ^ Gatlan, Sergiu (September 4, 2025). "Texas sues PowerSchool over breach exposing 62M students, 880k Texans". BleepingComputer. Retrieved September 8, 2025.
  45. ^ "Legal Aid Agency cyber security incident: frequently asked questions". GOV.UK. September 4, 2025. Retrieved September 8, 2025.
  46. ^ Lyons, Jessica (August 12, 2025). "Oh, great. Three notorious cybercrime gangs appear to be collaborating". The Register. Retrieved May 7, 2026.
  47. ^ Croft, Daniel (August 13, 2025). "ShinyHunters forms hacking supergroup with Scattered Spider, teases major leaks". cyberdaily.au. Retrieved September 8, 2025.
  48. ^ Moloney, Charlie. "'Hackers' threaten to publish Legal Aid Agency records". Law Gazette. Retrieved September 8, 2025.
  49. ^ Sellman, Mark (August 11, 2025). "Hackers threaten to publish legal aid files unless member is freed". thetimes.com. Retrieved September 8, 2025.
  50. ^ Goss, Louis (August 30, 2025). "M&S hackers suspected in legal aid chaos". telegraph.co.uk. Retrieved September 8, 2025.
  51. ^ "Scattered Spider has a new Telegram channel to list its attacks". DataBreaches.Net. August 9, 2025. Retrieved September 8, 2025.
  52. ^ a b c d Abrams, Lawrence. "ShinyHunters behind Salesforce data theft attacks at Qantas, Allianz Life, and LVMH". BleepingComputer. Retrieved September 8, 2025.
  53. ^ a b c d "The Cost of a Call: From Voice Phishing to Data Extortion". Google Cloud Blog. Retrieved September 8, 2025.
  54. ^ a b c "Are Scattered Spider and ShinyHunters one group or two? And who did France arrest? (1)". DataBreaches.Net. August 3, 2025. Retrieved September 8, 2025.
  55. ^ Kovacs, Eduard (August 6, 2025). "Google Discloses Data Breach via Salesforce Hack". SecurityWeek. Retrieved August 10, 2025.
  56. ^ Abrams, Lawrence. "Qantas confirms data breach impacts 5.7 million customers". BleepingComputer. Retrieved September 8, 2025.
  57. ^ Abrams, Lawrence. "Qantas discloses cyberattack amid Scattered Spider aviation breaches". BleepingComputer. Retrieved September 8, 2025.
  58. ^ "Access Restricted". telegraph.co.uk. Retrieved September 8, 2025.
  59. ^ "M&S hackers claim to be behind Jaguar Land Rover cyber attack". bbc.com. September 3, 2025. Retrieved September 8, 2025.
  60. ^ Toulas, Bill. "Jaguar Land Rover says cyberattack 'severely disrupted' production". BleepingComputer. Retrieved September 8, 2025.
  61. ^ "Statement on Cyber Incident | JLR Media Newsroom". media.jaguarlandrover.com. Retrieved September 8, 2025.
  62. ^ "Exclusive: High-end fashion retailers Gucci, Balenciaga, Brioni, and Alexander McQueen hit by Salesforce attacks". DataBreaches.Net. September 11, 2025. Retrieved February 1, 2026.
  63. ^ "Gucci, Balenciaga and Alexander McQueen hacked in cyber-attack". www.bbc.com. September 15, 2025. Retrieved February 1, 2026.
  64. ^ "Update: Kering confirms Gucci and other brands hacked; claims no conversations with hackers?". DataBreaches.Net. September 15, 2025. Retrieved February 1, 2026.
  65. ^ a b Franceschi-Bicchierai, Lorenzo (February 4, 2026). "Hackers publish personal information stolen during Harvard, UPenn data breaches". TechCrunch. Retrieved February 25, 2026.
  66. ^ "Penn data leaked after University refused to pay $1 million ransom, hacker group says". The Daily Pennsylvanian. Retrieved February 25, 2026.
  67. ^ Gatlan, Sergiu. "Princeton University discloses data breach affecting donors, alumni". BleepingComputer. Retrieved February 25, 2026.
  68. ^ Gatlan, Sergiu. "Harvard University discloses data breach affecting alumni, donors". BleepingComputer. Retrieved February 25, 2026.
  69. ^ "A Technical and Ethical Post-Mortem of the Feb 2026 Harvard University ShinyHunters Data Breach". InfoStealers. Retrieved February 25, 2026.
  70. ^ a b Abrams, Lawrence. "PornHub extorted after hackers steal Premium member activity data". BleepingComputer. Retrieved February 1, 2026.
  71. ^ Vicens, A.J.; Satter, Raphael. "Hacking group 'ShinyHunters' threatens to expose premium users of sex site Pornhub". Reuters. Retrieved February 1, 2026.
  72. ^ Abrams, Lawrence. "SoundCloud confirms breach after member data stolen, VPN access disrupted". BleepingComputer. Retrieved February 1, 2026.
  73. ^ Gatlan, Sergiu. "Have I Been Pwned: SoundCloud data breach impacts 29.8 million accounts". BleepingComputer. Retrieved February 1, 2026.
  74. ^ Abrams, Lawrence. "Grubhub confirms hackers stole data in recent security breach". BleepingComputer. Retrieved April 4, 2026.
  75. ^ Fadilpašić, Sead (February 3, 2026). "Panera Bread data breach much more serious than we thought - over 5 million customers were hit, new reports claim". TechRadar Pro. Retrieved February 8, 2026.
  76. ^ Franceschi-Bicchierai, Lorenzo (February 13, 2026). "Fintech lending giant Figure confirms data breach". TechCrunch. Retrieved February 25, 2026.
  77. ^ Gatlan, Sergiu. "Data breach at fintech firm Figure affects nearly 1 million accounts". BleepingComputer. Retrieved February 25, 2026.
  78. ^ Lyons, Jessica (February 20, 2026). "ShinyHunters demands $1.5M not to leak Vegas casino and resort chain data". The Register.
  79. ^ Abrams, Lawrence. "Wynn Resorts confirms employee data breach after extortion threat". BleepingComputer. Retrieved February 25, 2026.
  80. ^ Vicens, A.J. (February 24, 2026). "Wynn Resorts says hackers stole employee data". Reuters.
  81. ^ "Information page Odido cyber incident". Retrieved February 24, 2026.
  82. ^ "Cybercriminelen dreigen met lekken data Odido: 'Laatste waarschuwing'". RTL.nl (in Dutch). February 23, 2026. Retrieved February 25, 2026.
  83. ^ Gatlan, Sergiu. "ShinyHunters extortion gang claims Odido breach affecting millions". BleepingComputer. Retrieved February 25, 2026.
  84. ^ Abrams, Lawrence. "Telus Digital confirms breach after hacker claims 1 petabyte data theft". BleepingComputer. Retrieved April 4, 2026.
  85. ^ Murphy, Margi (March 12, 2026). "Canadian Telecom Telus Says It's Investigating Cyber Breach". Bloomberg.
  86. ^ Vicens, AJ (March 12, 2026). "Telus says it is investigating hack of its systems". Reuters.
  87. ^ Gatlan, Sergiu. "European Commission confirms data breach after Europa.eu hack". BleepingComputer. Retrieved April 4, 2026.
  88. ^ "European Commission cloud breach: a supply-chain compromise". cert.europa.eu. April 2, 2026. Retrieved April 4, 2026.
  89. ^ Mike Moore (April 14, 2026). "Rockstar hackers publish 78.6 million stolen records — but many of us will be disappointed". TechRadar. Retrieved April 16, 2026.
  90. ^ "Rockstar Games Data Breach Exposes 78M Records". www.safestate.com. Retrieved April 16, 2026.
  91. ^ Werth, Timothy Beck (April 27, 2026). "ShinyHunters' ADT phishing hack nets 5.5 million emails". Mashable. Retrieved April 28, 2026.
  92. ^ Gatlan, Sergiu. "Home security giant ADT data breach affects 5.5 million people". BleepingComputer. Retrieved April 28, 2026.
  93. ^ Abrams, Lawrence. "Instructure confirms data breach, ShinyHunters claims attack". BleepingComputer. Retrieved May 4, 2026.
  94. ^ Binder, Matt (May 4, 2026). "ShinyHunters: Instructure breach affects 275 million teachers and students". Mashable. Retrieved May 4, 2026.
  95. ^ Arghire, Ionut (May 4, 2026). "Edtech Firm Instructure Discloses Data Breach Amid Hacker Leak Threats". SecurityWeek. Retrieved May 4, 2026.
  96. ^ Palmer, Kathryn. "'PAY OR LEAK': Hackers Target Big Higher Ed Vendor". Inside Higher Ed. Retrieved May 7, 2025.
  97. ^ "Canvas Login Page". May 7, 2026. Archived from the original on May 7, 2026.
  98. ^ "Hackers block access to platform used by thousands of US schools". The Straits Times. May 8, 2026. ISSN 0585-3923. Retrieved May 8, 2026.
  99. ^ Zetter, Kim (June 17, 2024). "Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake". Wired. ISSN 1059-1028. Retrieved March 10, 2025.
  100. ^ "ShinyHunters Leak What They Claim Are 33M Twilio Authy Phone Numbers, Neiman Marcus and Truist Bank Data". DataBreaches.Net. July 5, 2024. Retrieved September 8, 2025.
  101. ^ Abrams, Lawrence. "Snowflake customers hit in data theft attacks after SaaS integrator breach". BleepingComputer. Retrieved April 9, 2026.
  102. ^ Gatlan, Sergiu. "ShinyHunters launches Salesforce data leak site to extort 39 victims". BleepingComputer. Retrieved October 30, 2025.
  103. ^ "Widespread Data Theft Targets Salesforce Instances via Salesloft Drift". Google Cloud Blog. Retrieved September 8, 2025.
  104. ^ Gatlan, Sergiu. "SaaS giant Workiva discloses data breach after Salesforce attack". BleepingComputer. Retrieved September 8, 2025.
  105. ^ a b Abrams, Lawrence (September 17, 2025). "ShinyHunters claims 1.5 billion Salesforce records stolen in Drift hacks". BleepingComputer. Retrieved September 19, 2025.
  106. ^ a b Franceschi-Bicchierai, Lorenzo (November 21, 2025). "Google says hackers stole data from 200 companies following Gainsight breach". TechCrunch. Retrieved February 6, 2026.
  107. ^ "Trust Status". status.salesforce.com. Retrieved February 6, 2026.
  108. ^ Gatlan, Sergiu. "Salesforce investigates customer data theft via Gainsight breach". BleepingComputer. Retrieved February 6, 2026.
  109. ^ "Trust Status". status.salesforce.com. Retrieved April 4, 2026.
  110. ^ Security, Salesforce (March 7, 2026). "Protecting Your Data: Essential Actions to Secure Experience Cloud Guest User Access".
  111. ^ a b Toulas, Bill. "ShinyHunters claims ongoing Salesforce Aura data theft attacks". BleepingComputer. Retrieved April 4, 2026.
  112. ^ Lyons, Jessica (March 9, 2026). "ShinyHunters claims more high-profile victims in latest Salesforce customers data heist". The Register.
  113. ^ Ilascu, Ionut. "OpenAI discloses API customer data breach via Mixpanel vendor hack". BleepingComputer. Retrieved February 1, 2026.
  114. ^ Abrams, Lawrence. "ShinyHunters claim hacks of Okta, Microsoft SSO accounts for data theft". BleepingComputer. Retrieved February 1, 2026.
  115. ^ "Phishing kits adapt to the script of callers". www.okta.com. Retrieved February 1, 2026.
  116. ^ "Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft". Google Cloud Blog. Retrieved February 1, 2026.
  117. ^ Abrams, Lawrence. "Mandiant details how ShinyHunters abuse SSO to steal cloud data". BleepingComputer. Retrieved February 1, 2026.
  118. ^ Kelly, Peggy (January 26, 2026). "Special Alert: SLSH Malicious "Supergroup" Targeting 100+ Organizations via Live Phishing Panels". Silent Push. Retrieved February 1, 2026.
  119. ^ Soni, Jitendra (May 11, 2020). "ShinyHunters leak millions of user details". TechRadar. Retrieved January 25, 2021.
  120. ^ Fearn, Nicholas (July 29, 2020). "386 million user records stolen in data breaches — and they're being given away for free". Tom's Guide. Retrieved January 25, 2021.
  121. ^ ""Shiny Hunters" Hacker Group Keep 73 Mn User Records on Darknet". CISO MAG | Cyber Security Magazine. May 11, 2020. Retrieved January 25, 2021.
  122. ^ "Amazon, Swiggy's payment processor hit by data breach". The Times of India. Retrieved January 5, 2021.
  123. ^ a b c d e f g h i j Cimpanu, Catalin. "A hacker group is selling more than 73 million user records on the dark web". ZDNet.
  124. ^ "ShinyHunters Offers Stolen Data on Dark Web". Dark Reading. July 28, 2020. Retrieved January 25, 2021.
  125. ^ a b c d e f g "ShinyHunters Offers Stolen Data on Dark Web". Dark Reading. July 28, 2020.
  126. ^ a b c d e f g h i "ShinyHunters leaked over 386 million user records from 18 companies". Security Affairs. July 28, 2020.
  127. ^ "Promo.com data breach impacts 23 million content creators". The Daily Swig | Cybersecurity news and views. July 28, 2020.
  128. ^ Taylor, Charlie. "Irish start-up Glofox investigates possible data breach". The Irish Times. Retrieved January 25, 2021.
  129. ^ Defense, Binary. "Shiny Hunters Group Selling Data Stolen From 11 Different Companies". Retrieved May 27, 2023.
  130. ^ "Shiny Hunters hackers try to sell a host of user records from breaches". MalwareTips Community. May 8, 2020.
  131. ^ "ShinyHunters dump partial database of broker firm Upstox". hackread.com. April 12, 2021.
  132. ^ "Indonesia's Tokopedia probes alleged data leak of 91 mln users". reuters.com. May 3, 2020.
  133. ^ "Wishbone Breach: 40 million Records Leaked on Dark Web". infosecurity-magazine.com. May 22, 2020.
  134. ^ "Wattpad data breach exposes account info for millions of users". July 14, 2020.
  135. ^ "Hacker shares 3.2 million Pluto TV accounts for free on forum". November 14, 2020.
  136. ^ "Hacker leaks full database of 77 million Nitro PDF user records". January 20, 2021.
  137. ^ "Bonobos clothing store suffers a data breach, hacker leaks 70GB database". BleepingComputer. January 22, 2021.
  138. ^ "Hacker leaks 20 million alleged BigBasket user records for free". BleepingComputer. April 25, 2021.
  139. ^ "AT&T says leaked data of 70 million people is not from its systems". March 17, 2024.
  140. ^ "Data of 560 million Ticketmaster customers for sale after alleged breach". May 30, 2024.
  141. ^ "ShinyHunters claims Santander breach, selling data for 30M customers". BleepingComputer. May 31, 2025.
  142. ^ "Twilio Confirms Data Breach After Hackers Leak 33M Authy User Phone Numbers". July 4, 2024.
  143. ^ "Neiman Marcus data breach: 31 million email addresses found exposed". BleepingComputer. July 8, 2024.
  144. ^ "Massive AT&T data breach exposes call logs of 109 million customers". BleepingComputer. July 12, 2024.
  145. ^ "PowerSchool hacker claims they stole data of 62 million students". BleepingComputer. January 22, 2025.
  146. ^ "Legal Aid Agency data breach bigger than originally thought: affects data as far back as 2007". August 21, 2025.
  147. ^ "Qantas confirms data breach impacts 5.7 million customers". BleepingComputer. July 9, 2025.
  148. ^ "Google confirms data breach exposed potential Google Ads customers' info". BleepingComputer. August 9, 2025.
  149. ^ "Massive Allianz Life data breach impacts 1.1 million people". BleepingComputer. August 19, 2025.
  150. ^ "Farmers Insurance data breach impacts 1.1M people after Salesforce attack". BleepingComputer. August 25, 2025.
  151. ^ "TransUnion suffers data breach impacting over 4.4 million people". BleepingComputer. August 28, 2025.
  152. ^ "Exclusive: High-end fashion retailers Gucci, Balenciaga, Brioni, and Alexander McQueen hit by Salesforce attacks". DataBreaches.net. September 11, 2025.
  153. ^ "PornHub extorted after hackers steal Premium member activity data". BleepingComputer. December 15, 2025.
  154. ^ "SoundCloud data breach impacts 29.8 million accounts". BleepingComputer. January 27, 2026.
  155. ^ "Panera Bread breach impacts 5.1 million accounts, not 14 million customers". BleepingComputer. February 2, 2026.
  156. ^ "Data breach at fintech firm Betterment exposes 1.4 million accounts". BleepingComputer. February 5, 2026.
  157. ^ "Odido data breach exposes personal info of 6.2 million customers". BleepingComputer. February 12, 2026.
  158. ^ "Data breach at fintech firm Figure affects nearly 1 million accounts". BleepingComputer. February 18, 2026.
  159. ^ "CarGurus data breach exposes information of 12.4 million accounts". BleepingComputer. February 24, 2026.