ShinyHunters
Description
(ZeroFOX) ShinyHunters is taking a page out of the book of Gnosticplayers, the breach data broker who in 2018-2019 pilfered billions of records from dozens of companies and sold them online. Due to the verification of the Tokopedia breach by multiple researchers and the company itself, ZeroFOX Alpha Team has HIGH confidence that these new breaches are legitimate, and will most likely be available on other breach marketplaces at lower prices in the near future. It is likely that this actor will continue to breach companies and post their content for sale. These tactics proved both successful and profitable for gnosticplayers, and it is likely they will continue to appeal to other breach brokers for these reasons.
Around July 2025, ShinyHunters teamed up or merged with Subgroup: Scattered Spider. They share their Telegram channel also with Lapsus$, so they may all work together now – see the DataBreaches.net references in the Information section below.
Names
| Name | Name-Giver |
|---|---|
| ShinyHunters | self given |
Country
Motivation
- Financial gain
First Seen
2020
Operations
- 2020-01: Hacker leaks 40 million user records from popular Wishbone app https://www.zdnet.com/article/hacker-selling-40-million-user-records-from-popular-wishbone-app/
- 2020-01: 25 million user records leak online from popular math app Mathway https://www.zdnet.com/article/25-million-user-records-leak-online-from-popular-math-app-mathway/
- 2020-03: Hacker leaks 15 million records from Tokopedia, Indonesia’s largest online store https://www.zdnet.com/article/hacker-leaks-15-million-records-from-tokopedia-indonesias-largest-online-store/
- 2020-03: A hacker claims to have stolen over 500GB of data from Microsoft’s private GitHub repositories, BleepingComputer has learned. https://www.bleepingcomputer.com/news/security/microsofts-github-account-hacked-private-repositories-stolen/
- 2020-03: Hackers sell stolen user data from HomeChef, ChatBooks, and Chronicle https://www.bleepingcomputer.com/news/security/hackers-sell-stolen-user-data-from-homechef-chatbooks-and-chronicle/
- 2020-05: Online learning platform Unacademy has suffered a data breach after a hacker gained access to their database and started selling the account information for close to 22 million users. https://www.bleepingcomputer.com/news/security/hacker-sells-22-million-unacademy-user-records-after-data-breach/
- 2020-06: Havenly discloses data breach after 1.3M accounts leaked online https://www.bleepingcomputer.com/news/security/havenly-discloses-data-breach-after-13m-accounts-leaked-online/
- 2020-07: An allegedly stolen Wattpad database containing 270 million records were being sold in private sales for over $100,000. Now it is being offered for free on hacker forums. https://www.bleepingcomputer.com/news/security/wattpad-data-breach-exposes-account-info-for-millions-of-users/
- 2020-07: Tech unicorn Dave admits to security breach impacting 7.5 million users https://www.zdnet.com/article/tech-unicorn-dave-admits-to-security-breach-impacting-7-5-million-users/
- 2020-07: Promo.com discloses data breach after 22M user records leaked online https://www.bleepingcomputer.com/news/security/promocom-discloses-data-breach-after-22m-user-records-leaked-online/
- 2020-11: ShinyHunters hacker leaks 5.22GB worth of Mashable.com database https://www.hackread.com/shinyhunters-hacker-leaks-mashable-database/
- 2020-11: Popular stock photo service hit by data breach, 8.3M records for sale https://www.bleepingcomputer.com/news/security/popular-stock-photo-service-hit-by-data-breach-83m-records-for-sale/
- 2020-11: Hacker posts 1.9 million Pixlr user records for free on forum https://www.bleepingcomputer.com/news/security/hacker-posts-19-million-pixlr-user-records-for-free-on-forum/
- 2021-01: Hacker leaks full database of 77 million Nitro PDF user records https://www.bleepingcomputer.com/news/security/hacker-leaks-full-database-of-77-million-nitro-pdf-user-records/
- 2021-01: Hacker leaks data of millions of Teespring users https://www.zdnet.com/article/hacker-leaks-data-of-millions-of-teespring-users/
- 2021-01: Bonobos clothing store suffers a data breach, hacker leaks 70GB database https://www.bleepingcomputer.com/news/security/bonobos-clothing-store-suffers-a-data-breach-hacker-leaks-70gb-database/
- 2021-01: Hacker leaks data of 2.28 million dating site users https://www.zdnet.com/article/hacker-leaks-data-of-2-28-million-dating-site-users/ https://www.riskbasedsecurity.com/2021/01/25/shinyhunters-wave-3-one-hacker-exposes-over-125-million-credentials/
- 2021-04: Shifting Strategies: ShinyHunters and Known Cyber Threat Actors Change Tactics https://www.riskbasedsecurity.com/2021/04/21/shifting-strategies-shinyhunters-and-known-cyber-threat-actors-change-tactics/
- 2021-04: ShinyHunters dump partial database of broker firm Upstox https://www.hackread.com/shinyhunters-broker-firm-upstox-database-leak/
- 2021-04: Hacker leaks 20 million alleged BigBasket user records for free https://www.bleepingcomputer.com/news/security/hacker-leaks-20-million-alleged-bigbasket-user-records-for-free/
- 2021-05: ShinyHunters leak database of Indian wedding portal WedMeGood https://www.hackread.com/shinyhunters-leak-india-wedmegood-database/
- 2021-08: AT&T denies data breach after hacker auctions 70 million user database https://www.bleepingcomputer.com/news/security/atandt-denies-data-breach-after-hacker-auctions-70-million-user-database/ https://www.bleepingcomputer.com/news/security/atandt-confirms-data-for-73-million-customers-leaked-on-hacker-forum/
- 2021-12: This time, the victim is a Fortune India 500 List company: Mumbai-headquartered Aditya Birla Group (ABG). https://www.databreaches.net/major-indian-fashion-retailer-hacked-and-data-leaked/
- 2023-06: BreachForums Returns Under the Control of ShinyHunters Hackers https://www.hackread.com/breachforums-returns-with-shinyhunters-hackers/ https://www.databreaches.net/confused-about-the-drama-with-the-new-breachforums-reading-this-will-either-help-you-or-make-your-head-spin/
- 2023-08: Pizza Hut Australia customer data hacked; ShinyHunters claims to have more than 1 million customers’ information https://www.databreaches.net/pizza-hut-australia-customer-data-hacked-shinyhunters-claims-to-have-more-than-1-million-customers-information/
- 2024-04: Massive AT&T data breach exposes call logs of 109 million customers https://www.bleepingcomputer.com/news/security/massive-atandt-data-breach-exposes-call-logs-of-109-million-customers/
- 2024-04: Advance Auto Parts data breach impacts 2.3 million people https://www.bleepingcomputer.com/news/security/advance-auto-parts-data-breach-impacts-23-million-people/
- 2025-05: Neiman Marcus data breach: 31 million email addresses found exposed https://www.bleepingcomputer.com/news/security/neiman-marcus-data-breach-31-million-email-addresses-found-exposed/
- 2024-05: ShinyHunters claims Santander breach, selling data for 30M customers https://www.bleepingcomputer.com/news/security/shinyhunters-claims-santander-breach-selling-data-for-30m-customers/
- 2024-05: Data of 560 million Ticketmaster customers for sale after alleged breach https://www.bleepingcomputer.com/news/security/data-of-560-million-ticketmaster-customers-for-sale-after-alleged-breach/
- 2024-05: BreachForums Returns Just Weeks After FBI Seizure - Honeypot or Blunder? https://thehackernews.com/2024/05/breachforums-returns-just-weeks-after.html
- 2024-06: Cylance confirms data breach linked to ‘third-party’ platform https://www.bleepingcomputer.com/news/security/cylance-confirms-data-breach-linked-to-third-party-platform/
- 2024-12: PowerSchool hacker now extorting individual school districts https://www.bleepingcomputer.com/news/security/powerschool-hacker-now-extorting-individual-school-districts/
- 2025-01: Dior begins sending data breach notifications to U.S. customers https://www.bleepingcomputer.com/news/security/dior-begins-sending-data-breach-notifications-to-us-customers/
- 2025-05: Now it’s Tiffany: Another LVMH luxury brand hit by hackers https://databreaches.net/2025/05/26/now-its-tiffany-another-lvmh-luxury-brand-hit-by-hackers/
- 2025-05: Adidas Data Breach Linked to Third-Party Vendor https://www.securityweek.com/adidas-data-breach-linked-to-third-party-vendor/
- 2025-06: Google: Hackers target Salesforce accounts in data extortion attacks https://www.bleepingcomputer.com/news/security/google-hackers-target-salesforce-accounts-in-data-extortion-attacks/ https://www.bleepingcomputer.com/news/security/shinyhunters-behind-salesforce-data-theft-attacks-at-qantas-allianz-life-and-lvmh/
- 2025-06: Allianz Life confirms data breach impacts majority of 1.4 million customers https://www.bleepingcomputer.com/news/security/allianz-life-confirms-data-breach-impacts-majority-of-14-million-customers/
- 2025-06: Fashion giant Chanel hit in wave of Salesforce data theft attacks https://www.bleepingcomputer.com/news/security/fashion-giant-chanel-hit-in-wave-of-salesforce-data-theft-attacks/
- 2025-06: Louis Vuitton says regional data breaches tied to same cyberattack https://www.bleepingcomputer.com/news/security/louis-vuitton-says-regional-data-breaches-tied-to-same-cyberattack/
- 2025-06: Pandora confirms data breach amid ongoing Salesforce data theft attacks https://www.bleepingcomputer.com/news/security/pandora-confirms-data-breach-amid-ongoing-salesforce-data-theft-attacks/
- 2025-06: Google suffers data breach in ongoing Salesforce data theft attacks https://www.bleepingcomputer.com/news/security/google-suffers-data-breach-in-ongoing-salesforce-data-theft-attacks/
- 2025-06: Air France and KLM disclose data breaches impacting customers https://www.bleepingcomputer.com/news/security/air-france-and-klm-disclose-data-breaches-impacting-customers/
- 2025-07: BreachForums Resurfaces on Original Dark Web (.onion) Address https://hackread.com/breachforums-resurface-original-dark-web-onion-address/
- 2025-08: Updating: Two Telegram channels and two accounts banned, one bounty offered, and BreachForums goes down https://databreaches.net/2025/08/12/updating-two-telegram-channels-and-two-accounts-banned-one-bounty-offered-and-breachforums-goes-down/
Counter Operations
- 2022-06: Alleged member of ShinyHunters held in Morocco on Interpol Red Notice, U.S. seeking extradition https://www.databreaches.net/alleged-member-of-shinyhunters-held-in-morocco-on-interpol-red-notice-u-s-seeking-extradition-reports/
- 2023-09: French cybercriminal pleads guilty to fraud and aggravated identity theft for hacking private information https://www.justice.gov/usao-wdwa/pr/french-cybercriminal-pleads-guilty-fraud-and-aggravated-identity-theft-hacking-private
- 2024-01: ShinyHunters member gets 3 years in prison for breaching 60 firms https://www.bleepingcomputer.com/news/security/shinyhunters-member-gets-3-years-in-prison-for-breaching-60-firms/
- 2024-05: FBI seize BreachForums hacking forum used to leak stolen data https://www.bleepingcomputer.com/news/security/fbi-seize-breachforums-hacking-forum-used-to-leak-stolen-data/
- 2025-06: BreachForums hacking forum operators reportedly arrested in France https://www.bleepingcomputer.com/news/security/breachforums-hacking-forum-operators-reportedly-arrested-in-france/
Information
- https://www.zerofox.com/blog/shinyhunters-breach/
- https://www.bleepingcomputer.com/news/security/hacker-group-floods-dark-web-with-data-stolen-from-11-companies/
- https://www.zdnet.com/article/a-hacker-group-is-selling-more-than-73-million-user-records-on-the-dark-web/
- https://www.bleepingcomputer.com/news/security/hacker-leaks-386-million-user-records-from-18-companies-for-free/
- https://www.bankinfosecurity.com/anatomy-breach-criminal-data-brokers-hit-dave-a-14715
- https://www.bankinfosecurity.com/blogs/data-breaches-shinyhunters-dominance-continues-p-2998
- https://www.helpnetsecurity.com/2024/03/07/shinyhunters-group/
- https://unit42.paloaltonetworks.com/shinyhunters-ransomware-extortion/
- https://databreaches.net/2025/08/03/are-scattered-spider-and-shinyhunters-one-group-or-two-and-who-did-france-arrest/
- https://databreaches.net/2025/08/05/scattered-spider-is-not-quiet-theyre-just-under-another-name-now/
- https://databreaches.net/2025/08/08/shinyhunters-sent-google-an-extortion-demand-shiny-comments-on-current-activities/
- https://databreaches.net/2025/08/09/scattered-spider-has-a-new-telegram-channel-to-list-its-attacks/
- https://reliaquest.com/blog/threat-spotlight-shinyhunters-data-breach-targets-salesforce-amid-scattered-spider-collaboration/
Other Information
Uuid
92cc31c7-3c18-4ae2-9f9b-649b6cb029e1
Last Card Change
2025-08-16