Key Takeaways
- ShinyHunters has been active since 2020 and has stolen data from well over a billion people across hundreds of companies spanning every major industry.
- Their attack methods have evolved from database theft to sophisticated voice phishing, OAuth abuse, and supply chain breaches through third-party cloud providers.
- Missing or weak MFA remains the single most common factor in their successful intrusions. It shows up in breach after breach.
- The group operates like a loose, decentralized network, not a fixed team. Arrests slow them down temporarily. Operations resume.
- Victims often do not find out about a breach until the data shows up for sale online, sometimes months or years after the initial access.
ShinyHunters Explained: The Group Behind the World’s Biggest Data Breaches
In May 2024, 560 million Ticketmaster customers had their personal data listed for sale on a dark web forum. The asking price: $500,000. The seller: a group called ShinyHunters. That single breach represented one of the largest exfiltrations of customer data in history. And it was not even close to their only one.
ShinyHunters first appeared in early May 2020 and, within two weeks, had offered for sale on the dark web over 200 million user records stolen from a number of companies. Six years later, they are still active, still breaching major organizations, and still evolving their methods.
This article covers who they are, every major breach they have been linked to, and what organizations can do about it.
Where Did ShinyHunters Come From?
ShinyHunters is a black-hat criminal hacker and extortion group believed to have formed in 2019. The name comes from competitive Pokémon players who hunt for rare color variants of in-game characters. The group borrowed it and applied the same obsessive targeting approach to corporate databases.
Their model from day one has been simple: steal data, demand payment, and publish or sell if the company refuses. Payment does not guarantee data deletion. Multiple organizations that paid the ransom subsequently found their data published anyway. This reputation for breaking its own terms keeps victims afraid, but it also means the group has no track record reliable enough for future victims to feel confident that paying will work.
Who Is Actually Behind the Name?
ShinyHunters does not appear to be a fixed crew. Researchers describe it as more of a brand than a closed group. To date, ShinyHunters’ real identity remains unknown. It is also unclear whether it involves one threat actor or multiple hackers working together. Cybersecurity researchers believe that ShinyHunters might have ties to GnosticPlayers, a well-known hacking group said to have leaked over a billion user records.
The group overlaps significantly with Scattered Spider, also tracked under the names 0ktapus, Muddled Libra, and Starfraud, a financially motivated threat group that uses identical social engineering methodology and frequently operates in coordination with ShinyHunters-affiliated actors.
Multiple arrests over the years have not stopped operations. As numerous threat actors tied to ShinyHunters have been arrested over the past three years, it is unclear if this is the original group or other threat actors claiming to be them to throw off law enforcement.
Every Major ShinyHunters Breach, Year by Year
ShinyHunters, Year by Year
From a debut spree of dating apps and meal kits to coordinated voice phishing of the Fortune 500: a chronological view of the group’s confirmed and attributed breaches.
2020
- A standing start: 500M+ records exposed across more than a dozen companies in a single year, mostly via stolen database dumps sold on dark-web forums.
- Mathway: first confirmed target, a math app used by students. ~25M user records taken.
- Tokopedia (90M), Indonesia’s largest e-commerce platform, and India’s Unacademy (10M), alongside Zoosk, HomeChef, Mindful, Chatbooks and Minted, all listed for sale within two weeks: 200M+ records in 2 weeks.
- Wattpad: database with 270M user records: usernames, real names, hashed passwords, emails, location, gender, date of birth.
- BigBasket data sold for $40,000; 46M Animal Jam records and 3.2M Pluto TV records leaked alongside a 5.22GB Mashable dump.
2021
- The group moves from app databases to infrastructure-grade leaks: PDF tooling, retail backups, and a wireless carrier’s subscriber list that would not be acknowledged for three more years.
- Nitro PDF’s 77M-record database leaked in full. Bonobos’ backup cloud exposed addresses, phone numbers, and 3.5M partial credit-card records.
- AT&T: 70M subscriber records (phone numbers, PII, social security numbers) listed for sale. AT&T did not acknowledge the breach until 2024, a 3-year delay to disclosure.
- Aditya Birla Fashion and Retail: ransom rejected; 5.4M unique email addresses dumped publicly.
2022–23
- An arrest proves operations are resilient, not centralized. The brand continues to ship breaches while one of its members is extradited.
- Sébastien Raoult: French national arrested in Morocco, extradited to the U.S. Sentenced January 2024 to three years and ordered to repay $5M.
- Pizza Hut Australia: over 1M customer records and 30M order records taken; the company later confirmed the breach.
2024
- From well-known to impossible to ignore. ~160 organizations targeted through misconfigured Snowflake environments, accessed via credential stuffing and a supply-chain breach of EPAM Systems.
- Ticketmaster: personal data for 560M customers listed for sale at $500,000, one of the largest customer-data exfiltrations on record.
- AT&T (110M wireless customers) and Santander (30M customers across Chile, Spain and Uruguay) among the named victims of the Snowflake campaign.
- PowerSchool: data on 62.4M students and 9.5M teachers across 6,505 school districts in the U.S., Canada and elsewhere.
2025
- The playbook shifts to voice phishing and SaaS supply chains. A sweeping Salesforce campaign rolls up enterprise giants and luxury houses alike.
- Google, Adidas, Cisco, Qantas, Allianz Life and LVMH subsidiaries (Louis Vuitton, Dior, Tiffany & Co.) all impacted by a coordinated CRM-platform campaign.
- Mixpanel: smishing against Mixpanel employees exposed historical analytics tied to multiple companies; OpenAI confirmed its API users were affected.
- Qantas: approximately 5.7M customer records exposed.
- Harvard University: systems associated with the institution compromised.
- SoundCloud: roughly 29.8M user accounts exposed, about 20% of the platform’s user base.
2026
- By April, ShinyHunters has hit at least 15 companies in four months, with 50M+ records confirmed leaked. Targets now span food delivery, dating apps, fast fashion, and home security.
- Combined extortion against Grubhub; Panera breach via a Microsoft Entra SSO installation: ~5M people, 14M records leaked.
- Hinge, Bumble and OkCupid named alongside Betterment (1.4M accounts), Figure, Canada Goose, UPenn and Harvard.
- ADT: 5.5M individuals’ data taken after an employee’s Okta SSO account was compromised via a voice-phishing call, then used to pivot into the company’s Salesforce instance (vishing → Okta → Salesforce).
- Carnival Corporation alone: 8.7M+ records, including PII and internal data. Pitney Bowes, Canada Life, Aman Resorts and Marcus & Millichap also exposed.
How They Get In
- Stolen credentials and infostealers: old passwords surface in logs, get tried against SaaS portals with no MFA, and work. The dominant 2024 method.
- Voice phishing (vishing): a call that sounds like IT support, a fake portal to “update MFA”, and the employee hands over the codes. The dominant method from 2025 on.
- OAuth abuse and misconfigurations: public-facing Salesforce Experience Cloud sites with over-permissioned guest users, queried via a modified AuraInspector tool. No credentials needed.
- Supply-chain pivots: vendors you trust become the entry point. EPAM in 2024. Mixpanel in 2025. Anodot in the 2026 Rockstar incident.
This is the most complete public record of confirmed and attributed ShinyHunters breaches available. The scope is staggering.
2020: The Debut Year
Mathway: In January 2020, ShinyHunters breached Mathway, stealing roughly 25 million users’ data. A math app used by students was their first confirmed target.
In early May, ShinyHunters claimed credit for stealing over 90 million customer data records from Tokopedia, Indonesia’s largest e-commerce platform. During the same period, they claimed the theft of over 10 million user accounts from the Indian education platform Unacademy.
Their Stage 1 campaign hit the dating app Zoosk (30 million users), meal kit company HomeChef (8 million), wellness site Mindful (2 million), photo printing service Chatbooks (15 million), and design marketplace Minted (5 million).
In July 2020, ShinyHunters gained access to the Wattpad database containing 270 million user records, including usernames, real names, hashed passwords, email addresses, geographic location, gender, and date of birth.
In November 2020, the group compromised the database of Indian online grocery store BigBasket, resulting in the information of over 20 million customers being sold on the dark web for $40,000. ShinyHunters was also responsible for leaking 46 million user records from the popular kids game Animal Jam, and 3.2 million user records from Pluto TV. That same month, they leaked 5.22GB of the Mashable database on a prominent hacker forum.
Total 2020 confirmed exposure: well over 500 million records across more than a dozen companies.
2021: Scaling Up
In January 2021, ShinyHunters published 1.9 million records stolen from photo editing service Pixlr.
Also in January 2021, ShinyHunters leaked the full database of Nitro PDF, which contained 77 million user records. They also leaked the full Bonobos backup cloud database, containing addresses, phone numbers, and order details for 7 million customers, general account information for another 1.8 million registered customers, and 3.5 million partial credit card records and hashed passwords.
In 2021, ShinyHunters began selling information on 70 million AT&T wireless subscribers, containing users’ phone numbers, personal information, and social security numbers. AT&T acknowledged the data breach in 2024.
In December 2021, Indian retailer Aditya Birla Fashion and Retail was breached and ransomed. The ransom demand was allegedly rejected, and data containing 5.4 million unique email addresses was subsequently dumped publicly.
2022 to 2023: Arrests and Continued Operations
In May 2022, French national Sébastien Raoult was arrested in Morocco and extradited to the United States. In January 2024, Raoult was sentenced to three years in prison and ordered to return five million dollars. According to the US Attorney’s Office for the Western District of Washington, he had worked for the group for more than two years.
In September 2023, ShinyHunters claimed to have compromised Pizza Hut Australia, obtaining over 1 million customer records and 30 million order records. Pizza Hut Australia later confirmed the breach.
2024: The Snowflake Campaign
This is the year ShinyHunters went from well-known to impossible to ignore.
In mid-2024, at least 160 organizations were targeted through vulnerabilities in how their Snowflake environments were configured and accessed. Affected companies included AT&T, Ticketmaster/Live Nation, Santander Bank, LendingTree, Advance Auto Parts, Neiman Marcus, and Bausch Health.
ShinyHunters gained access to these Snowflake accounts via credential stuffing and a supply chain breach of EPAM Systems. They breached an EPAM employee’s computer, installed a remote access trojan, and identified customers’ Snowflake credentials stored unencrypted inside Jira.
High-profile victims included Ticketmaster with over 560 million records exposed, AT&T with 110 million wireless customer records, and Santander with 30 million customers across Chile, Spain, and Uruguay.
ShinyHunters has also been linked to the massive PowerSchool data breach where data was stolen for 62.4 million students and 9.5 million teachers for 6,505 school districts across the U.S., Canada, and other countries.
2025: Salesforce, Mixpanel, and the Luxury Sector
The group’s most ambitious campaign surfaced in 2025, with a sweeping attack against Salesforce CRM platforms. This campaign impacted global enterprises including Google, Adidas, Cisco, Qantas Airways, Allianz Life, and LVMH subsidiaries including Louis Vuitton, Dior, and Tiffany and Co.
ShinyHunters breached Mixpanel, a third-party analytics provider, through a smishing attack against Mixpanel employees. The exfiltrated data included historical analytics records tied to multiple companies, with OpenAI confirming its API users were affected.
In July 2025, a cyberattack attributed to ShinyHunters exposed data belonging to approximately 5.7 million customers of Australian airline Qantas. In November 2025, hackers linked to ShinyHunters targeted Harvard University, compromising systems associated with the institution. In December 2025, ShinyHunters was linked to a breach of SoundCloud that exposed personal data from roughly 29.8 million user accounts, representing about 20 percent of the platform’s user base.
The group listed 39 companies on their leak site as extortion targets, including FedEx, Disney and Hulu, Google, Cisco, Toyota, Marriott, Home Depot, and Adidas.
2026: Still Going
In January 2026, several Grubhub data breach incidents were linked to ShinyHunters in a targeted combined extortion. Also in January 2026, Panera Bread was breached, involving around 5 million people and 14 million records leaked to the dark web. The group exploited a Microsoft Entra SSO installation.
Confirmed victims in the early 2026 campaign include Harvard, UPenn, Panera Bread, Match Group including Hinge, Bumble, and OkCupid, Betterment with 1.4 million accounts, SoundCloud with 29.8 million users, Crunchbase, Figure, Canada Goose, and more.
In April 2026, ShinyHunters stole the personal information of 5.5 million individuals after breaching home security giant ADT through an employee’s compromised Okta single sign-on account via a voice phishing attack. This access allowed the attackers to steal data from the company’s Salesforce instance.
ShinyHunters’ most recent targets also include fast fashion giant Zara, convenience store chain 7-Eleven, and cruise line operator Carnival Corporation. Carnival had over 8.7 million records stolen, including customer PII and internal data. Pitney Bowes, Canada Life Assurance Company, Aman Resorts, and Marcus and Millichap were also exposed as part of the group’s Salesforce-focused infiltration campaign.
How ShinyHunters Actually Gets In
Their methods have shifted over time, but one thread runs through almost every breach.
Stolen Credentials and Infostealer Malware
This was the primary method in 2024. The affected Snowflake accounts lacked multi-factor authentication, which allowed the attackers to log in as if they were a legitimate, trusted user. Some of the credentials used in the campaign had been compromised a year prior. Old passwords. No MFA. That combination is practically an open door.
Voice Phishing (Vishing)
This became the dominant approach from 2025 onward. These operations primarily leverage sophisticated voice phishing and victim-branded credential harvesting sites to gain initial access to corporate environments by obtaining single sign-on credentials and multi-factor authentication codes. Once inside, the threat actors target cloud-based SaaS applications to exfiltrate sensitive data and internal communications for use in subsequent extortion demands.
An employee gets a call. The caller sounds like IT support. They ask the employee to log into a fake portal to update their MFA settings. The employee hands over their login. That is enough.
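The two entry paths just described, password-only sign-ins on accounts without MFA (the Snowflake pattern) and vishing that ends with an attacker signing in from a new location and enrolling their own MFA factor, both leave traces in identity-provider sign-in logs. The following is an added detection example, not code from the original article or from any vendor: it runs three checks over a constructed set of sign-in events in an assumed schema (ts, user, event, ip, mfa) modelled loosely on IdP system logs. The event names, thresholds and sample data are all assumptions.

```python
"""
Added example (not from the original article): detections a defender can run over
identity-provider sign-in events to catch the entry paths described above.

  1. password_only_logins: successful sign-ins with no second factor.
  2. stuffing_sources: one source IP attempting many distinct accounts in a short
     window (credential stuffing against a portal with no MFA).
  3. factor_change_near_new_ip: an MFA factor reset or enrollment within minutes of
     a sign-in from an IP that user has never used (the post-vishing takeover).

The event schema and event names are assumptions; the events are constructed data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FACTOR_EVENTS = {"mfa.factor.reset", "mfa.factor.enroll"}

# Constructed sample events (ISO-8601 UTC). Field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2026-04-01T09:00:00", "user": "alice", "event": "login.success", "ip": "203.0.113.10", "mfa": True},
    {"ts": "2026-04-01T09:05:00", "user": "bob",   "event": "login.success", "ip": "203.0.113.11", "mfa": True},
    # Credential stuffing: one IP, many accounts, and the one that worked had no MFA.
    {"ts": "2026-04-01T10:00:00", "user": "carol", "event": "login.failure", "ip": "198.51.100.7", "mfa": False},
    {"ts": "2026-04-01T10:00:05", "user": "dave",  "event": "login.failure", "ip": "198.51.100.7", "mfa": False},
    {"ts": "2026-04-01T10:00:09", "user": "erin",  "event": "login.failure", "ip": "198.51.100.7", "mfa": False},
    {"ts": "2026-04-01T10:00:14", "user": "svc_snowflake", "event": "login.success", "ip": "198.51.100.7", "mfa": False},
    # Post-vishing takeover: sign-in from an IP alice has never used, then a new factor enrolled.
    {"ts": "2026-04-01T14:06:00", "user": "alice", "event": "login.success", "ip": "192.0.2.55", "mfa": True},
    {"ts": "2026-04-01T14:09:00", "user": "alice", "event": "mfa.factor.enroll", "ip": "192.0.2.55"},
]


def parse(events):
    """Return a copy of the events with parsed timestamps, in chronological order."""
    out = []
    for e in events:
        e = dict(e)
        e["ts"] = datetime.fromisoformat(e["ts"])
        out.append(e)
    return sorted(out, key=lambda e: e["ts"])


def password_only_logins(events):
    """Successful sign-ins that were not protected by a second factor."""
    return [e for e in parse(events)
            if e["event"] == "login.success" and not e.get("mfa", False)]


def stuffing_sources(events, min_accounts=3, window=timedelta(minutes=5)):
    """Source IPs that attempted >= min_accounts distinct accounts within `window`."""
    by_ip = defaultdict(list)
    for e in parse(events):
        if e["event"].startswith("login."):
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        for i, start in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged


def factor_change_near_new_ip(events, window=timedelta(minutes=15)):
    """Factor reset/enrollment within +/- `window` of a sign-in from an IP new to that user.

    The first IP ever seen for a user counts as new, so in production the `known`
    map should be seeded from historical sign-ins rather than from the same batch.
    """
    evs = parse(events)
    known = defaultdict(set)   # user -> IPs seen on earlier successful sign-ins
    new_ip_logins = []
    for e in evs:
        if e["event"] == "login.success":
            if e["ip"] not in known[e["user"]]:
                new_ip_logins.append(e)
            known[e["user"]].add(e["ip"])
    alerts = []
    for f in evs:
        if f["event"] not in FACTOR_EVENTS:
            continue
        for l in new_ip_logins:
            if l["user"] == f["user"] and abs(f["ts"] - l["ts"]) <= window:
                alerts.append((f["user"], l["ip"], f["event"]))
    return alerts


if __name__ == "__main__":
    for e in password_only_logins(SAMPLE_EVENTS):
        print(f"NO-MFA LOGIN  user={e['user']} ip={e['ip']} at {e['ts']}")
    for ip, users in stuffing_sources(SAMPLE_EVENTS).items():
        print(f"STUFFING      ip={ip} accounts={users}")
    for user, ip, event in factor_change_near_new_ip(SAMPLE_EVENTS):
        print(f"TAKEOVER?     user={user} new_ip={ip} followed by {event}")
```

The three checks are deliberately independent so each can be tuned on its own: the stuffing threshold and window depend on how busy a portal is, while the factor-change window should stay short, because the attacker enrolling a device right after a sign-in from an unfamiliar address is the whole signal.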
OAuth App Abuse and Salesforce Misconfigurations
In the 2026 Salesforce campaign, ShinyHunters systematically scanned publicly accessible Salesforce Experience Cloud sites for misconfigured guest user permissions. Using a modified version of the legitimate AuraInspector tool, they queried CRM data through exposed API endpoints without authentication.
No stolen credentials needed: just a misconfigured guest user permission in Salesforce Experience Cloud, a setting that is notoriously easy to overlook in complex CRM environments and rarely audited in real time.
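The defensive counterpart to the guest-user misconfiguration above is a routine audit of what the site’s guest profile can read. The following is an added example, not code from the original article or from Salesforce: it checks an exported set of guest-profile object permissions against a list of objects that should never be exposed to unauthenticated users. The export format is an assumption (rows carrying the same field names as Salesforce’s ObjectPermissions object: SObjectType, PermissionsRead, PermissionsViewAllRecords, plus a key for the org-level “Secure guest user record access” setting); the rows and the sensitive-object list are constructed.

```python
"""
Added example (not from the original article or from Salesforce): a least-privilege
audit of a site's guest user profile. Input is an assumed export format whose rows
mirror the ObjectPermissions field names; the data below is constructed.
"""

# Objects an unauthenticated guest should never be able to read. Assumed list;
# tune it to the org's data model (custom objects holding PII belong here too).
SENSITIVE_OBJECTS = {"Contact", "Lead", "Account", "Case", "Opportunity", "User"}

# Constructed sample export for one guest profile.
SAMPLE_GUEST_EXPORT = {
    "profile": "Customer Community Guest",
    "secure_guest_record_access": False,   # assumed key for the org-level sharing setting
    "object_permissions": [
        {"SObjectType": "Knowledge__kav", "PermissionsRead": True,  "PermissionsViewAllRecords": False},
        {"SObjectType": "Contact",        "PermissionsRead": True,  "PermissionsViewAllRecords": True},
        {"SObjectType": "Case",           "PermissionsRead": True,  "PermissionsViewAllRecords": False},
        {"SObjectType": "Opportunity",    "PermissionsRead": False, "PermissionsViewAllRecords": False},
    ],
}

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "info": 0}


def audit_guest_profile(export, sensitive=SENSITIVE_OBJECTS):
    """Return findings for a guest profile export, worst object-level grants first."""
    findings = []
    # Org-level setting: when disabled, guests can be granted record access beyond
    # what guest sharing rules allow, so every object grant below is more dangerous.
    if not export.get("secure_guest_record_access", False):
        findings.append({"severity": "high", "object": None,
                         "issue": "Secure guest user record access is disabled"})
    for row in export["object_permissions"]:
        obj = row["SObjectType"]
        if obj not in sensitive or not row.get("PermissionsRead", False):
            continue   # public knowledge articles etc. are fine; no Read means no exposure
        if row.get("PermissionsViewAllRecords", False):
            findings.append({"severity": "critical", "object": obj,
                             "issue": "guest has Read + View All Records; every record is "
                                      "queryable without authentication"})
        else:
            findings.append({"severity": "high", "object": obj,
                             "issue": "guest has Read on a sensitive object; confirm guest "
                                      "sharing rules expose no records"})
    return findings


def worst_severity(findings):
    """Highest severity present, or 'info' when the profile is clean."""
    if not findings:
        return "info"
    return max((f["severity"] for f in findings), key=SEVERITY_RANK.__getitem__)


if __name__ == "__main__":
    results = audit_guest_profile(SAMPLE_GUEST_EXPORT)
    print(f"{SAMPLE_GUEST_EXPORT['profile']}: worst={worst_severity(results)}")
    for f in results:
        print(f"  [{f['severity']}] {f['object'] or 'org setting'}: {f['issue']}")
```

Run against a real export, the useful output is the “critical” class: a sensitive object with both Read and View All Records is exactly the state in which an unauthenticated API endpoint returns everything, regardless of how the site’s pages are built.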
Supply Chain Attacks
The April 2026 Rockstar breach used Anodot, a cloud analytics provider, as the entry point. Compromised connectors gave attackers a backdoor into the data warehouse. The attack unfolded over a 10-day window and exposed fundamental weaknesses in third-party cloud security.
They do not always come for you directly. Sometimes they come through a vendor you trust.
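A compromised vendor connector keeps its valid credentials, so the signal a defender has is behavioural: the integration account suddenly reading far more than it ever has, or touching tables it never touched before. The following is an added example, not code from the original article or from Snowflake, Anodot or any vendor: it baselines each service account’s daily read volume from constructed access-history rows in an assumed schema (day, account, table, rows_read) and flags deviations. The multiplier and history length are assumptions to tune per environment.

```python
"""
Added example (not from the original article): a volume and scope baseline for
third-party integration service accounts reading from a data warehouse. Rows are
constructed sample data in an assumed (day, account, table, rows_read) schema.
"""
from collections import defaultdict
from statistics import median

# Constructed access history: one connector with a stable pattern that spikes on
# day 8 and reaches a table it never read before; one dashboard account that is flat.
SAMPLE_ACCESS_HISTORY = [
    *[(f"2026-04-{d:02d}", "analytics_connector", "SALES.ORDERS", 10_000 + 300 * d) for d in range(1, 8)],
    *[(f"2026-04-{d:02d}", "bi_dashboard", "SALES.ORDERS", 50_000) for d in range(1, 9)],
    ("2026-04-08", "analytics_connector", "SALES.ORDERS", 900_000),
    ("2026-04-08", "analytics_connector", "CRM.CUSTOMERS", 500_000),
]


def daily_totals(history):
    """Aggregate rows read and tables touched per account per day."""
    totals = defaultdict(lambda: defaultdict(int))   # account -> day -> rows read
    tables = defaultdict(lambda: defaultdict(set))   # account -> day -> tables touched
    for day, acct, table, rows in history:
        totals[acct][day] += rows
        tables[acct][day].add(table)
    return totals, tables


def connector_anomalies(history, multiplier=5, min_history_days=5):
    """Flag days where an account reads > multiplier x its median prior daily volume,
    or reads a table absent from all of its prior days.

    Returns tuples (account, day, kind, value, baseline); kind is "volume" or "new_table".
    Days with fewer than min_history_days of prior history are skipped (no baseline yet).
    """
    totals, tables = daily_totals(history)
    alerts = []
    for acct in totals:
        days = sorted(totals[acct])
        for i, day in enumerate(days):
            prior = days[:i]
            if len(prior) < min_history_days:
                continue
            baseline = median(totals[acct][d] for d in prior)
            today = totals[acct][day]
            if today > multiplier * baseline:
                alerts.append((acct, day, "volume", today, baseline))
            seen = set().union(*(tables[acct][d] for d in prior))
            for t in sorted(tables[acct][day] - seen):
                alerts.append((acct, day, "new_table", t, None))
    return alerts


if __name__ == "__main__":
    for acct, day, kind, value, baseline in connector_anomalies(SAMPLE_ACCESS_HISTORY):
        extra = f" (baseline {baseline})" if baseline is not None else ""
        print(f"{day} {acct}: {kind} = {value}{extra}")
```

A median rather than a mean keeps one earlier noisy day from inflating the baseline, and the new-table check is worth keeping even when volume looks normal: a connector that only ever needed order totals has no reason to start reading customer records at all.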
How Secure.com Helps You Stay Ahead of Groups Like ShinyHunters
ShinyHunters wins because most organizations do not find out they have been breached until the data is already for sale. Secure.com is built to close that gap.
Secure.com’s Digital Security Teammates monitor your environment around the clock, augmenting your team’s ability to catch threats before they turn into headlines.
Here is what that looks like in practice:
- Continuous monitoring of connected SaaS apps and cloud integrations for unauthorized access, with real-time alerts when credentials are compromised or unusual login behavior is detected.
- Automated detection of over-permissioned accounts and risky OAuth connections, with findings routed to your team for review and action.
- Threat intelligence enrichment that flags credential exposure tied to known groups like ShinyHunters.
- 24/7 monitoring that augments your team’s capacity, ensuring critical signals are surfaced even outside business hours.
ShinyHunters is not waiting for business hours. Neither is Secure.com.
Conclusion
ShinyHunters did not stay in a lane. They started with basic database theft, evolved into supply chain attacks, built ransomware-as-a-service infrastructure, and are now running coordinated voice phishing campaigns against Fortune 500 companies. The target list spans e-commerce, airlines, banks, universities, luxury brands, food delivery apps, home security companies, and government-adjacent institutions.
The one thing that has not changed is the vulnerability they keep exploiting: organizations that assume their perimeter is secure while leaving their identities, SaaS configurations, and third-party integrations unmonitored and unmanaged.
ShinyHunters has hit at least 15 companies since January 2026 alone, with over 50 million records confirmed leaked. More are coming. If you want to understand your exposure before a group like ShinyHunters finds it first, that is exactly what Secure.com’s Digital Security Teammates are built for—continuous asset discovery, real-time misconfiguration detection, and automated threat correlation that keeps your team ahead of evolving attack methods.
FAQs
Are ShinyHunters still active in 2026?
Yes. In 2026, ShinyHunters executed another widespread data theft of Snowflake-related customers through the third-party integrator Anodot. Snowflake confirmed the incident and is actively notifying potentially impacted customers. The group also hit ADT, Panera, Carnival Corporation, Zara, and multiple other organizations in the same year.
How does ShinyHunters get access to company data?
They use a combination of stolen passwords, infostealer malware, voice phishing calls, misconfigured SaaS permissions, and supply chain breaches. ShinyHunters starts by identifying companies using Microsoft Office 365, looks for GitHub authorization tokens stored insecurely, and then identifies research and development employees to target in further attacks.
Why do companies keep getting breached the same way?
The Ticketmaster breach and related incidents underscore the importance of adopting a Zero Trust architecture. Organizations continue to neglect integrating SaaS application security into their overall security strategies, leaving static credentials exposed to attackers.
What happens after ShinyHunters steals data?
ShinyHunters employs a delayed extortion model. After exfiltrating data, ransom demands ranging from $400,000 to $2.3 million are issued weeks later. If the company refuses to pay, the data gets published or sold on hacker forums. And as noted, even companies that paid have later found their data leaked anyway.
How can I check if my data was exposed in a ShinyHunters breach?
The most reliable tool is Have I Been Pwned at haveibeenpwned.com. Enter your email address and the site will show you which confirmed breaches your data has appeared in. Several ShinyHunters breaches are now indexed there, including SoundCloud with 29.8 million accounts and Panera Bread with 5.1 million email addresses confirmed.