my-server
← Wiki

ShinyHunters

ShinyHunters is a black-hat criminal hacker and extortion group that is believed to have formed in 2019, and is said to have been involved in a significant amount of data breaches. The group has built a reputation of "pay or leak"; they often extort the company they've hacked, and if the company does not pay the ransom the stolen information is very often leaked or sold on the dark web.

ShinyHunters forged a cybercrime collective with Scattered Spider and Lapsus$ in 2025, which has created at least 16 Telegram channels since August 8, 2025.

Name and alias

The name of the group is believed to be derived from Shiny Pokémon, an aspect of the Pokémon video game franchise where Pokémon have a rare chance of being encountered in an alternate, "shiny" color scheme; players who actively try to collect such Pokémon through in-game strategies are often referred to as "shiny hunters".

Notable data breaches

2020

  • Mathway: In January 2020, ShinyHunters breached Mathway, stealing roughly 25 million users' data. Mathway is a popular math app for students that helps solve algebraic equations.
  • Tokopedia: On 2 May 2020 Tokopedia was breached by ShinyHunters, which claimed to have data for 91 million user accounts, revealing users' gender, location, username, full name, email address, phone number, and hashed passwords.
  • Wishbone: Also in May 2020, ShinyHunters leaked the full user database of Wishbone, which is said to contain personal information such as usernames, emails, phone numbers, city/state/country of residence, and hashed passwords.
  • Microsoft: In May 2020, ShinyHunters also claimed to have stolen over 500 GB of Microsoft source code from the company's private GitHub account. The group published around 1GB of data from the hacked GitHub account to a hacking forum. Some cybersecurity experts doubted the claims until analyzing the code; upon analysis, ShinyHunters' claims were no longer in question. Microsoft told Wired in a statement that they are aware of the breach. Microsoft later secured their GitHub account, which was confirmed by ShinyHunters as they reported being unable to access any repositories.
  • Wattpad: In July 2020, ShinyHunters gained access to the Wattpad database containing 270 million user records. Information leaked included usernames, real names, hashed passwords, email addresses, geographic location, gender, and date of birth.
  • Pluto TV: In November 2020, it was reported that ShinyHunters gained access to the personal data of 3.2 million Pluto TV users. The hacked data included users' display names, email addresses, IP addresses, hashed passwords and dates of birth.
  • Animal Jam: It was also reported in November 2020 that ShinyHunters was behind the hack of Animal Jam, leading to the exposure of 46 million accounts.
  • Mashable: In November 2020, ShinyHunters leaked 5.22GB worth of the Mashable database on a prominent hacker forum.

2021

  • Pixlr: In January 2021, ShinyHunters leaked 1.9 million user records from Pixlr.
  • Nitro PDF: In January 2021, a hacker claiming to be a part of ShinyHunters leaked the full database of Nitro PDF — which contains 77 million user records — on a hacker forum for free.
  • Bonobos: In January 2021 it was reported that ShinyHunters leaked the full Bonobos backup cloud database to a hacker forum. The database is said to contain the address, phone numbers, and order details for 7 million customers; general account information for another 1.8 million registered customers; and 3.5 million partial credit card records and hashed passwords.
  • AT&T Wireless: In 2021, ShinyHunters began selling information on 70 million AT&T wireless subscribers, which contained users' phone numbers, personal information and social security numbers. AT&T acknowledged the data breach in 2024.
  • Aditya Birla Fashion and Retail: In December 2021, Indian retailer Aditya Birla Fashion and Retail was breached and ransomed. The ransom demand was allegedly rejected and data containing 5.4 million unique email addresses were subsequently dumped publicly on a popular hacking forum the next month. The data contained extensive personal customer information including names, phone numbers, physical addresses, birth dates, order histories and passwords stored as MD5 hashes

2023

  • Pizza Hut Australia: In September 2023, ShinyHunters claimed to have more than 1 million customer data and 30 million order records of Pizza Hut Australia compromised. Pizza Hut Australia later acknowledged and confirmed the data breach.

2024

  • AT&T Wireless (again, 2): In April 2024, the ShinyHunters cyber criminal group hacked AT&T Wireless and stole data on over 110 million customers. In May, AT&T paid a $370,000 ransom to one of the group's members to delete the data.
  • Santander: On May 30, 2024, Santander was breached by ShinyHunters, which resulted in all Santander staff and '30 million' customers in Spain, Chile and Uruguay compromised.
  • Ticketmaster: The ShinyHunters cybercriminal group have claimed responsibility for breaching Ticketmaster via the Snowflake campaign.
  • PowerSchool: In December 2024, education-software vendor PowerSchool was breached; the attacker demanded $2.85 million and the company paid a ransom to prevent release of stolen student/teacher data. In early May 2025, new extortion emails began hitting individual school districts that were customers of PowerSchool, with outlets reporting attempts to leverage the stolen data from an earlier, unrelated first PowerSchool breach (Sep 2024) identified by CrowdStrike. One message shared with DataBreaches.net opened, "Hello, we are ShinyHunters," demanding payment from North Carolina authorities, though the publication cautioned it could not authenticate the sender's identity. Bleeping Computer likewise reported that someone claiming to be ShinyHunters was extorting districts/customers of PowerSchool, while a person identifying as the group's leader told the outlet the culprit was an affiliate impersonating them.

2025

  • Legal Aid Agency (U.K. Ministry of Justice): The Ministry of Justice disclosed on 22 May 2025 (updated 4 September 2025) that the Legal Aid Agency (LAA) suffered a cyber incident affecting applicants who used its digital service from 2007 until systems were taken offline on 16 May 2025; the MoJ has not named a culprit and says investigations are ongoing. In August 2025, multiple outlets reported that a group using the ShinyHunters name posted on Telegram (Scattered LAPSUS$ Hunters ) claiming responsibility and threatening to leak LAA data unless a member was freed; The Times and The Law Society Gazette covered the claim while noting authorities had not verified the posts and that the deadline passed without a leak.
  • LVMH (Louis Vuitton, Dior, Tiffany & Co.): In mid-2025, luxury conglomerate LVMH confirmed that several of its brands – including Louis Vuitton, Dior, and Tiffany & Co. – experienced unauthorized access to a customer information database managed by a third-party platform. While each subsidiary disclosed limited details (Tiffany & Co.'s Korean unit noted a "vendor platform" was breached), investigators later tied these incidents to the ShinyHunters Salesforce data-theft campaign. The threat actors privately extorted the firms via email (using the ShinyHunters name) and were ultimately identified as part of the UNC6040/UNC6240 clusters described by Google.
  • Google: On June 4, 2025, Google Threat Intelligence Group (GTIG) reported on UNC6040, a cluster of voice-phishing campaigns targeting organizations' Salesforce instances. The attackers used modified versions of Data Loader to export Salesforce data and subsequently extort the victims. GTIG attributed the activity to ShinyHunters. According to DataBreaches.net, ShinyHunters have merged with Scattered Spider. On August 5, 2025, Google confirmed that a corporate Salesforce instance of Google's containing contact information and notes for small and medium-sized businesses had been compromised by UNC6040/ShinyHunters activity.
  • Qantas: In July 2025, Australian airline Qantas suffered a cyberattack that exposed data of approximately 5.7 million customers. Initially attributed to Scattered Spider by multiple professional security researchers and journalists. Later confirmed to be the work of the ShinyHunters cybercriminal group. According to DataBreaches.net and many others journalists/security researchers, ShinyHunters have merged with Scattered Spider.
  • Jaguar Land Rover: On September 2, 2025, Jaguar Land Rover (JLR) disclosed a cyber incident and proactively shut down systems, causing severe disruption to production and retail operations. In the days that followed, outlets reported that a ShinyHunters/Scattered Spider–aligned collective claimed responsibility; JLR said there was no evidence of customer data theft at that time and notified the UK ICO.
  • Kering: In September 2025, ShinyHunters was linked to a major data breach affected Kering, the French luxury goods group that owns brands such as Gucci, Balenciaga, and Alexander McQueen. ShinyHunters claimed to have stolen personal data from Balenciaga, Gucci, Brioni, and Alexander McQueen. The group claimed they compromised 43,483,137 million records exclusively from Gucci and approximately 7.4 million unique customer records across Balenciaga, Brioni, and Alexander McQueen. The data included not limited to, names, email addresses, phone numbers, physical addresses, and total spend amounts from luxury store purchases. Kering confirmed the incident, stating that an unauthorized third party accessed limited customer information and that no financial data (such as credit card or bank info) was compromised. ShinyHunters reportedly attempted to extort the company flowing the breach, which was identified in June 2025 and publicly disclosed months later.
  • University of Pennsylvania (Penn): In November 2025, hackers associated with the ShinyHunters cyber crime organization targeted Penn in which it experienced a significant data breach, likely affecting over 1 million individuals, including students, alumni, and donors.
  • Princeton University: In November 2025, hackers associated with the ShinyHunters cyber crime organization targeted Princeton University.
  • Harvard University: In late November 2025, hackers associated with the ShinyHunters cyber crime organization targeted Harvard University.
  • Pornhub: In December 2025, ShinyHunters claimed responsibility for the Pornhub breach affected by the Mixpanel campaign. ShinyHunters claimed 94 GB of historical analytics data containing over 200 million records of Pornhub users email addresses, search history, watch/download activity, location data, and video metadata. ShinyHunters attempted to extort the company with threats of public release. Pornhub stated the incident stemmed from a third-party analytics service Mixpanel and that no passwords or financial information were compromised.
  • Soundcloud: In December 2025, ShinyHunters was linked to a SoundCloud breach that exposed personal information tied to roughly 29.8 million user accounts (about 20% of platforms user base), including email addresses, usernames, avatars, follower count and locations. ShinyHunters allegedly accessed data via an ancillary service dashboard, and following attempted extortion the compromised records were reportedly published, underscoring the group's continued focus on large-scale data theft and ransom-or-release tactics.

2026

  • Panera Bread: January 2026, involved around 5 million people (14 million records) with leakage to the dark web; the group exploited a Microsoft Entra SSO installation.
  • Figure Technology Solutions: In February 2026, Figure suffered a data breach that involved around 1 million people records being stolen and affected with leakage to the dark web; yet another breach in the ShinyHunters Okta SSO campaign.
  • Wynn Resorts: In February 2026, Wynn Resorts was targeted by the cyber-extortion group ShinyHunters, who claimed to have stolen over 800,000 customer records and employee data from the company's systems.
  • Odido: February 2026, involved around 6 million people (21 million records) with leakage to the dark web.

Snowflake data hacks

In 2024, The ShinyHunters cybercriminal group claimed to have hacked Snowflake-related customers including Ticketmaster, Santander Bank, Neiman Marcus, and many others. The group was also responsible for publishing data stolen from Twilio and Truist Bank.

Salesforce data hacks

Round 1

In June 4, 2025, ShinyHunters was tied to a widespread data-theft campaign targeting Salesforce cloud customers, which Google's Threat Intelligence team tracked as UNC6040. The cybercriminal group working in conjunction with Scattered Spider (now believed to be the same group) and Lapsus$ (also now believed to be the same group or a part of) impersonated IT support staff and used voice phishing (vishing) calls to trick employees into installing a malicious version of Salesforce's Data Loader tool, allowing them to access and extract sensitive customer data by abusing OAuth to bypass traditional authentication methods. Following the successful intrusions, Google's Threat Intelligence team notes the victims of these intrusions receive an extortion or ransom email from the ShinyHunters cybercriminal group, which is also tracked as UNC6240.

This sophisticated social engineering approach led to confirmed data breaches at major companies including Google, Cisco, Adidas, Qantas, Allianz Life, Farmers Insurance Group, Workday, Pandora, Chanel, TransUnion, LVMH subsidiaries, including but not limited to Dior, Louis Vuitton, and Tiffany & Co. It is believed that a lot more victims have been impacted from this campaign, public disclosures are still impending.

Round 2

Shortly after, in August 28, 2025, another campaign tracked by Google Threat Intelligence (formerly Mandiant) as UNC6395 used OAuth/refresh tokens stolen from Salesloft's Drift integration to access numerous Salesforce customer orgs between August 8–18, 2025, systematically exporting CRM data and hunting for credentials (e.g., AWS access keys, passwords, Snowflake tokens). Google told reporters it was aware of over 700 potentially impacted organizations. Public disclosures tied to this campaign include Cloudflare, Workiva, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Rubrik, Cato Networks, and Palo Alto Networks, each confirming unauthorized access to data in their Salesforce environments following the Salesloft/Drift compromise. The ShinyHunters cybercriminal group claimed responsibility to the press.

On September 17, 2025, BleepingComputer was able to confirm ShinyHunters was behind the UNC6395 campaign, the biggest SaaS compromise in history. ShinyHunters told BleepingComputer that the threat actors used the TruffleHog security tool to scan the source code for secrets, which resulted in the finding of OAuth tokens for the Salesloft Drift and the Drift Email platforms. Using these stolen Drift OAuth tokens, ShinyHunters told BleepingComputer that the threat actors stole approximately 1.5 billion data records for 760 companies from the "Account", "Contact", "Case", "Opportunity", and "User" Salesforce object tables.

Round 3

Three months later, in November 20, 2025, once again, another campaign tracked by Google Threat Intelligence Group (formerly Mandiant) as UNC6395-adjacent actors known as ShinyHunters used OAuth/refresh tokens stolen from Gainsight Salesforce integration to access numerous customer instances.

Salesforce publicly reported detecting unusual activity related to applications published by Gainsight that were connected to its platform, leading Salesforce to revoke OAuth access and refresh tokens and temporarily remove related applications from its AppExchange while the investigation was ongoing.

The security incident bore extreme similarity to an earlier ShinyHunters-linked Salesloft Drift breach in August 2025, in which attackers stole OAuth tokens from the Salesloft integration known as Drift, enabling unauthorized access and data theft exfiltration of 760 customer Salesforce instances.

According to external reporting and industry analysis in a statement, Austin Larsen, the principal threat analyst of Google Threat Intelligence Group (formerly Mandiant), said that the company "is aware of more than 200 potentially affected Salesforce instances." Which lined up with what ShinyHunters told several media outlets specifically 285 Salesforce instances. The hacking group claimed responsibility for hacks affecting Atlassian, Docusign, F5, GitLab, Linkedin, Malwarebytes, SonicWall, Thomson Reuters, Verizon, and more.

Mixpanel data hacks

In November 2025, the ShinyHunters cybercriminal group was linked to a third-party analytics breach at Mixpanel. It affected multiple high-profile companies including Pornhub and OpenAI.

Threat actors exploited a smishing-based compromise of Mixpanel systems, resulting in the export of analytics-related datasets belonging to several customers. ShinyHunters subsequently leveraged this access to extort organizations, claiming to possess analytics records tied to platforms such as Pornhub's Premium service and, indirectly, data associated with OpenAI's API user interactions.

Both OpenAI and Pornhub confirmed that this breach was not a result of their own systems compromised but rather the third-party analytics breach at Mixpanel. Since then OpenAI does not use the analytics provider anymore.

Okta/SSO data hacks

In January 2026, ShinyHunters was linked by multiple media and threat-intelligence firms to a series of social-engineering campaigns targeted enterprise single sign-on (SSO) environments, including Okta. The attacks relied on voice-phishing ("vishing") and credential-harvesting infrastructure rather than exploitation of vulnerabilities in Okta's software, according to Okta and multiple security researchers.

According to a report by BleepingComputer, the ShinyHunters group claimed responsibility for a wave of voice-phishing ("vishing") campaigns that tricked employees into divulging their SSO credentials and multi-factor authentication codes. These credentials were subsequently used to access enterprise SSO dashboards and harvest data from connected software-as-a-service (SaaS) platforms for extortion purposes.

Okta itself publicly warned of active attacks in which threat actors used custom phishing kits and voice-based social engineering to steal SSO credentials, including Okta logins, and abuse those credentials to access cloud applications and exfiltrate data. Okta noted that these attacks did not exploit inherent vulnerabilities in its products, but instead leveraged sophisticated phishing techniques against individual users.

Threat-intelligence analysis published by Google Cloud's Threat Intelligence Group (formerly Mandiant) described how activity consistent with prior ShinyHunters-branded operations involved targeted voice-phishing and credential harvesting sites aimed at capturing SSO logins and MFA tokens. Once obtained, attackers could use the compromised SSO access to move laterally into applications such as Salesforce, Microsoft 365, and other enterprise services and then exfiltrate sensitive data. The analysis noted that some of the campaigns overlapped with ShinyHunters-branded activity tracked under multiple threat clusters.

This ongoing, highly active data theft campaign, as described by Charles Carmakal, CTO of Mandiant at Google Cloud, employs a very sophisticated social engineering approach that has led to data breaches at major companies including but not limited to University of Pennsylvania, Princeton University, Harvard University, Grubhub, Crunchbase, Betterment, Panera Bread, Match Group, Tinder, Hinge, OkCupid, Bumble Inc, Odido, and Wynn Resorts. It is believed that a lot more victims have been impacted from this campaign, public disclosures are still impending.

According to a report by Silent Push, previously founded by FireEye, former owners of Mandiant, the ShinyHunters group and their broader collective "Scattered LAPSUS$ Hunters" ("SLH" / "SLSH") are actively targeting over 100 high-profile organizations in this campaign.

Other data breaches

The following are other hacks that have been credited to or allegedly done by ShinyHunters. The estimated impacts of user records affected are also given, if possible.

totalling 1,798,509,000 not accounting for duplicate records between the above mentioned data breaches.

Lawsuits

ShinyHunters group is under investigation by the FBI, the Indonesian police, and the Indian police for the Tokopedia breach. Tokopedia's CEO and founder also confirmed this claim via a statement on Twitter.

Minted company reported the group's hack to US federal law enforcement authorities; the investigation is underway.

Administrative documents from California reveal how ShinyHunters' hack has led to Mammoth Media, the creator of the app Wishbone, getting hit with a class-action lawsuit.

Animal Jam stated that they are preparing to report ShinyHunters to the FBI Cyber Task Force and notify all affected emails. They have also created a 'Data Breach Alert' on their site to answer questions related to the breach.

BigBasket filed a First Information Report (FIR) on November 6, 2020, to the Bengaluru Police to investigate the incident.

Dave also initiated an investigation against the group for the company's security breach. The investigation is ongoing and the company is coordinating with local law enforcement and the FBI.

Wattpad stated that they reported the incident to law enforcement and engaged third-party security experts to assist them in an investigation.

Following the ransomware attack on Jaguar and Land Rover, which M&S hackers claimed responsibility for as first reported by the Telegraph, also linked to the groups Scattered Spider and ShinyHunters, the National Cyber Security Centre, part of GCHQ, is understood to be monitoring the situation.

Arrests

In May 2022, Sébastien Raoult, a French programmer suspected of belonging to the group, was arrested in Morocco and extradited to the United States. He faced 20 to 116 years in prison.

In January 2024 Raoult was sentenced to three years in prison and ordered to return five million dollars. Twelve months of the sentence are for conspiracy to commit wire fraud and the remainder for aggravated identity theft. He will face 36 months of supervised release afterwards. Raoult had worked for the group for more than two years according to the US Attorney's Office for the Western District of Washington, but was not a major player within the group.

In May–June 2025, U.S. prosecutors in the District of Massachusetts charged Matthew D. Lane, a 19-year-old Massachusetts student, with hacking and extorting an education-technology provider widely reported to be PowerSchool; prosecutors said Lane used stolen contractor credentials to access the company's network in 2024, exfiltrate data on tens of millions of students and teachers, and demand a $2.85 million bitcoin ransom. Lane agreed to plead guilty on May 20, 2025, and entered a guilty plea on June 6, 2025.

On June 25, 2025, French authorities announced that four members of the ShinyHunters cyber criminal group were arrested in multiple French regions for cyber crime activities. The coordinated global law enforcement effort targeting the 'ShinyHunters', 'Hollow', 'Noct', and 'Depressed' aliases.

It is believed that the French have arrested an affiliate of the ShinyHunters cyber criminal group and not the ring leader, as they are still active.

References