Cybercrime groups have become increasingly sophisticated, targeting some of the world’s largest organizations and exposing millions of users’ sensitive data. One of the most notorious groups in recent years is ShinyHunters, a financially motivated hacking collective linked to massive data breaches, extortion campaigns, and cloud-based attacks.
From the theft of hundreds of millions of customer records to sophisticated social engineering campaigns, ShinyHunters has repeatedly demonstrated how modern cybercriminals exploit weak security controls, third-party vendors, and cloud platforms.
Who is ShinyHunters?
ShinyHunters is a cybercrime group that first emerged publicly around 2020. The group quickly gained attention after leaking stolen databases from major companies and selling sensitive information on underground forums.
Unlike traditional ransomware gangs that encrypt systems, ShinyHunters is best known for:
- Data theft and exfiltration
- Extortion (“pay-or-leak”) attacks
- Credential theft
- Supply chain compromises
- Cloud and SaaS platform attacks
- Social engineering campaigns such as voice phishing (vishing)
Security researchers describe the group as decentralized, meaning it operates more like a loose network of cybercriminals than a formal organization. This structure makes the group difficult to dismantle because arrests of individual members rarely stop operations completely.
How ShinyHunters attacks organizations
Over time, the group’s tactics have evolved significantly. Early attacks focused on stealing databases from vulnerable systems. More recent operations involve highly targeted attacks against cloud services, third-party vendors, and employee authentication systems.
Credential theft attacks
One of the group’s most common techniques is stealing usernames, passwords, and authentication tokens. Attackers then use these credentials to access cloud platforms and internal business systems.
Many of these attacks succeed because organizations:
- Do not enforce multifactor authentication (MFA)
- Use weak passwords
- Reuse credentials across systems
- Fail to monitor suspicious login activity
According to security researchers, missing or weak MFA has been a recurring factor in many ShinyHunters-related breaches.
Example: The Ticketmaster breach
One of the group’s most widely publicized attacks involved Ticketmaster in 2024.
ShinyHunters claimed responsibility for stealing data associated with approximately 560 million users, including:
- Names
- Phone numbers
- Email addresses
- Billing information
- Partial payment data
The breach was reportedly linked to compromised cloud credentials connected to the cloud data platform Snowflake rather than a direct compromise of Ticketmaster itself.
The incident highlighted a growing cybersecurity concern: attackers increasingly target cloud environments and third-party services instead of directly attacking company infrastructure.
Go deeper: Hacking group claims it breached Ticketmaster and stole data for 560 million customers
Example: Santander and Snowflake-related attacks
Banco Santander was another high-profile victim associated with the Snowflake-related campaign.
Reports indicated that attackers accessed sensitive customer data through stolen credentials tied to cloud services. The campaign reportedly affected multiple organizations simultaneously, demonstrating how one compromised platform or vendor can create widespread risk across industries.
Go deeper: Santander Employee Data Breach Linked to Snowflake Attack
Supply chain and third-party attacks
ShinyHunters increasingly targets vendors, analytics platforms, and software providers to gain indirect access to customers.
These attacks are especially dangerous because organizations may have strong internal security while remaining vulnerable through trusted partners.
Example: The Anodot supply chain breach
In 2026, the group allegedly compromised Anodot, a third-party analytics company integrated with Snowflake environments.
By stealing authentication tokens, attackers reportedly gained access to customer environments connected to the platform. Several organizations were affected through this indirect compromise.
This attack demonstrated how:
- Third-party integrations expand the attack surface
- Compromised tokens can bypass traditional login protections
- Supply chain attacks can impact multiple organizations simultaneously
Go deeper: Third-party integration tool Anodot data breach hits Snowflake customers
Example: Rockstar Games extortion attack
Rockstar Games confirmed a 2026 breach tied to the Anodot-Snowflake incident. ShinyHunters allegedly accessed internal company data and threatened to leak it publicly unless a ransom was paid. Rockstar stated that no player accounts were affected, but the attack still created reputational and operational risks.
Go deeper: Rockstar confirms major third-party data breach
Pay-or-leak extortion attacks
ShinyHunters frequently uses a “pay-or-leak” strategy instead of deploying ransomware.
In a pay-or-leak attack:
- Attackers steal sensitive data
- The organization is threatened with public exposure
- Criminals demand payment to prevent the leak
This model can be extremely effective because organizations fear:
- Regulatory penalties
- Reputational damage
- Customer lawsuits
- Loss of trust
- Competitive exposure
Example: Zara, Carnival, 7-Eleven, and Vimeo
In 2026, ShinyHunters allegedly targeted:
- Zara
- Carnival Corporation
- 7-Eleven
- Vimeo
The group reportedly threatened to leak millions of records unless ransom demands were met. These incidents showed how the group targets organizations across multiple sectors, including retail, hospitality, and transportation.
Go deeper:
- Zara, Carnival, 7-Eleven hit by ShinyHunters, 9M+ records at risk in “pay or leak” warning
- The Vimeo data breach exposed personal information of 119,000 people
Voice phishing (vishing) attacks
A newer tactic associated with ShinyHunters involves voice phishing, also known as vishing.
Instead of relying only on phishing emails, attackers call employees while pretending to be:
- IT support staff
- Help desk personnel
- Security teams
- Corporate administrators
Victims are then tricked into:
- Revealing passwords
- Approving MFA requests
- Visiting fake login portals
- Sharing authentication codes
Example: Okta and SSO campaigns
Security researchers linked ShinyHunters to voice phishing campaigns targeting enterprise single sign-on (SSO) platforms such as:
- Okta
- Microsoft Entra ID
- Google Workspace
These attacks reportedly enabled unauthorized access to SaaS applications and cloud environments.
Go deeper: ShinyHunters escalates tactics in extortion campaign linked to Okta environments
Industries targeted by ShinyHunters
The group has targeted organizations across numerous industries, including:
- Healthcare
- Retail
- Banking
- Telecommunications
- Hospitality
- Technology
- Gaming
- Education
Victims reportedly include:
- Ticketmaster
- Santander
- AT&T
- Rockstar Games
- SoundCloud
- Crunchbase
- Panera Bread
- Canvas/Instructure
- Marriott
- Microsoft
- Cisco
Why ShinyHunters is difficult to stop
Several factors make the group particularly challenging for law enforcement and organizations:
- Decentralized operations: The group does not appear to operate like a traditional company or hierarchical organization.
- Reliance on legitimate tools: Instead of malware alone, attackers frequently abuse:
  - Cloud credentials
  - SaaS integrations
  - Authentication tokens
  - Legitimate admin tools
- Social engineering effectiveness: Human error remains one of the weakest points in cybersecurity defenses.
- Third-party risk: Many attacks exploit trusted vendors and external platforms rather than directly targeting victims.
Lessons organizations can learn
The continued success of ShinyHunters highlights several important cybersecurity lessons:
Enforce phishing-resistant MFA
Traditional MFA methods, such as SMS codes, can still be bypassed through social engineering. Security experts increasingly recommend phishing-resistant authentication, such as:
- Passkeys
- Hardware security keys
- FIDO2 authentication
Monitor third-party integrations
Organizations should regularly review:
- Connected SaaS applications
- Vendor access permissions
- API tokens
- Cloud authentication activity
Train employees against social engineering
Security awareness training should include:
- Voice phishing scenarios
- MFA fatigue attacks
- Help desk impersonation attempts
- Credential theft techniques
Implement least-privilege access
Employees and vendors should only have access to the systems necessary for their roles.
Improve incident detection
Many organizations discover breaches only after stolen data appears online. Faster detection and response capabilities are critical.
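As an added example (not code from the original article or from any vendor it names), a small Python audit that applies the lessons above to a constructed cloud authentication log: it flags password logins that succeeded without MFA, integration tokens used from outside an assumed allowlisted network, and an MFA push approved after repeated denials. The log format, the svc-analytics account, the analytics-vendor app name and the allowlist are all assumptions made for the example.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): one auth event per line as key=value pairs.
SAMPLE_LOG = """\
ts=2026-03-02T08:01:10Z user=alice@example.com event=login auth=password result=success mfa=true src=203.0.113.5
ts=2026-03-02T08:03:44Z user=bob@example.com event=login auth=password result=success mfa=false src=198.51.100.7
ts=2026-03-02T08:05:02Z user=svc-analytics event=login auth=token app=analytics-vendor result=success src=192.0.2.10
ts=2026-03-02T08:06:30Z user=svc-analytics event=login auth=token app=analytics-vendor result=success src=203.0.113.77
ts=2026-03-02T08:07:15Z user=carol@example.com event=mfa_push result=denied src=198.51.100.9
ts=2026-03-02T08:07:20Z user=carol@example.com event=mfa_push result=denied src=198.51.100.9
ts=2026-03-02T08:07:41Z user=carol@example.com event=mfa_push result=approved src=198.51.100.9
"""

# Assumed allowlist: the source networks each third-party integration's token may be used from.
TOKEN_ALLOWLIST = {"analytics-vendor": [ipaddress.ip_network("192.0.2.0/24")]}
FATIGUE_WINDOW = timedelta(minutes=10)
FATIGUE_DENIALS = 2  # denied pushes before an approval that count as suspicious

def parse(line):
    """Split 'k=v k=v ...' into a dict; the ts field becomes a naive datetime."""
    ev = dict(kv.split("=", 1) for kv in line.split())
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev

def audit(log_text):
    """Return (kind, user, ts) findings for the three credential-abuse patterns."""
    findings, denials = [], {}  # denials: user -> timestamps of recent denied pushes
    for ev in (parse(l) for l in log_text.splitlines() if l.strip()):
        user, ts = ev["user"], ev["ts"]
        if ev["event"] == "login" and ev["result"] == "success":
            if ev["auth"] == "password" and ev.get("mfa") != "true":
                findings.append(("login_without_mfa", user, ts))
            elif ev["auth"] == "token":  # integration token: check it came from an expected network
                src = ipaddress.ip_address(ev["src"])
                allowed = TOKEN_ALLOWLIST.get(ev.get("app"), [])
                if not any(src in net for net in allowed):
                    findings.append(("token_from_unexpected_source", user, ts))
        elif ev["event"] == "mfa_push":
            recent = [t for t in denials.get(user, []) if ts - t <= FATIGUE_WINDOW]
            if ev["result"] == "denied":
                denials[user] = recent + [ts]
            elif ev["result"] == "approved" and len(recent) >= FATIGUE_DENIALS:
                findings.append(("mfa_fatigue_approval", user, ts))  # approval after repeated denials
                denials[user] = []
    return findings
if __name__ == "__main__":
    for kind, user, ts in audit(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S} {kind:30} {user}")
```

Run against the sample it reports one finding of each kind; in practice the same checks would be fed from the identity provider's or cloud platform's exported sign-in events.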
FAQs
What is ShinyHunters?
ShinyHunters is a cybercriminal group known for large-scale data theft, extortion campaigns, credential theft, and cloud-related cyberattacks.
What kind of attacks does ShinyHunters perform?
The group has been linked to:
- Data breaches
- Credential theft
- Voice phishing
- Supply chain attacks
- Cloud account compromises
- Pay-or-leak extortion schemes
What is a pay-or-leak attack?
In a pay-or-leak attack, cybercriminals steal sensitive information and threaten to release it publicly unless the victim organization pays a ransom.
Why are cloud services often targeted?
Cloud platforms contain large amounts of centralized data and are often connected to multiple third-party applications, making them attractive targets for attackers.
How can organizations defend against these attacks?
Organizations can reduce risk by:
- Using phishing-resistant MFA
- Monitoring third-party vendors
- Training employees
- Restricting privileged access
- Improving threat detection and response systems