The threat actor group ShinyHunters has allegedly released data tied to multiple organizations, including Carnival Corporation, Zara, 7-Eleven, Pitney Bowes, and others, marking a significant escalation in an ongoing extortion campaign linked to large-scale data theft operations. The latest post follows earlier breach claims and appears to represent a shift from listing victims to actively publishing datasets.
Multiple organizations added to expanding victim list
According to the group’s latest update, the affected organizations include Mytheresa, Zara, 7-Eleven, Carnival Corporation & plc, Pitney Bowes, and The Canada Life Assurance Company. Each listing is accompanied by claims that negotiations failed, prompting the release of allegedly stolen data.
The datasets are described as containing a mix of personally identifiable information, transactional records, and internal corporate data. In several cases, ShinyHunters specifically referenced Salesforce-related records, continuing a pattern observed across earlier campaigns tied to misconfigured cloud environments.
Carnival claim escalates from breach allegation to alleged data leak
The update builds on prior claims involving Carnival Corporation, where the group previously alleged the theft of millions of records. ShinyHunters now claims that data has been released after negotiations broke down. BreachNews previously reported on the initial Carnival breach claim involving approximately 8.7 million records, which had not been independently verified at the time of publication.
Carnival Corporation had not issued any public statement at time of publication regarding either the original claim or the alleged data release.
Salesforce data exposure pattern continues across new listings
Several of the newly listed organizations are associated with claims of compromised Salesforce environments. The actor alleges access to large volumes of records, including more than 25 million entries in one case and over 600,000 records in another. These datasets are described as containing customer information alongside internal business data.
The repeated reference to Salesforce aligns with a broader campaign that has been active since late 2025, in which threat actors have targeted misconfigured cloud environments to extract data at scale. Previous incidents attributed to ShinyHunters have similarly involved Salesforce datasets, often tied to guest access misconfigurations or exposed data interfaces.
In the case of Zara, the group attributed access to a third-party platform, though no technical evidence has been provided to support the claim or clarify the role of external systems in the alleged breach.
Extortion messaging follows established ShinyHunters pattern
The language used in the latest post closely mirrors prior extortion campaigns, with the group claiming that organizations were given multiple opportunities to negotiate before data was released. Similar messaging has been observed in earlier victim listings, where deadlines were set and followed by partial or full data publication.
A previous wave of listings covered by BreachNews included Amtrak, McGraw Hill, and Kemper Corporation, several of which were later followed by alleged data releases after deadlines passed. In at least some cases, datasets were published despite ongoing investigations or disputes over the scope of the breach.
Campaign scale and attribution remain difficult to verify
ShinyHunters has claimed responsibility for breaching hundreds of organizations as part of its broader campaign, though the accuracy of those figures remains unclear. The group has previously linked its activity to cloud misconfigurations rather than traditional intrusion techniques, focusing on accessible data rather than system compromise.
At this stage, none of the newly listed organizations have publicly confirmed the alleged breaches or data releases. As with earlier claims, verification remains limited to threat actor statements, and it is not yet known whether the datasets described are authentic, complete, or previously undisclosed.
Ongoing investigation and potential downstream risk
If the claims are accurate, the exposure of large volumes of customer and corporate data could introduce long-term risks, including targeted phishing campaigns, identity fraud, and follow-on attacks against affected organizations. Data tied to CRM systems is often structured and detailed, increasing its value in social engineering scenarios.
For a broader overview of the group’s activity and history, see the BreachNews profile on ShinyHunters.
Further developments are likely as affected organizations investigate the claims or as additional datasets are analyzed and verified.
