ShinyHunters is a financially motivated cybercrime collective known for large-scale data exfiltration and extortion operations targeting enterprise platforms, particularly cloud-hosted environments. Active since at least 2019, the group has evolved into a high-volume threat actor focused on extracting and monetizing sensitive corporate and customer data through coordinated leak campaigns and ransom demands.
Overview
ShinyHunters operates a public-facing data leak platform where victims are listed alongside datasets, download links, and extortion messages. Their model centers on breaching organizations, exfiltrating data at scale, and pressuring victims to pay under threat of full public disclosure. The group frequently escalates pressure using countdown deadlines, public “final warnings,” and direct messaging aimed at executives and stakeholders.
Recent activity indicates a strong focus on Salesforce environments and internal corporate systems, with multiple incidents involving exposed CRM data, internal documents, and authentication-related information. The group consistently frames non-payment as negligence, often accusing organizations of disregarding customer privacy.
Current Campaign Activity (2026)
ShinyHunters has maintained a sustained and aggressive campaign throughout early 2026, publishing dozens of organizations across industries including financial services, education, telecommunications, retail, and SaaS platforms.
Notable patterns include:
- Large-scale Salesforce data extraction involving customer records, internal communications, and business data
- Repeated targeting of financial advisory firms and enterprise SaaS platforms
- Public release of compressed and uncompressed datasets ranging from gigabytes to hundreds of gigabytes
- Use of public leak listings combined with direct extortion messaging
Latest Incidents (Per ShinyHunters Leak Site)
The following organizations were listed on ShinyHunters’ extortion and data leak platform as of late March 2026. Listings typically include claims of data exfiltration, dataset sizes, and public pressure messaging directed at victims.
- Hallmark Cards, Inc.: 7.9M+ Salesforce records containing PII and internal corporate data
- European Commission (*.europa.eu): 350GB+ of internal data including mail servers, databases, and confidential documents
- Ameriprise Financial, Inc.: 236GB of Salesforce records containing PII and internal corporate data
- Infinite Campus, Inc.: Salesforce data exposure (size not specified)
- Berkadia Commercial Mortgage: 27GB of Salesforce records and internal corporate data
- Aura Group, Inc.: 900k+ records (12GB) including PII and internal data
- CFGI Management: 800k+ records and 40k+ financial documents
- Woflow, Inc.: 326GB dataset impacting company and partners (DoorDash, Deliveroo, etc.)
- Pathstone: 15GB of Salesforce records and internal data
- Odido NL & Ben.nl: 15M+ records including PII, IBANs, passport data, and plaintext credentials (88GB+ uncompressed)
- Beacon Pointe Advisors: 100k+ records including PII and internal data (60GB)
- Mercer Advisors: 5M+ records including 1.3M with PII
- CarGurus, Inc.: 12.4M+ records containing PII (6.1GB)
- Canada Goose: 600k+ records including financial data
- Figure Technology Solutions: 1M+ records containing PII
- Harvard University: 1M+ records including donor data
- University of Pennsylvania: ~1.2M records (despite claims of “fewer than 10”)
- Bumble Inc.: Internal documents from Google Drive and Slack (30GB)
- Match Group (Hinge, OkCupid): 10M+ records and internal documents
- Panera Bread: 14M+ records containing PII
- Edmunds.com: PII data exposure (12GB)
- CarMax, Inc.: 400k+ records containing PII
- Betterment, LLC.: 2M+ records containing PII
- Crunchbase, Inc.: 2M+ records containing PII
- SoundCloud: 30M+ records containing PII
These listings are self-reported by the threat actor and may include exaggeration, partial datasets, or unverified claims. However, they provide insight into current targeting patterns, victim sectors, and operational scale.
Tactics and Behavior
ShinyHunters demonstrates a consistent operational pattern centered on data exfiltration and psychological pressure rather than traditional ransomware encryption. Key behaviors include:
- Data-first extortion: Prioritizing theft and public exposure over system disruption
- Public negotiation tactics: Publishing messages criticizing victims and urging payment
- Mass data packaging: Releasing structured datasets with clear organization for resale or public consumption
- Credential and cloud exploitation: Leveraging access to SaaS platforms, internal tools, and cloud storage systems
The group frequently includes taunting or confrontational messaging within leak posts, framing non-payment as irresponsible behavior by company leadership. Messaging often targets reputational risk and attempts to influence public perception.
BreachForums Position
ShinyHunters has publicly distanced itself from current versions of BreachForums following its seizure by law enforcement in October 2025. The group claims that any active forums operating under the BreachForums name are fraudulent and has threatened to release historical backups—including private messages, IP addresses, and user data—if such platforms continue to operate.
The group also claims to possess exploitation capabilities targeting MyBB forum software, suggesting the ability to compromise or monitor similar platforms.
Recent Trends
Activity observed in 2026 reflects a shift toward higher-volume, more automated targeting, particularly against organizations with large customer datasets stored in centralized cloud systems. The scale and frequency of disclosures suggest either expanded operational capacity or increased reliance on repeatable exploitation techniques.
The group’s continued activity across multiple sectors, combined with the size of claimed datasets, indicates ongoing access to enterprise-level environments and persistent effectiveness despite prior law enforcement actions.
Notes
ShinyHunters remains one of the more visible threat actors due to its public leak infrastructure and aggressive communication style. While attribution remains complex, the group’s branding and messaging consistency suggest a coordinated operation rather than isolated actors.
The combination of large-scale data exposure, public pressure tactics, and repeated targeting of cloud-based systems positions ShinyHunters as a significant ongoing threat to organizations relying on centralized data platforms.





