Attribution: Financially motivated cybercriminal group, suspected French-speaking members
Primary Operations: Large-scale database theft, credential harvesting, data extortion, data sales
ShinyHunters is a financially motivated cybercrime collective known for large-scale data exfiltration and extortion operations targeting enterprise platforms, particularly cloud-hosted environments. Active since at least 2020, the group has evolved into a high-volume threat actor focused on extracting and monetizing sensitive corporate and customer data through coordinated leak campaigns, ransom demands, and direct data sales.
The group operates a public-facing leak and extortion model, where organizations are listed alongside breach claims, dataset descriptions, and deadline-driven warnings. Their approach centers on breaching organizations, exfiltrating data at scale, and pressuring victims to pay under threat of public exposure.
Recent activity shows a consistent focus on SaaS platforms, CRM systems, and internal corporate environments. ShinyHunters frequently combines technical compromise with psychological pressure, using public messaging to frame victims as negligent and to accelerate negotiations.
Latest activity tracker
This section is continuously updated as new ShinyHunters activity is reported.
- June 2026: ShinyHunters allegedly publishes datasets linked to American Tower, JCPenney, Madison Square Garden Sports, Ralph Lauren, and Nexstar following failed extortion negotiations
- June 2026: Houston Community College, Glendale Community College, Illinois Central College, and Moody Bible Institute added to the extortion portal
- June 2026: Sysco allegedly breached with 61 million Salesforce records claimed
- June 2026: Kodak and Deep Well Services added to the leak site with June 18 deadlines
- June 2026: Council of Europe, American Tower, JCPenney, Madison Square Garden Sports, Ralph Lauren, and Nexstar threatened with public data release
- June 2026: University of Nottingham added to education-sector victim listings
- June 2026: Researchers link ShinyHunters activity to active exploitation of an Oracle PeopleSoft vulnerability affecting universities
- May 2026: Instructure confirms breach tied to student data exposure and later confirms a ransom payment
- May 2026: GeForce NOW database allegedly offered for sale with millions of records claimed
- May 2026: Addi financial platform breach claim involving 16 million records
- May 2026: Vimeo data compromise claim tied to alleged third-party access
- May 2026: Charter Communications and DentaQuest data allegedly released following failed negotiations
- May 2026: BCD Travel breach claim involving approximately 700,000 Salesforce records
All ShinyHunters coverage
Throughout 2026, ShinyHunters has significantly increased both the volume and visibility of its operations, shifting from isolated breach claims to coordinated multi-company campaigns and rapid follow-through on extortion threats.
The following articles track alleged and confirmed ShinyHunters activity covered by BreachNews:
- Hallmark Cards Salesforce dataset claim (7.9M records)
- Cisco extortion claim involving 3M records
- Rockstar Games breach linked to supply chain compromise
- Carnival Corporation breach claim involving 8.7M records
- Marcus & Millichap Salesforce dataset (30M records)
- ADT breach claim with pay-or-leak deadline (10M records)
- Udemy dataset leak following failed negotiations
- Anthropic Claude Mythos AI data sale claim
- GeForce NOW database breach claim
- Accord Healthcare dataset release (642K records)
- Vercel internal systems breach (2M records claimed)
- Amtrak, McGraw Hill, and Kemper coordinated extortion campaign
- Multi-company campaign including Zara, 7-Eleven, and Pitney Bowes
- Vimeo breach claim tied to Anodot third-party access
- Addi breach claim involving 16M financial records
- Instructure Canvas breach impacting education sector
- Houghton Mifflin Harcourt added to expanding extortion campaign
- Charter Communications, DentaQuest, and Baker Distributing added to extortion listings
- Charter Communications data allegedly released following failed negotiations
- DentaQuest data allegedly released following negotiations collapse
- BCD Travel breach claim involving 700,000 Salesforce records
- University of Nottingham breach affecting multiple campuses
- Oracle PeopleSoft zero-day exploitation linked to ShinyHunters activity
- Council of Europe, American Tower, JCPenney, Madison Square Garden Sports, Ralph Lauren, and Nexstar extortion campaign
- Sysco Salesforce breach claim involving 61 million records
- Kodak and Deep Well Services added to leak site
- Houston Community College, Glendale Community College, Illinois Central College, and Moody Bible Institute listings
- American Tower, JCPenney, Madison Square Garden Sports, Ralph Lauren, and Nexstar allegedly move from extortion phase to public data release
In multiple cases, the group has followed through on threats by publishing data after deadlines passed, reinforcing the credibility of their extortion model.
Tactics and operational patterns
ShinyHunters demonstrates a consistent operational model centered on data exfiltration rather than encryption-based ransomware. Key tactics include:
- Data-first extortion: Prioritizing theft and public exposure over system disruption
- Deadline-driven pressure: Issuing final warning notices with specific leak dates
- Public negotiation tactics: Using public listings to pressure organizations and shape narrative
- Mass data packaging: Structuring datasets for resale or publication
- Cloud and SaaS targeting: Focusing on Salesforce, cloud storage, and internal platforms
Salesforce campaign and enterprise targeting
A major component of ShinyHunters’ recent activity involves large-scale data extraction from Salesforce environments and similar cloud-based platforms. These incidents often involve misconfigured access controls or exposed data pathways, allowing unauthenticated or low-privilege access to sensitive datasets.
The scale of these operations suggests repeatable techniques and potentially automated scanning and extraction workflows targeting misconfigured enterprise systems.
Shift toward data sales and intellectual property
In addition to traditional extortion, ShinyHunters has increasingly moved toward direct data sales, offering datasets, internal systems, and in some cases alleged intellectual property for purchase.
This includes recent listings involving internal corporate data, enterprise system access, and experimental AI-related assets, indicating a broader monetization strategy beyond customer data alone.
Behavior and messaging strategy
The group frequently uses confrontational messaging in its listings, accusing organizations of failing to protect user data and framing payment as a responsible decision. Public posts often include countdowns, warnings, and reputational pressure tactics designed to force rapid engagement.
Unlike quieter threat actors, ShinyHunters relies heavily on visibility and narrative control as part of its operational model.
Recent trends
Activity in 2026 reflects increased automation, higher targeting volume, and more aggressive follow-through on extortion threats. The group’s ability to consistently target enterprise environments suggests ongoing access to vulnerable systems or effective exploitation of common misconfigurations.
The shift toward combining breach claims, public pressure, and data sales positions ShinyHunters as one of the most active and visible financially motivated threat actors currently operating.
Notes
All breach claims attributed to ShinyHunters should be treated as unverified unless confirmed by affected organizations or independently validated. However, the group’s history of publishing data following failed negotiations indicates that many claims warrant serious attention.
Update (June 17, 2026): Added coverage involving the alleged publication of datasets tied to American Tower, JCPenney, Madison Square Garden Sports, Ralph Lauren, and Nexstar. Also added the latest education-sector victim listings, Sysco, Kodak, Deep Well Services, and related campaign activity.












