ShinyHunters

ShinyHunters is a notorious black-hat criminal hacker and extortion group that is believed to have formed in 2019, and is said to have been involved in a massively significant amount of data breaches. The group often extorts the company they've hacked, if the company does not pay the ransom the stolen information is sold or often leaked on the dark web. ^{[1] [2]} They use very aggressive tactics in order to get victims to comply with their demands.

Name and alias

The name of the group is believed to be derived from Shiny Pokémon, an aspect of the Pokémon video game franchise where Pokémon have a rare chance of being encountered in an alternate, "shiny" color scheme; players who actively try to collect such Pokémon through in-game strategies are often referred to as "shiny hunters". ^{[3] [4]}

Notable data breaches

• Mathway: In January 2020, ShinyHunters breached Mathway, stealing roughly 25 million users' data. Mathway is a popular math app for students that helps solve algebraic equations. ^[5]
• Tokopedia: On 2 May 2020 Tokopedia was breached by ShinyHunters, which claimed to have data for 91 million user accounts, revealing users' gender, location, username, full name, email address, phone number, and hashed passwords. ^[1]
• Wishbone: Also in May 2020, ShinyHunters leaked the full user database of Wishbone, which is said to contain personal information such as usernames, emails, phone numbers, city/state/country of residence, and hashed passwords. ^[6]
• Microsoft: In May 2020, ShinyHunters also claimed to have stolen over 500 GB of Microsoft source code from the company's private GitHub account. The group published around 1GB of data from the hacked GitHub account to a hacking forum. Some cybersecurity experts doubted the claims until analyzing the code; upon analysis, ShinyHunters' claims were no longer in question. Microsoft told Wired in a statement that they are aware of the breach. Microsoft later secured their GitHub account, which was confirmed by ShinyHunters as they reported being unable to access any repositories. ^{[7] [8] [9]}
• Wattpad: In July 2020, ShinyHunters gained access to the Wattpad database containing 270 million user records. Information leaked included usernames, real names, hashed passwords, email addresses, geographic location, gender, and date of birth. ^{[10] [11] [12]}
• Pluto TV: In November 2020, it was reported that ShinyHunters gained access to the personal data of 3.2 million Pluto TV users. The hacked data included users' display names, email addresses, IP addresses, hashed passwords and dates of birth. ^{[13] [14]}
• Animal Jam: It was also reported in November 2020 that ShinyHunters was behind the hack of Animal Jam, leading to the exposure of 46 million accounts. ^{[15] [16]}
• Mashable: In November 2020, ShinyHunters leaked 5.22GB worth of the Mashable database on a prominent hacker forum. ^[17]
• Pixlr: In January 2021, ShinyHunters leaked 1.9 million user records from Pixlr. ^[18]
• Nitro PDF: In January 2021, a hacker claiming to be a part of ShinyHunters leaked the full database of Nitro PDF — which contains 77 million user records — on a hacker forum for free. ^[19]
• Bonobos: In January 2021 it was reported that ShinyHunters leaked the full Bonobos backup cloud database to a hacker forum. The database is said to contain the address, phone numbers, and order details for 7 million customers; general account information for another 1.8 million registered customers; and 3.5 million partial credit card records and hashed passwords. ^[20]
• AT&T Wireless: In 2021, ShinyHunters began selling information on 70 million AT&T wireless subscribers, which contained users' phone numbers, personal information and social security numbers. AT&T acknowledged the data breach in 2024. ^{[21] [22] [23]}
• Aditya Birla Fashion and Retail: In December 2021, Indian retailer Aditya Birla Fashion and Retail was breached and ransomed. The ransom demand was allegedly rejected and data containing 5.4 million unique email addresses were subsequently dumped publicly on a popular hacking forum the next month. The data contained extensive personal customer information including names, phone numbers, physical addresses, birth dates, order histories and passwords stored as MD5 hashes ^[24]
• AT&T Wireless (2): In April 2024, the ShinyHunters cyber criminal group hacked AT&T Wireless and stole data on over 110 million customers. In May, AT&T paid a $370,000 ransom to one of the group's members to delete the data. ^[25]
• Santander: On May 30, 2024, Santander was breached by ShinyHunters, which resulted in all Santander staff and '30 million' customers in Spain, Chile and Uruguay compromised. ^[26]
• Ticketmaster: The ShinyHunters cybercriminal group have claimed responsibility for breaching Ticketmaster via the Snowflake campaign. ^[27]
• PowerSchool: In December 2024, education-software vendor PowerSchool was breached; the attacker demanded $2.85 million and the company paid a ransom to prevent release of stolen student/teacher data. ^{[28] [29]} In early May 2025, new extortion emails began hitting individual school districts that were customers of PowerSchool, with outlets reporting attempts to leverage the stolen data from an earlier PowerSchool breach (Sep 2024) identified by CrowdStrike. One message shared with DataBreaches.net opened, "Hello, we are ShinyHunters," demanding payment from North Carolina authorities, though the publication cautioned it could not authenticate the sender's identity. BleepingComputer likewise reported that someone claiming to be ShinyHunters was re-extorting districts, while a person identifying as the group's leader told the outlet the culprit was an affiliate impersonating them. ^[30]
• Legal Aid Agency (U.K. Ministry of Justice): The Ministry of Justice disclosed on 22 May 2025 (updated 4 September 2025) that the Legal Aid Agency (LAA) suffered a cyber incident affecting applicants who used its digital service from 2007 until systems were taken offline on 16 May 2025; the MoJ has not named a culprit and says investigations are ongoing. ^[31] In August 2025, multiple outlets reported that a group using the ShinyHunters name posted on Telegram (Scattered LAPSUS$ Hunters ^{[32] [33]} ) claiming responsibility and threatening to leak LAA data unless a member was freed; The Times and TheLaw Society Gazette covered the claim while noting authorities had not verified the posts and that the deadline passed without a leak. ^{[34] [35] [36] [37]}
• LVMH (Louis Vuitton, Dior, Tiffany & Co.): In mid-2025, luxury conglomerate LVMH confirmed that several of its brands – including Louis Vuitton, Dior, and Tiffany & Co. – experienced unauthorized access to a customer information database managed by a third-party platform. ^[38] While each subsidiary disclosed limited details (Tiffany & Co.'s Korean unit noted a "vendor platform" was breached), investigators later tied these incidents to the ShinyHunters Salesforce data-theft campaign. ^[38] The threat actors privately extorted the firms via email (using the ShinyHunters name) and were ultimately identified as part of the UNC6040/UNC6240 clusters described by Google. ^[39]
• Google: On June 4, 2025, Google Threat Intelligence Group (GTIG) reported on UNC6040, a cluster of voice-phishing campaigns targeting organizations' Salesforce instances. The attackers used modified versions of Data Loader to export Salesforce data and subsequently extort the victims. GTIG attributed the activity to ShinyHunters. ^[39] According to DataBreaches.net, ShinyHunters have merged with Scattered Spider. ^[40] On August 5, 2025, Google confirmed that a corporate Salesforce instance of Google's containing contact information and notes for small and medium-sized businesses had been compromised by UNC6040/ShinyHunters activity. ^[41]
• Qantas: In July 2025, Australian airline Qantas suffered a cyberattack that exposed data of approximately 5.7 million customers. ^[42] Initially attributed to Scattered Spider by multiple professional security researchers and journalists. ^[43] Later confirmed to be the work of the ShinyHunters cybercriminal group. ^[38] According to DataBreaches.net and many others journalists/security researchers, ShinyHunters have merged with Scattered Spider. ^[40]
• Jaguar Land Rover: On September 2, 2025, Jaguar Land Rover (JLR) disclosed a cyber incident and proactively shut down systems, causing severe disruption to production and retail operations. In the days that followed, outlets reported that a ShinyHunters/Scattered Spider–aligned collective claimed responsibility; JLR said there was no evidence of customer data theft at that time and notified the UK ICO. ^{[44] [45] [46] [47]}
• Kering: In September 2025, ShinyHunters was linked to a major data breach affected Kering, the French luxury goods group that owns brands such as Gucci, Balenciaga, and Alexander McQueen. ShinyHunters claimed to have stolen personal data from Balenciaga, Gucci, Brioni, and Alexander McQueen. The group claimed they compromised 43,483,137 million records exclusively from Gucci and approximately 7.4 million unique customer records across Balenciaga, Brioni, and Alexander McQueen. The data included not limited to, names, email addresses, phone numbers, physical addresses, and total spend amounts from luxury store purchases. ^[48] Kering confirmed the incident, stating that an unauthorized third party accessed limited customer information and that no financial data (such as credit card or bank info) was compromised. ShinyHunters reportedly attempted to extort the company flowing the breach, which was identified in June 2025 and publicly disclosed months later. ^{[49] [50]}
• Pornhub: In December 2025, ShinyHunters claimed responsibility for the Pornhub breach affected by the Mixpanel campaign. ShinyHunters claimed 94 GB of historical analytics data containing over 200 million records of Pornhub users email addresses, search history, watch/download activity, location data, and video metadata. ShinyHunters attempted to extort the company with threats of public release. Pornhub stated the incident stemmed from a third-party analytics service Mixpanel and that no passwords or financial information were compromised. ^{[51] [52]}
• Soundcloud: In December 2025, ShinyHunters was linked to a SoundCloud breach that exposed personal information tied to roughly 29.8 million user accounts (about 20% of platforms user base), including email addresses, usernames, avatars, follower count and locations. ShinyHunters allegedly accessed data via an ancillary service dashboard, and following attempted extortion the compromised records were reportedly published, underscoring the group's continued focus on large-scale data theft and ransom-or-release tactics. ^{[53] [54]}

Snowflake data hacks

In 2024, The ShinyHunters cybercriminal group claimed to have hacked Snowflake-related customers including Ticketmaster, Santander Bank, Neiman Marcus, and many others. ^[55] The group was also responsible for publishing data stolen from Twilio and Truist Bank. ^[56]

Salesforce data hacks

In June 4, 2025, ShinyHunters was tied to a widespread data-theft campaign targeting Salesforce cloud customers, which Google’s Threat Intelligence team tracked as UNC6040. ^[39] The cybercriminal group working in conjunction with Scattered Spider ^[40] (now believed to be the same group) and Lapsus$ (also now believed to be the same group or apart of) impersonated IT support staff and used voice phishing (vishing) calls to trick employees into installing a malicious version of Salesforce's Data Loader tool, allowing them to access and extract sensitive customer data by abusing OAuth to bypass traditional authentication methods. ^[57] Following the successful intrusions, Google's Threat Intelligence team notes the victims of these intrusions receive an extortion or ransom email from the ShinyHunters cybercriminal group, which is also tracked as UNC6240. ^[39]

This sophisticated social engineering approach led to confirmed data breaches at major companies including Google, Cisco, Adidas, Qantas, Allianz Life, Farmers Insurance Group, Workday, Pandora, Chanel, TransUnion, LVMH subsidiaries, including but not limited to Dior, Louis Vuitton, and Tiffany & Co. ^[38] It is believed that a lot more victims have been impacted from this campaign, public disclosures are still impending.

Shortly after, in August 28, 2025, another campaign tracked by Google Threat Intelligence (formerly Mandiant) as UNC6395 used OAuth/refresh tokens stolen from Salesloft's Drift integration to access numerous Salesforce customer orgs between August 8–18, 2025, systematically exporting CRM data and hunting for credentials (e.g., AWS access keys, passwords, Snowflake tokens). ^[58] Google told reporters it was aware of over 700 potentially impacted organizations. Public disclosures tied to this campaign include Cloudflare, Workiva, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Rubrik, Cato Networks, and Palo Alto Networks, each confirming unauthorized access to data in their Salesforce environments following the Salesloft/Drift compromise. ^[59] The ShinyHunters cybercriminal group claimed responsibility to the press.

On September 17, 2025, BleepingComputer was able to confirm ShinyHunters was behind the UNC6395 campaign, the biggest SaaS compromise in history. ^[60] ShinyHunters told BleepingComputer that the threat actors used the TruffleHog security tool to scan the source code for secrets, which resulted in the finding of OAuth tokens for the Salesloft Drift and the Drift Email platforms. Using these stolen Drift OAuth tokens, ShinyHunters told BleepingComputer that the threat actors stole approximately 1.5 billion data records for 760 companies from the "Account", "Contact", "Case", "Opportunity", and "User" Salesforce object tables.

Mixpanel data hacks

In November 2025, the ShinyHunters cybercriminal group was linked to a third-party analytics breach at Mixpanel that affected multiple high-profile companies. Most notably, Pornhub and OpenAI.

Threat actors exploited a smishing-based compromise of Mixpanel systems, resulting in the export of analytics-related datasets belonging to several customers. ShinyHunters subsequently leveraged this access to extort organizations, claiming to possess analytics records tied to platforms such as Pornhub's Premium service and, indirectly, data associated with OpenAI's API user interactions. ^{[61] [62]}

Both OpenAI and Pornhub confirmed that this breach was not a result of their own systems compromised but rather the third-party analytics breach at Mixpanel. Since then OpenAI does not use the analytics provider anymore.

Okta/SSO data hacks

In January 2026, ShinyHunters was linked by multiple media and threat-intelligence firms to a series of social-engineering campaigns targeted enterprise single sign-on (SSO) environments, including Okta. The attacks relied on voice-phishing ("vishing") and credential-harvesting infrastructure rather than exploitation of vulnerabilities in Okta's software, according to Okta and multiple security researchers.

According to a report by BleepingComputer, the ShinyHunters group claimed responsibility for a wave of voice-phishing ("vishing") campaigns that tricked employees into divulging their SSO credentials and multi-factor authentication codes. These credentials were subsequently used to access enterprise SSO dashboards and harvest data from connected software-as-a-service (SaaS) platforms for extortion purposes. ^[63]

Okta itself publicly warned of active attacks in which threat actors used custom phishing kits and voice-based social engineering to steal SSO credentials, including Okta logins, and abuse those credentials to access cloud applications and exfiltrate data. Okta noted that these attacks did not exploit inherent vulnerabilities in its products, but instead leveraged sophisticated phishing techniques against individual users. ^[64]

Threat-intelligence analysis published by Google Cloud’s Threat Intelligence Group (formerly Mandiant) described how activity consistent with prior ShinyHunters-branded operations involved targeted voice-phishing and credential harvesting sites aimed at capturing SSO logins and MFA tokens. Once obtained, attackers could use the compromised SSO access to move laterally into applications such as Salesforce, Microsoft 365, and other enterprise services and then exfiltrate sensitive data. The analysis noted that some of the campaigns overlapped with ShinyHunters-branded activity tracked under multiple threat clusters. ^{[65] [66]}

This ongoing, highly active data theft campaign, as described by Charles Carmakal, CTO of Mandiant at Google Cloud, employs a very sophisticated social engineering approach that has led to data breaches at major companies including but not limited to Grubhub, Crunchbase, Betterment, Panera Bread, Match Group, Tinder, Hinge, OkCupid, and Bumble Inc. It is believed that a lot more victims have been impacted from this campaign, public disclosures are still impending.

According to a report by Silent Push, previously founded by FireEye, former owners of Mandiant, the ShinyHunters group and their broader collective "Scattered LAPSUS$ Hunters" ("SLH" / "SLSH") are actively targeting over 100 high-profile organizations in this campaign. ^[67]

Other data breaches

The following are other hacks that have been credited to or allegedly done by ShinyHunters. The estimated impacts of user records affected are also given, if possible. ^{[68] [69] [70]}

• JusPay - 100 million user records ^[71]
• Zoosk - 30 million user records ^[72]
• Chatbooks - 15 million user records ^[72]
• SocialShare - 6 million user records ^[72]
• Home Chef - 8 million user records ^[72]
• Minted - 5 million user records ^[72]
• Chronicle of Higher Education - 3 million user records ^[72]
• GuMim - 2 million user records ^[72]
• Mindful - 2 million user records ^[72]
• Bhinneka - 1.2 million user records ^[72]
• StarTribune - 1 million user records ^[72]
• Dave.com - 7.5 million users ^[73]
• Drizly.com - 2.4 million user records ^[74]
• Havenly - 1.3 million user records ^[74]
• Hurb.com - 20 million user records ^[75]
• Indabamusic - 475,000 user records ^[75]
• Ivoy.mx - 127,000 user records ^[75]
• Mathway - 25.8 million user records ^[75]
• Proctoru - 444,000 user records ^[74]
• Promo.com - 22 million user records ^[76]
• Rewards1 - 3 million user records ^[75]
• Scentbird - 5.8 million user records ^[74]
• Swvl - 4 million user records ^[75]
• Glofox - Unknown ^[77]
• Truefire - 602,000 user records ^[74]
• Vakinha - 4.8 million user records ^[74]
• Appen.com - 5.8 million user records ^[74]
• Styleshare - 6 million user records ^[75]
• Bhinneka - 1.2 million user records ^[75]
• Unacademy - 22 million user records ^{[78] [79]}
• Upstox - 111,000 user records ^[80]
• Aditya Birla Fashion and Retail - 5.4 million user records ^[75]
• Tokopedia - 91 million user records ^[81]
• Wishbone - 40 million user records ^[82]
• Wattpad - 270 million user records ^[83]
• Pluto TV - 3.2 million user records ^[84]
• Nitro PDF - 77 million user records ^[85]
• Bonobos (apparel) - 7 million user records ^[86]
• BigBasket - 20 million user records ^[87]
• AT&T - 71 million user records ^[88]
• Ticketmaster - 560 million user records ^[89]
• Santander - 30 million customer records ^[90]
• Twilio - 33.4 million user records ^[91]
• Neiman Marcus - 31 million user records ^[92]
• PowerSchool - 62 million user records ^[93]
• Legal Aid Agency - 2.1 million user records ^[94]
• Qantas - 5.7 million user records ^[95]
• Google AdSense - 2.55 million user records ^[96]
• Allianz Life - 1.1 million user records ^[97]
• Farmers Insurance Group - 1.1 million user records ^[98]
• TransUnion - 13 million user records ^[99]
• Kering - 56.4 million user records ^[100]
• Pornhub - 200 million records ^[101]
• SoundCloud - 29.8 million user records ^[102]

Lawsuits

ShinyHunters group is under investigation by the FBI, the Indonesian police, and the Indian police for the Tokopedia breach. Tokopedia's CEO and founder also confirmed this claim via a statement on Twitter. ^{[103] [104]}

Minted company reported the group's hack to US federal law enforcement authorities; the investigation is underway. ^[105]

Administrative documents from California reveal how ShinyHunters' hack has led to Mammoth Media, the creator of the app Wishbone, getting hit with a class-action lawsuit. ^[106]

Animal Jam stated that they are preparing to report ShinyHunters to the FBI Cyber Task Force and notify all affected emails. They have also created a 'Data Breach Alert' on their site to answer questions related to the breach. ^[107]

BigBasket filed a First Information Report (FIR) on November 6, 2020, to the Bengaluru Police to investigate the incident. ^[108]

Dave also initiated an investigation against the group for the company's security breach. The investigation is ongoing and the company is coordinating with local law enforcement and the FBI. ^[109]

Wattpad stated that they reported the incident to law enforcement and engaged third-party security experts to assist them in an investigation. ^[110]

Following the ransomware attack on Jaguar and Land Rover, which M&S hackers claimed responsibility for as first reported by the Telegraph, ^[44] also linked to the groups Scattered Spider and ShinyHunters, the National Cyber Security Centre, part of GCHQ, is understood to be monitoring the situation.

Arrests

In May 2022, Sébastien Raoult, a French programmer suspected of belonging to the group, was arrested in Morocco and extradited to the United States. He faced 20 to 116 years in prison. ^{[111] [112]}

In January 2024 Raoult was sentenced to three years in prison and ordered to return five million dollars. ^[113] Twelve months of the sentence are for conspiracy to commit wire fraud and the remainder for aggravated identity theft. ^[113] He will face 36 months of supervised release afterwards. ^[113] Raoult had worked for the group for more than two years according to the US Attorney's Office for the Western District of Washington, but was not a major player within the group. ^[113]

In May–June 2025, U.S. prosecutors in the District of Massachusetts charged Matthew D. Lane, a 19-year-old Massachusetts student, with hacking and extorting an education-technology provider widely reported to be PowerSchool; prosecutors said Lane used stolen contractor credentials to access the company's network in 2024, exfiltrate data on tens of millions of students and teachers, and demand a $2.85 million bitcoin ransom. Lane agreed to plead guilty on May 20, 2025, and entered a guilty plea on June 6, 2025. ^{[114] [115]} Although some re-extortion emails sent to North Carolina school authorities in early May 2025 opened with "Hello, we are ShinyHunters". ^[116]

On June 25, 2025, French authorities announced that four members of the ShinyHunters cyber criminal group were arrested in multiple French regions for cyber crime activities. The coordinated global law enforcement effort targeting the 'ShinyHunters', 'Hollow', 'Noct', and 'Depressed' aliases. ^[117]

It is believed that the French have arrested an affiliate of the ShinyHunters cyber criminal group and not the ring leader, as they are still wreaking havoc in the cybersecurity world. ^{[118] [38]}

References

1. "ShinyHunters Is a Hacking Group on a Data Breach Spree". Wired. ISSN   1059-1028 . Retrieved 2021-01-25.
2. Cimpanu, Catalin. "A hacker group is selling more than 100 billion user records on the dark web". ZDNet. Retrieved 2021-01-25.
3. King, Ashley (2024-06-19). "More Details Emerge on Ticketmaster Breach Affecting 500M+". Digital Music News. Retrieved 2025-01-19.
4. Frank, Allegra (2016-12-02). "Why Pokémon players spend hours and hours chasing shiny monsters". Polygon . Archived from the original on 2024-04-17. Retrieved 2024-12-23.
5. Cimpanu, Catalin (2020-05-22). "25 million user records leak online from popular math app Mathway". ZDNET . Retrieved 2025-04-18.
6. Cimpanu, Catalin. "Hacker leaks 40 million user records from popular Wishbone app". ZDNet. Retrieved 2021-01-25.
7. "Microsoft's GitHub account breached by threat actors Shiny Hunters". TechGenix. May 21, 2020.
8. "'Shiny Hunters' bursts onto dark web scene following spate of breaches". SC Media. May 8, 2020.
9. "Microsoft's GitHub account hacked, private repositories stolen". BleepingComputer.
10. Deschamps, Tara (2020-07-21). "Wattpad storytelling platform says hackers had access to user email addresses". CTVNews. Retrieved 2021-01-25.
11. "Wattpad warns of data breach that stole user info | CBC News". CBC. Retrieved 2021-01-25.
12. "Wattpad data breach exposes account info for millions of users". BleepingComputer. Retrieved 2021-01-25.
13. "ShinyHunters hacked Pluto TV service, 3.2M accounts exposed". Security Affairs. 2020-11-15. Retrieved 2021-01-25.
14. "3 Million Pluto TV Users' Data Was Hacked, But the Company Isn't Telling Them". Vice.com. 4 December 2020. Retrieved 2021-01-25.
15. Whittaker, Zack (16 November 2020). "Animal Jam was hacked, and data stolen; here's what parents need to know". TechCrunch. Retrieved 2021-01-25.
16. Abrams, Lawrence (2020-11-11). "Animal Jam kids' virtual world hit by data breach, impacts 46M accounts". BleepingComputer. Retrieved 2021-01-25.
17. "ShinyHunters hacker leaks 5.22GB worth of Mashable.com database". 5 November 2020. Retrieved 27 May 2023.
18. "Hacker leaks 1.9 million user records of photo editing app Pixlr". The Tribune . 2021-01-21. Retrieved 2021-01-25.
19. "Hacker leaks full database of 77 million Nitro PDF user records". BleepingComputer. Retrieved 2021-01-25.
20. "Bonobos clothing store suffers a data breach, hacker leaks 70GB database". BleepingComputer. Retrieved 2021-01-25.
21. "A Notorious Hacker Gang Claims to Be Selling Data on 70 Million AT&T Subscribers". GIzmodo. 21 August 2021. Retrieved 26 August 2023.
22. "AT&T finally acknowledged the data breach". Bleeping Computer. Retrieved 26 August 2023.
23. "AT&T acknowledges data breach affecting 51 million people - Panda Security". 12 April 2024.
24. "Bonobos clothing store suffers a data breach, hacker leaks 70GB database". RestorePrivacy. 11 January 2022. Retrieved 2022-01-11.
25. Zetter, Kim. "AT&T Paid a Hacker $370,000 to Delete Stolen Phone Records". Wired. ISSN   1059-1028 . Retrieved 2024-08-04.
26. "All Santander staff and millions of customers have data hacked". bbc.com. 2 June 2024. Retrieved 2024-07-22.
27. Zetter, Kim. "Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake". Wired. ISSN   1059-1028 . Retrieved 2024-07-22.
28. Rundle, James (2025-05-07). "PowerSchool Paid Ransom to Hackers After Breach". Wall Street Journal. ISSN   0099-9660 . Retrieved 2025-09-08.
29. Coker, James (2025-05-09). "PowerSchool Admits Ransom Payment Amid Fresh Extortion Demands". Infosecurity Magazine. Retrieved 2025-09-08.
30. Gatlan, Sergiu. "Texas sues PowerSchool over breach exposing 62M students, 880k Texans". BleepingComputer. Retrieved 2025-09-08.
31. "Legal Aid Agency cyber security incident: frequently asked questions". GOV.UK. 2025-09-04. Retrieved 2025-09-08.
32. "FalconFeeds.io Blog | Latest Cyber Threat Intelligence & Security Insights". falconfeeds.io. Retrieved 2025-09-08.
33. Croft, Daniel (2025-08-13). "ShinyHunters forms hacking supergroup with Scattered Spider, teases major leaks". cyberdaily.au. Retrieved 2025-09-08.
34. Moloney, Charlie. "'Hackers' threaten to publish Legal Aid Agency records". Law Gazette. Retrieved 2025-09-08.
35. Sellman, Mark (2025-08-11). "Hackers threaten to publish legal aid files unless member is freed". thetimes.com. Retrieved 2025-09-08.
36. "Access Restricted". telegraph.co.uk. Retrieved 2025-09-08.
37. "Scattered Spider has a new Telegram channel to list its attacks". DataBreaches.Net. 2025-08-09. Retrieved 2025-09-08.
38. Abrams, Lawrence. "ShinyHunters behind Salesforce data theft attacks at Qantas, Allianz Life, and LVMH". BleepingComputer. Retrieved 2025-09-08.
39. "The Cost of a Call: From Voice Phishing to Data Extortion". Google Cloud Blog. Retrieved 2025-09-08.
40. "Are Scattered Spider and ShinyHunters one group or two? And who did France arrest? (1)". DataBreaches.Net. 2025-08-03. Retrieved 2025-09-08.
41. Kovacs, Eduard (2025-08-06). "Google Discloses Data Breach via Salesforce Hack". SecurityWeek. Retrieved 2025-08-10.
42. Abrams, Lawrence. "Qantas confirms data breach impacts 5.7 million customers". BleepingComputer. Retrieved 2025-09-08.
43. Abrams, Lawrence. "Qantas discloses cyberattack amid Scattered Spider aviation breaches". BleepingComputer. Retrieved 2025-09-08.
44. "Access Restricted". telegraph.co.uk. Retrieved 2025-09-08.
45. "M&S hackers claim to be behind Jaguar Land Rover cyber attack". bbc.com. 2025-09-03. Retrieved 2025-09-08.
46. Toulas, Bill. "Jaguar Land Rover says cyberattack 'severely disrupted' production". BleepingComputer. Retrieved 2025-09-08.
47. "Statement on Cyber Incident | JLR Media Newsroom". media.jaguarlandrover.com. Retrieved 2025-09-08.
48. "Exclusive: High-end fashion retailers Gucci, Balenciaga, Brioni, and Alexander McQueen hit by Salesforce attacks". DataBreaches.Net. 2025-09-11. Retrieved 2026-02-01.
49. "Gucci, Balenciaga and Alexander McQueen hacked in cyber-attack". www.bbc.com. 2025-09-15. Retrieved 2026-02-01.
50. "Update: Kering confirms Gucci and other brands hacked; claims no conversations with hackers?". DataBreaches.Net. 2025-09-15. Retrieved 2026-02-01.
51. Abrams, Lawrence. "PornHub extorted after hackers steal Premium member activity data". BleepingComputer. Retrieved 2026-02-01.
52. Vicens, A.J. and Raphael Satter. "Hacking group 'ShinyHunters' threatens to expose premium users of sex site Pornhub". Reuters. Retrieved 2026-02-01.
53. Abrams, Lawrence. "SoundCloud confirms breach after member data stolen, VPN access disrupted". BleepingComputer. Retrieved 2026-02-01.
54. Gatlan, Sergiu. "Have I Been Pwned: SoundCloud data breach impacts 29.8 million accounts". BleepingComputer. Retrieved 2026-02-01.
55. Zetter, Kim (2024-06-17). "Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake". Wired. ISSN   1059-1028 . Retrieved 2025-03-10.
56. "ShinyHunters Leak What They Claim Are 33M Twilio Authy Phone Numbers, Neiman Marcus and Truist Bank Data". DataBreaches.Net. 2024-07-05. Retrieved 2025-09-08.
57. Gatlan, Sergiu. "ShinyHunters launches Salesforce data leak site to extort 39 victims". BleepingComputer. Retrieved 2025-10-30.
58. "Widespread Data Theft Targets Salesforce Instances via Salesloft Drift". Google Cloud Blog. Retrieved 2025-09-08.
59. Gatlan, Sergiu. "SaaS giant Workiva discloses data breach after Salesforce attack". BleepingComputer. Retrieved 2025-09-08.
60. Abrams, Lawrence. "ShinyHunters claims 1.5 billion Salesforce records stolen in Drift hacks". BleepingComputer. Retrieved 2025-09-19.
61. Abrams, Lawrence. "PornHub extorted after hackers steal Premium member activity data". BleepingComputer. Retrieved 2026-02-01.
62. Ilascu, Ionut. "OpenAI discloses API customer data breach via Mixpanel vendor hack". BleepingComputer. Retrieved 2026-02-01.
63. Abrams, Lawrence. "ShinyHunters claim hacks of Okta, Microsoft SSO accounts for data theft". BleepingComputer. Retrieved 2026-02-01.
64. "Phishing kits adapt to the script of callers". www.okta.com. Retrieved 2026-02-01.
65. "Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft". Google Cloud Blog. Retrieved 2026-02-01.
66. Abrams, Lawrence. "Mandiant details how ShinyHunters abuse SSO to steal cloud data". BleepingComputer. Retrieved 2026-02-01.
67. Kelly, Peggy (2026-01-26). "Special Alert: SLSH Malicious "Supergroup" Targeting 100+ Organizations via Live Phishing Panels". Silent Push. Retrieved 2026-02-01.
68. May 2020, Jitendra Soni 11 (11 May 2020). "ShinyHunters leak millions of user details". TechRadar. Retrieved 2021-01-25.
69. July 2020, Nicholas Fearn 29 (29 July 2020). "386 million user records stolen in data breaches — and they're being given away for free". Tom's Guide. Retrieved 2021-01-25.
70. ""Shiny Hunters" Hacker Group Keep 73 Mn User Records on Darknet". CISO MAG | Cyber Security Magazine. 2020-05-11. Retrieved 2021-01-25.
71. "Amazon, Swiggy's payment processor hit by data breach". The Times of India. Retrieved 2021-01-05.
72. Cimpanu, Catalin. "A hacker group is selling more than 73 million user records on the dark web". ZDNet.
73. "ShinyHunters Offers Stolen Data on Dark Web". Dark Reading. 28 July 2020. Retrieved 2021-01-25.
74. "ShinyHunters Offers Stolen Data on Dark Web". Dark Reading. 28 July 2020.
75. "ShinyHunters leaked over 386 million user records from 18 companies". Security Affairs. July 28, 2020.
76. "Promo.com data breach impacts 23 million content creators". The Daily Swig | Cybersecurity news and views. July 28, 2020.
77. Taylor, Charlie. "Irish start-up Glofox investigates possible data breach". The Irish Times. Retrieved 2021-01-25.
78. Defense, Binary. "Shiny Hunters Group Selling Data Stolen From 11 Different Companies" . Retrieved 27 May 2023.
79. "Shiny Hunters hackers try to sell a host of user records from breaches". MalwareTips Community. 8 May 2020.
80. "ShinyHunters dump partial database of broker firm Upstox". hackread.com. 12 April 2021.
81. "Indonesias Tokopedia probes alleged data leak of 91 mln users". reuters.com. 3 May 2020.
82. "Wishbone Breach: 40 million Records Leaked on Dark Web". infosecurity-magazine.com. 22 May 2020.
83. "Wattpad data breach exposes account info for millions of users". 14 July 2020.
84. "Hacker shares 3.2 million Pluto TV accounts for free on forum". 14 Nov 2020.
85. "Hacker leaks full database of 77 million Nitro PDF user records". 20 Jan 2021.
86. "Bonobos clothing store suffers a data breach, hacker leaks 70GB database". 22 Jan 2021.
87. "Hacker leaks 20 million alleged BigBasket user records for free". 25 April 2021.
88. "AT&T says leaked data of 70 million people is not from its systems". 17 Mar 2024.
89. "Data of 560 million Ticketmaster customers for sale after alleged breach". 30 May 2024.
90. "ShinyHunters claims Santander breach, selling data for 30M customers". 31 May 2025.
91. "Twilio Confirms Data Breach After Hackers Leak 33M Authy User Phone Numbers". 4 Jul 2024.
92. "Neiman Marcus data breach: 31 million email addresses found exposed". 8 Jul 2024.
93. "PowerSchool hacker claims they stole data of 62 million students". 22 Jan 2025.
94. "Legal Aid Agency data breach bigger than originally thought: affects data as far back as 2007". 21 Aug 2025.
95. "Qantas confirms data breach impacts 5.7 million customers". 9 Jul 2025.
96. "Google confirms data breach exposed potential Google Ads customers' info". 9 Aug 2025.
97. "Massive Allianz Life data breach impacts 1.1 million people". 19 Aug 2025.
98. "Farmers Insurance data breach impacts 1.1M people after Salesforce attack". 25 Aug 2025.
99. "TransUnion suffers data breach impacting over 4.4 million people". 28 Aug 2025.
100. "Exclusive: High-end fashion retailers Gucci, Balenciaga, Brioni, and Alexander McQueen hit by Salesforce attacks". 11 Sep 2025.
101. "PornHub extorted after hackers steal Premium member activity data". 15 Dec 2025.
102. "SoundCloud data breach impacts 29.8 million accounts". 27 Jan 2026.
103. "Who are Shiny Hunters?". AndroidRookies. May 21, 2020.
104. @UnderTheBreach (May 13, 2020). "Twitter post" (Tweet) – via Twitter.^{[ dead link ]}
105. "Minted confirms data breach as Shiny Hunters sell its database". 29 May 2020.
106. "Wishbone App Maker Mammoth Media Hit with Class Action Over Data Breach Affecting 40 Million Users". classaction.org. 4 June 2020.
107. "Animal Jam kids' virtual world hit by data breach, impacts 46M accounts". BleepingComputer.
108. "BigBasket, India's Leading Online Supermarket Shopping, Allegedly Breached. Personal details of over 20 million people sold in darkweb". cybleinc.com. 7 November 2020.
109. "Security incident at Dave". A Banking Blog for Humans. July 25, 2020.
110. "FAQs on the Recent Wattpad Security Incident". Help Center.
111. "Sébastien Raoult, Français incarcéré au Maroc, menacé d'extradition aux Etats-Unis où il risque une lourde peine". lemonde.fr (in French). August 3, 2022.
112. "Cybercriminalité: Détenu aux Etats-Unis, le Français Sébastien Raoult espère toujours un "retour en France"". 31 May 2023.
113. Jones, Connor (2024-01-10). "ShinyHunters chief phisherman gets 3 years, must cough up $5M". The Register . Retrieved 2024-01-12.
114. "District of Massachusetts | Worcester College Student to Plead Guilty to Cyber Extortions | United States Department of Justice". justice.gov. 2025-05-20. Retrieved 2025-09-08.
115. Abrams, Lawrence. "PowerSchool hacker pleads guilty to student data extortion scheme". BleepingComputer. Retrieved 2025-09-08.
116. "PowerSchool paid a hacker's extortion demand, but now school district clients are being extorted anyway (3)". DataBreaches.Net. 2025-05-07. Retrieved 2025-09-08.
117. Franceschi-Bicchierai, Lorenzo (2025-06-26). "US, French authorities confirm arrest of BreachForums hackers". TechCrunch. Retrieved 2025-07-03.
118. "Are Scattered Spider and ShinyHunters one group or two? And who did France arrest? (1)". DataBreaches.Net. 2025-08-03. Retrieved 2025-09-07.