What Is ShinyHunters? The Hacking Group Behind Hundreds of Data Breaches

ShinyHunters is one of the most active data-extortion groups online. Here's who they are, the companies they've hit, and how to keep your own data safe from data ransom gangs.
We receive compensation from the products and services mentioned in this story, but the opinions are the author's own. Compensation may impact where offers appear. We have not included all available products or offers. Learn more about how we make money and our editorial policies.

If you just got a data breach notice, there's a good chance ShinyHunters is the reason.

ShinyHunters is a cybercriminal group behind some of the biggest data breaches in recent memory — the kind that swept up Ticketmaster buyers, bank customers, and even students. The group breaks into the companies that store your information, then sells or ransoms what it steals for profit. If you've shopped, banked, or studied online, your data may already be part of one of their hauls.

This guide covers who ShinyHunters is, how the group operates, and exactly what to do if your information is exposed.

In this article
Who is ShinyHunters?
How does ShinyHunters hack companies?
Notable ShinyHunters data breaches
What ShinyHunters breaches mean for you
How to protect your data
Bottom line
FAQs

Who is ShinyHunters?

ShinyHunters is a cybercriminal group that specializes in large-scale data breaches and extortion. The “data ransom gang” began to gain attention in 2020 after attempting to sell what they claimed were over 200 million records from at least 13 companies.

In the years since, that tally has grown enormously. Security vendors have tied ShinyHunters to hundreds of breaches, tallying 300 or more by some counts. In 2026 alone, ShinyHunters claimed to have breached more than 100 companies through a single software vulnerability — a pace that has made it one of the most active data-extortion groups online. The group itself claims to have stolen well over a billion records, though its own boasts are worth taking with a grain of salt.

The cybercrime gang's name is a nod to the Pokémon games, where "shiny hunting" means grinding through encounter after encounter in search of a rare, one-of-a-kind creature. ShinyHunters takes the same approach to data: methodically working through target after target until something valuable turns up.

The FBI claims ShinyHunters targets major companies across retail, tech, and finance, often stealing millions of records at once.

ShinyHunters uses a "pay or leak" extortion model. Extortion is a form of coercion where someone is forced to pay or comply under threat of harm.

ShinyHunters/Fair Use
ShinyHunters hacking message

After they steal company data, ShinyHunters will demand a ransom in exchange for not releasing or selling it on the dark web marketplace. The dark web is an unlisted, hidden part of the internet commonly used for anonymous activity.

French authorities arrested several individuals believed to be linked to the ShinyHunters collective in mid‑2025, as part of a broader crackdown on the BreachForums cybercrime marketplace.

However, the attacks didn't stop. ShinyHunters isn't a single, tidy crew: it operates under a lead persona known as ShinyCorp and overlaps with a wider web of cybercriminals sometimes called The Com — the same loose network linked to groups like Scattered Spider and Lapsus$, which were reported to be joining forces on extortion campaigns in 2025. That structure is exactly why the arrests didn't end the attacks: ShinyHunters behaves more like a resilient brand than one gang you can shut down.

ShinyHunters doesn't target individuals directly. The hacking group breaches the companies that hold your data. Here's what a data breach actually is and why it matters.

How does ShinyHunters hack companies?

ShinyHunters use multiple techniques to gain access to company systems. Here's a breakdown of what they are linked to:

  • Hybrid voice phishing and social engineering: ShinyHunters reportedly call or message employees while posing as IT support or trusted vendors. Then they walk them through a phishing process that tricks them into sharing their login credentials or approving malicious requests. That single move can sidestep multi-factor authentication and open the company's single sign-on (SSO): the master key that unlocks dozens of connected apps. From there, the group moves into cloud tools like Salesforce, where your data is stored.
  • OAuth access tokens: The group is described as using OAuth access tokens to move between connected services without needing passwords again. OAuth access tokens are passes that let apps talk to each other.
  • Misconfigured cloud platforms: ShinyHunters also looks for misconfigured cloud platforms to exploit. They can extract large volumes of data from exposed environments.

The common thread is that they target a company's systems and vendors. ShinyHunters doesn't target individual data, but rather millions of records at once. For the everyday person, this means your data can end up in a cybercriminal's hands, and there's nothing you can do to stop it.

Notable ShinyHunters data breaches

ShinyHunters is linked to several headline-making breaches that have affected concertgoers, students, and bank customers. Here's a look at a few of their biggest hits:

In 2024, ShinyHunters broke into Snowflake-hosted data. Major companies like Ticketmaster and Santander were affected by this breach. Anyone who bought a concert ticket or opened a bank account suddenly had their data in ShinyHunters' hands.

ShinyHunters has also targeted Salesforce, a popular customer database used by several companies. The group exploited poorly configured Experience Cloud sites to download thousands of records.

In April 2026, ShinyHunters went after the education world. The group breached Instructure's Canvas data, a learning platform used by hundreds of schools. The FBI warned students and families not to pay extortion demands and to stay alert to targeted phishing campaigns.

ShinyHunters target Year What was exposed
Ticketmaster 2024 Customer details and some payment-related data from a cloud database, affecting a reported 560 million customers.
AT&T 2024 Call and text records — phone numbers and logs of who customers contacted — for nearly all of AT&T's roughly 110 million customers, stolen from its Snowflake cloud account.
Santander 2024 Bank customer records, including personal and account information, affecting Santander staff and over 30 million customers.
Salesforce customers (various) 2025-2026 Business and customer contact info (names, emails, phone numbers) from many companies' Salesforce CRM systems, including contact data tied to Google.
ADT 2026 Names, phone numbers, and home addresses of about 5.5 million people, plus dates of birth and partial Social Security or Tax IDs for a small share. No payment data or security systems were affected.
7-Eleven 2026 Names, dates of birth, emails, phone numbers, and addresses of about 185,300 people; some records also included Social Security and driver's license numbers.
Instructure's Canvas 2026 Student and staff names, school emails, IDs, and private messages across hundreds of schools.

What ShinyHunters breaches mean for you

Because ShinyHunters raids corporate databases, the stolen data is usually the everyday details companies keep on you: names, email addresses, and phone numbers. Larger breaches have exposed more sensitive information too, like financial and account records. 

Even a leaked email and phone number is enough to fuel convincing phishing and scam attempts, and the worry is real. In our survey, 97% of people said they'd be highly concerned if their Social Security number leaked, and 94% said the same about their banking information.

When ShinyHunters steal data, they look for the best ways to maximize profit. They may sell information in bulk, try to extort companies or individuals, or create a targeted social engineering or phishing campaign. 

For the average person, this means your data could get sold to another bad actor who will then try to steal your identity or take over your accounts.

While this is alarming, the constant noise around data breaches leaves people feeling fatigued. 65% of internet users received a breach notice in the previous year. Data breaches happen so often that half of users feel desensitized to the news.

How often data breaches happen

You may feel like there's nothing you can do to protect your data. It's in the control of companies. But you can still take proactive measures to minimize the effects of data breaches.

How to protect your data

If you do get a data breach notice, change the login credentials of the affected account. 24% of internet users we surveyed don't change their account or password, even when they know that their account was breached.

Chart showing that there's signs of data breach fatigue

But you don't have to wait until your account is breached to take action. You can also use an identity monitoring service to monitor your financial accounts and search for your personal data on the dark web.

  • Use a password manager: A password vault can securely store your login credentials, making it easier to create unique passwords for each account. Password managers also have a tool to help generate complex passwords.
  • Use a data removal service: Keep your data off the internet, data broker sites, and people-search sites. Data broker removal will request deletion on your behalf and continuously monitor for new uploads.
  • Stay alert to phishing emails or messages: Don't open links or attachments from senders until you confirm their legitimacy. Knowing the signs of a phishing attempt can help protect you.

So how do you know if you're caught up in a ShinyHunters breach? Sometimes the company will send you a notice — but not always, and not right away. A few minutes of action after a breach can save months of identity-theft cleanup. Run a free data breach scan to see whether your email or personal info has surfaced in a known leak. If it has, change those passwords immediately and turn on two-factor authentication.


Bottom line

ShinyHunters is an active cybercriminal group that constantly seeks ways to breach companies and commit large-scale data breaches. While you can't personally stop them, you can control how exposed you are.

If you receive a data breach notice, take immediate action to secure your account or follow the company's instructions.

Using unique passwords for each account can reduce the risk of multiple accounts getting breached. A password manager can keep track of all your passwords and help you generate new ones. You should also use services that bundle identity theft monitoring and data removal to keep your personal information secure.

Learn more about the best identity theft protection services we’ve tested.

4.8
2026 Editors’ Choice
Best Overall Identity Theft Protection Service
Identity Protection
Aura Identity Theft
  • ID theft protection that monitors your SSN, bank accounts, credit cards, and brokerage and retirement accounts for suspicious activity
  • Every plan includes the full feature set, so no additional cost to unlock monitoring, insurance, or restoration
  • Bundles data removal with identity theft protection, antivirus, VPN, and a password manager in one subscription
Learn More

FAQs

Is ShinyHunters still active in 2026?

Yes, ShinyHunters is still active in 2026. Multiple investigations and advisories suggest that ShinyHunters is behind recent campaigns like the Canvas education breach and the 7-Eleven breach.

What should I do if my data was leaked by ShinyHunters?

If your data was leaked by ShinyHunters, you should take immediate action to protect your accounts and identity. Start by changing your passwords to the affected accounts and enabling two-factor authentication (2FA). You should also monitor your bank and credit cards for unauthorized activity.

Has anyone from ShinyHunters been arrested?

Yes, people affiliated with ShinyHunters have been arrested. French authorities arrested several people in June 2025 who prosecutors say were linked to BreachForums and ShinyHunters. However, attacks from ShinyHunters continue.

Is ShinyHunters ransomware?

No, ShinyHunters isn't ransomware. ShinyHunters is a cybercriminal group, sometimes referred to as a data ransom gang, that targets large companies to gain access to millions of records. The group focuses on data theft and extortion for profit.



4.8
Editorial Rating
Get Deal
On Aura Identity Theft's website
2026 Editors’ Choice
Best Overall Identity Theft Protection Service
Identity Protection
Aura Identity Theft
PROMOTION: Save Up to 68%
  • ID theft protection that monitors your SSN, bank accounts, credit cards, and brokerage and retirement accounts for suspicious activity
  • Every plan includes the full feature set, so no additional cost to unlock monitoring, insurance, or restoration
  • Bundles data removal with identity theft protection, antivirus, VPN, and a password manager in one subscription
Author Details
Sara J. Nguyen has spent more than five years covering data privacy, identity theft protection, and online safety. She approaches the beat with a public relations background that gives her a particular eye for the gap between how companies present their products and what those products actually do for users. She has authored more than 140 articles for All About Cookies and has been published in Frontier Communications, Hootsuite, Zapier, and LogRocket.