All About Cookies is an independent, advertising-supported website. Some of the offers that appear on this site are from third-party advertisers from which All About Cookies receives compensation. This compensation may impact how and where products appear on this site (including, for example, the order in which they appear).
All About Cookies does not include all financial or credit offers that might be available to consumers nor do we include all companies or all available products. Information is accurate as of the publishing date and has not been provided or endorsed by the advertiser.
The All About Cookies editorial team strives to provide accurate, in-depth information and reviews to help you, our reader, make online privacy decisions with confidence. Here's what you can expect from us:
- All About Cookies makes money when you click the links on our site to some of the products and offers that we mention. These partnerships do not influence our opinions or recommendations. Read more about how we make money.
- Partners are not able to review or request changes to our content except for compliance reasons.
- We aim to make sure everything on our site is up-to-date and accurate as of the publishing date, but we cannot guarantee we haven't missed something. It's your responsibility to double-check all information before making any decision. If you spot something that looks wrong, please let us know.
If you just got a data breach notice, there's a good chance ShinyHunters is the reason.
ShinyHunters is a cybercriminal group behind some of the biggest data breaches in recent memory — the kind that swept up Ticketmaster buyers, bank customers, and even students. The group breaks into the companies that store your information, then sells or ransoms what it steals for profit. If you've shopped, banked, or studied online, your data may already be part of one of their hauls.
This guide covers who ShinyHunters is, how the group operates, and exactly what to do if your information is exposed.
How does ShinyHunters hack companies?
Notable ShinyHunters data breaches
What ShinyHunters breaches mean for you
How to protect your data
Bottom line
FAQs
Who is ShinyHunters?
ShinyHunters is a cybercriminal group that specializes in large-scale data breaches and extortion. The “data ransom gang” began to gain attention in 2020 after attempting to sell what they claimed were over 200 million records from at least 13 companies.
In the years since, that tally has grown enormously. Security vendors have tied ShinyHunters to hundreds of breaches, tallying 300 or more by some counts. In 2026 alone, ShinyHunters claimed to have breached more than 100 companies through a single software vulnerability — a pace that has made it one of the most active data-extortion groups online. The group itself claims to have stolen well over a billion records, though its own boasts are worth taking with a grain of salt.
The cybercrime gang's name is a nod to the Pokémon games, where "shiny hunting" means grinding through encounter after encounter in search of a rare, one-of-a-kind creature. ShinyHunters takes the same approach to data: methodically working through target after target until something valuable turns up.
The FBI claims ShinyHunters targets major companies across retail, tech, and finance, often stealing millions of records at once.
ShinyHunters uses a "pay or leak" extortion model. Extortion is a form of coercion where someone is forced to pay or comply under threat of harm.
After they steal company data, ShinyHunters will demand a ransom in exchange for not releasing or selling it on the dark web marketplace. The dark web is an unlisted, hidden part of the internet commonly used for anonymous activity.
French authorities arrested several individuals believed to be linked to the ShinyHunters collective in mid‑2025, as part of a broader crackdown on the BreachForums cybercrime marketplace.
However, the attacks didn't stop. ShinyHunters isn't a single, tidy crew: it operates under a lead persona known as ShinyCorp and overlaps with a wider web of cybercriminals sometimes called The Com — the same loose network linked to groups like Scattered Spider and Lapsus$, which were reported to be joining forces on extortion campaigns in 2025. That structure is exactly why the arrests didn't end the attacks: ShinyHunters behaves more like a resilient brand than one gang you can shut down.
How does ShinyHunters hack companies?
ShinyHunters use multiple techniques to gain access to company systems. Here's a breakdown of what they are linked to:
- Hybrid voice phishing and social engineering: ShinyHunters reportedly call or message employees while posing as IT support or trusted vendors. Then they walk them through a phishing process that tricks them into sharing their login credentials or approving malicious requests. That single move can sidestep multi-factor authentication and open the company's single sign-on (SSO): the master key that unlocks dozens of connected apps. From there, the group moves into cloud tools like Salesforce, where your data is stored.
- OAuth access tokens: The group is described as using OAuth access tokens to move between connected services without needing passwords again. OAuth access tokens are passes that let apps talk to each other.
- Misconfigured cloud platforms: ShinyHunters also looks for misconfigured cloud platforms to exploit. They can extract large volumes of data from exposed environments.
The common thread is that they target a company's systems and vendors. ShinyHunters doesn't target individual data, but rather millions of records at once. For the everyday person, this means your data can end up in a cybercriminal's hands, and there's nothing you can do to stop it.
Notable ShinyHunters data breaches
ShinyHunters is linked to several headline-making breaches that have affected concertgoers, students, and bank customers. Here's a look at a few of their biggest hits:
In 2024, ShinyHunters broke into Snowflake-hosted data. Major companies like Ticketmaster and Santander were affected by this breach. Anyone who bought a concert ticket or opened a bank account suddenly had their data in ShinyHunters' hands.
ShinyHunters has also targeted Salesforce, a popular customer database used by several companies. The group exploited poorly configured Experience Cloud sites to download thousands of records.
In April 2026, ShinyHunters went after the education world. The group breached Instructure's Canvas data, a learning platform used by hundreds of schools. The FBI warned students and families not to pay extortion demands and to stay alert to targeted phishing campaigns.
| ShinyHunters target | Year | What was exposed |
| Ticketmaster | 2024 | Customer details and some payment-related data from a cloud database, affecting a reported 560 million customers. |
| AT&T | 2024 | Call and text records — phone numbers and logs of who customers contacted — for nearly all of AT&T's roughly 110 million customers, stolen from its Snowflake cloud account. |
| Santander | 2024 | Bank customer records, including personal and account information, affecting Santander staff and over 30 million customers. |
| Salesforce customers (various) | 2025-2026 | Business and customer contact info (names, emails, phone numbers) from many companies' Salesforce CRM systems, including contact data tied to Google. |
| ADT | 2026 | Names, phone numbers, and home addresses of about 5.5 million people, plus dates of birth and partial Social Security or Tax IDs for a small share. No payment data or security systems were affected. |
| 7-Eleven | 2026 | Names, dates of birth, emails, phone numbers, and addresses of about 185,300 people; some records also included Social Security and driver's license numbers. |
| Instructure's Canvas | 2026 | Student and staff names, school emails, IDs, and private messages across hundreds of schools. |
What ShinyHunters breaches mean for you
Because ShinyHunters raids corporate databases, the stolen data is usually the everyday details companies keep on you: names, email addresses, and phone numbers. Larger breaches have exposed more sensitive information too, like financial and account records.
Even a leaked email and phone number is enough to fuel convincing phishing and scam attempts, and the worry is real. In our survey, 97% of people said they'd be highly concerned if their Social Security number leaked, and 94% said the same about their banking information.
When ShinyHunters steal data, they look for the best ways to maximize profit. They may sell information in bulk, try to extort companies or individuals, or create a targeted social engineering or phishing campaign.
For the average person, this means your data could get sold to another bad actor who will then try to steal your identity or take over your accounts.
While this is alarming, the constant noise around data breaches leaves people feeling fatigued. 65% of internet users received a breach notice in the previous year. Data breaches happen so often that half of users feel desensitized to the news.
You may feel like there's nothing you can do to protect your data. It's in the control of companies. But you can still take proactive measures to minimize the effects of data breaches.
How to protect your data
If you do get a data breach notice, change the login credentials of the affected account. 24% of internet users we surveyed don't change their account or password, even when they know that their account was breached.
But you don't have to wait until your account is breached to take action. You can also use an identity monitoring service to monitor your financial accounts and search for your personal data on the dark web.
- Use a password manager: A password vault can securely store your login credentials, making it easier to create unique passwords for each account. Password managers also have a tool to help generate complex passwords.
- Use a data removal service: Keep your data off the internet, data broker sites, and people-search sites. Data broker removal will request deletion on your behalf and continuously monitor for new uploads.
- Stay alert to phishing emails or messages: Don't open links or attachments from senders until you confirm their legitimacy. Knowing the signs of a phishing attempt can help protect you.
So how do you know if you're caught up in a ShinyHunters breach? Sometimes the company will send you a notice — but not always, and not right away. A few minutes of action after a breach can save months of identity-theft cleanup. Run a free data breach scan to see whether your email or personal info has surfaced in a known leak. If it has, change those passwords immediately and turn on two-factor authentication.
Bottom line
ShinyHunters is an active cybercriminal group that constantly seeks ways to breach companies and commit large-scale data breaches. While you can't personally stop them, you can control how exposed you are.
If you receive a data breach notice, take immediate action to secure your account or follow the company's instructions.
Using unique passwords for each account can reduce the risk of multiple accounts getting breached. A password manager can keep track of all your passwords and help you generate new ones. You should also use services that bundle identity theft monitoring and data removal to keep your personal information secure.
Learn more about the best identity theft protection services we’ve tested.
FAQs
Is ShinyHunters still active in 2026?
Yes, ShinyHunters is still active in 2026. Multiple investigations and advisories suggest that ShinyHunters is behind recent campaigns like the Canvas education breach and the 7-Eleven breach.
What should I do if my data was leaked by ShinyHunters?
If your data was leaked by ShinyHunters, you should take immediate action to protect your accounts and identity. Start by changing your passwords to the affected accounts and enabling two-factor authentication (2FA). You should also monitor your bank and credit cards for unauthorized activity.
Has anyone from ShinyHunters been arrested?
Yes, people affiliated with ShinyHunters have been arrested. French authorities arrested several people in June 2025 who prosecutors say were linked to BreachForums and ShinyHunters. However, attacks from ShinyHunters continue.
Is ShinyHunters ransomware?
No, ShinyHunters isn't ransomware. ShinyHunters is a cybercriminal group, sometimes referred to as a data ransom gang, that targets large companies to gain access to millions of records. The group focuses on data theft and extortion for profit.