Three hundred to four hundred companies. Snowflake, Okta, LastPass, AMD, Sony, and Salesforce itself. The group responsible did not plant ransomware, did not encrypt servers, and did not lock anyone out of their own systems. They just walked in through an open door, took everything of value, and sent a bill. That is the ShinyHunters model, and it is the reason security teams from San Francisco to Singapore are having emergency meetings as of March 2026.

This is not a story about a single breach. It is a story about how one financially motivated extortion group evolved from selling stolen databases on dark web forums to systematically compromising the cloud infrastructure that the global enterprise runs on. Understanding ShinyHunters means understanding where corporate cybersecurity is failing, and what needs to change before the next campaign begins.
Who Are ShinyHunters?
ShinyHunters is a black-hat hacking group that first surfaced publicly around 2019 and gained widespread notoriety through 2020 and 2021 with a wave of database thefts targeting consumer platforms. The group operates under a financially motivated model: steal data, put it up for sale on cybercrime forums, and give the victim a chance to pay before it goes public. They are not ideologically driven, not state-sponsored, and not interested in disruption for its own sake. They want money, and they are exceptionally good at getting it.
The group is associated with cybercrime forums including BreachForums, where stolen datasets have historically been advertised and auctioned. Their presence on Telegram has also been used to distribute sample data and pressure victims. Over time, ShinyHunters developed a reputation for the sheer volume of records stolen, often dealing in hundreds of millions of user credentials, behavioral data, and personally identifiable information across a single campaign.
Motivation and the Pay-or-Leak Model
The business logic behind ShinyHunters is brutally simple. Once they obtain a valuable dataset, they reach out to the victim organization with an extortion demand. If the company pays, the data is theoretically withheld from public release. If the company refuses, the data gets published in stages, often starting with a compelling sample to prove legitimacy and applying escalating pressure until the organization capitulates or accepts the reputational damage.
This model mirrors classic ransomware in psychology but removes the encryption step entirely. There is no technical recovery path, no decryption key to negotiate over. The leverage is purely informational, which makes it harder to remediate and, in some industries, far more damaging. A company can rebuild encrypted servers. It cannot un-leak 200 million user records.
Major ShinyHunters Breaches Since 2020
The group built its name on volume. In 2020, ShinyHunters was linked to breaches at Tokopedia, Indonesia’s largest e-commerce platform, where approximately 91 million account records were put up for sale. Shortly after came Wattpad, the story-sharing platform, with over 270 million user records including emails, hashed passwords, dates of birth, and IP addresses.
Pluto TV, Pixlr, Nitro PDF, and Bonobos followed in rapid succession through 2020 and 2021. The Bonobos breach notably included partial payment card data and shipping addresses for millions of customers. Each incident followed a recognizable pattern: access consumer platform, extract the user database, post it on BreachForums with a sample, collect payment or release.
The group’s early campaigns were notable not just for the data stolen but for the speed at which they cycled through targets. Within eighteen months of first appearing publicly, ShinyHunters had become one of the most prolific data theft operations in the world by sheer record count.
Incident Timeline

The Snowflake Campaign of 2024
The 2024 Snowflake-related breach marked a significant evolution in ShinyHunters’ targeting strategy. Rather than attacking individual consumer platforms one by one, the group pivoted to attacking the cloud data platforms that sit at the center of enterprise data infrastructure. Snowflake is a cloud data warehouse used by thousands of organizations to store and analyze their most sensitive operational data.
The attack vector was not a zero-day vulnerability in Snowflake’s platform itself. It was something far more mundane and far more preventable. Attackers used credentials stolen through infostealer malware to access Snowflake customer instances that lacked multi-factor authentication. Once inside a single account, the exfiltration of structured datasets was straightforward. Several high-profile organizations saw their data appear on dark web forums as a direct result.
This campaign illustrated a principle that ShinyHunters would continue to exploit through 2025 and into 2026: the most valuable data in the modern enterprise lives in shared cloud platforms, and the weakest link is rarely the platform itself. It is the human access controls that organizations configure around it.
The 2025 Mixpanel Breach and the Pornhub Extortion
On November 8, 2025, Mixpanel, a widely used behavioral analytics provider, was compromised through a targeted SMS phishing attack against its employees. The attackers, subsequently confirmed as ShinyHunters, used harvested credentials to move laterally through Mixpanel’s internal environment and access historical customer data repositories.
The breach had downstream victims across the analytics platform’s customer base. OpenAI confirmed its API users were affected. SoundCloud disclosed that roughly 20 percent of its user base, approximately 28 million accounts, had data exposed. The most publicly charged incident involved PornHub, whose Premium member analytics data was among the exfiltrated records.
ShinyHunters claimed to have obtained 94GB of data containing over 200 million records tied to PornHub Premium accounts. The data reportedly included email addresses, video viewing and download activity, search keywords, location data, video metadata, and precise timestamps. PornHub confirmed that passwords, payment information, and financial data were not exposed, and noted the company had not used Mixpanel’s services since 2021, making all affected records historical. Mixpanel for its part stated it did not believe the data originated from its November breach, though the dispute over origin did not alter the extortion campaign or its implications for affected users.
The reason this incident matters beyond the obvious privacy dimension is what it demonstrates about supply chain risk. ShinyHunters did not need to breach PornHub directly. They compromised a third-party vendor that held years of behavioral data from PornHub’s users, and the resulting extortion leverage was arguably more damaging than a direct credential theft would have been. Viewing history and search behavior are exactly the kinds of data that fuel targeted blackmail against individuals, not just corporate negotiations.
The 2026 Salesforce Experience Cloud Campaign
The most recent and arguably most technically sophisticated ShinyHunters operation involves Salesforce’s Experience Cloud platform, a product that allows businesses to build public-facing portals, customer help centers, and partner sites connected directly to their Salesforce CRM data.
ShinyHunters told BleepingComputer and The Register that in September 2025, they began systematically identifying and exploiting Salesforce Experience Cloud instances with misconfigured guest user permissions. The attack does not exploit a bug in Salesforce’s core platform. Instead, it targets a well-known configuration risk that Salesforce has warned customers about for years: Experience Cloud sites that allow guest users to access far more data than intended because administrators did not restrict the guest user profile appropriately.
The technical entry point is the /s/sfsites/aura API endpoint, which publicly accessible Experience Cloud sites expose to unauthenticated users. If the guest user profile on that site has been configured with excessive object and field permissions, an attacker can query Salesforce CRM data directly without logging in. ShinyHunters modified AuraInspector, an open-source auditing tool released by Mandiant in January 2026 specifically to help Salesforce admins find these misconfigurations, and turned it into a mass scanning and exploitation engine.
The group also discovered a way to bypass Salesforce’s 2,000-record query limit through the sortBy parameter in the GraphQL API, dramatically accelerating the pace of data exfiltration. When Salesforce patched that specific bypass over the weekend before issuing its public advisory, ShinyHunters told BleepingComputer they had already found a second method and were continuing to exploit it.
As of March 2026, ShinyHunters claims to have stolen data from between 300 and 400 organizations, including roughly 100 high-profile companies. Those cited include Snowflake, LastPass, Okta, AMD, Sony, and Salesforce itself. The group has issued extortion demands and threatened to leak data publicly if payment is not received. Dutch telecom provider Odido, which refused a reported one million euro ransom, saw millions of customer records dumped publicly as a warning to other victims.
How ShinyHunters Evolves Its Tactics

Initial Access and Weaponized Open Source Tools
What makes the 2026 Salesforce campaign technically instructive is the way ShinyHunters weaponized a legitimate security tool. AuraInspector was built by Mandiant to help defenders. ShinyHunters took the source code, modified it for offensive mass scanning, and turned a tool meant to identify vulnerabilities into the mechanism for exploiting them at scale. This pattern of repurposing legitimate tools is a hallmark of sophisticated threat groups and makes detection significantly harder because the traffic and API calls look like authorized administrative activity.
The group has also demonstrated the ability to exploit misconfigurations across different SaaS platforms systematically. The Snowflake attack in 2024 required stolen credentials. The Salesforce attack in 2026 required no credentials at all where configurations were permissive enough. The common thread is that ShinyHunters actively researches how enterprise platforms handle access control, identifies where customer misconfigurations create exposure, and builds automated pipelines to exploit those gaps at scale.
Social Engineering, Vishing, and AI Pressure Tactics
The group has moved beyond purely technical exploitation in its more recent campaigns. In operations linked to the broader Scattered LAPSUS ShinyHunters (SLSH) cluster, attackers have used AI-assisted voice phishing to impersonate IT support personnel and pressure employees into granting OAuth access or installing remote management tools. These vishing calls can be convincing to a degree that even security-conscious staff find difficult to identify.
ShinyHunters has also been linked to using Salesforce’s own omni-channel calling infrastructure to contact customers of victim organizations directly, compounding the downstream damage of a CRM compromise with active social engineering against the victim company’s customers. When a threat actor can call your customers while impersonating your brand using your own data and your own communication platform, the reputational harm extends far beyond a data disclosure notice.
Multi-Channel Extortion
When negotiation fails, ShinyHunters escalates. The group uses shaming blogs, posts sample data on BreachForums and Telegram, reaches out directly to media outlets with proof of compromise, and in cases involving the SLSH cluster, has been linked to threats of harassment and DDoS attacks against companies that refuse to engage. The goal is to make the cost of non-payment feel greater than the cost of the ransom. For publicly traded companies, the reputational calculus of a data breach going public often makes that calculation brutally clear.
What a ShinyHunters Breach Costs a Company
The financial and operational damage of a ShinyHunters campaign goes well beyond the ransom demand itself. Organizations face forensic investigation costs to establish the scope of what was accessed, legal costs related to regulatory notification requirements under frameworks such as GDPR or state data breach laws, and the operational burden of notifying millions of affected users. In Europe particularly, a failure to notify within mandatory timeframes carries its own regulatory penalties.
Customer trust, once eroded, does not recover quickly. The Odido case is instructive: millions of customer records went public because the company refused to pay. Those customers will associate the company with a data breach for years. For organizations in sectors where trust is foundational, such as financial services, healthcare, or cybersecurity itself, a ShinyHunters breach can cause damage that persists long after the technical incident is closed.
What It Means for Regular Users
For individual users, the risk from a ShinyHunters breach is more immediate and personal than a corporate headline suggests. Exposed email addresses and hashed passwords feed directly into credential stuffing pipelines, where automated tools try leaked credentials against banking, email, and social media accounts. Even hashed passwords become usable if the hashing algorithm was weak or if the password was common enough to appear in lookup tables.
The Mixpanel and Pornhub case takes this to a more uncomfortable place. When behavioral data, viewing history, search terms, and location metadata are exposed, the risk is not just account takeover. It is targeted extortion. People who used an adult platform under the assumption of privacy are now potentially identifiable by name, email, location, and the content they engaged with. ShinyHunters understands this leverage and communicates it directly in their extortion demands.
How Organizations Can Defend Against ShinyHunters-Style Attacks

Technical Controls
The most immediate lesson from the 2026 Salesforce campaign is that public-facing SaaS portals demand the same scrutiny as internal systems. Every Experience Cloud site should be audited against the principle of least privilege. Guest user profiles should have access to exactly the fields and objects required for the site to function and nothing beyond that. The API Enabled permission should be removed from guest user profiles unless there is an explicit technical requirement. Org-wide defaults for all sensitive objects should be set to Private for external users.
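The audit described above can be scripted against a Metadata API export of the guest user profile. The following is an added example written for this article, not code from Mandiant's AuraInspector or from Salesforce: it parses the standard Profile metadata XML (objectPermissions, fieldPermissions, userPermissions) and flags every object, field and user permission the guest has that is not on an allowlist of what the site needs. The sample profile and the allowlist (a help-center portal that only needs guests to create Cases and read Case.Subject) are constructed assumptions; substitute your own site's requirements.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a Metadata API Profile export for an Experience Cloud
# guest user. Invented for this example, not taken from any real org.
SAMPLE_GUEST_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <objectPermissions>
        <allowCreate>true</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Case</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowCreate>false</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Contact</object>
        <viewAllRecords>true</viewAllRecords>
    </objectPermissions>
    <fieldPermissions>
        <editable>false</editable>
        <field>Contact.Email</field>
        <readable>true</readable>
    </fieldPermissions>
    <fieldPermissions>
        <editable>false</editable>
        <field>Case.Subject</field>
        <readable>true</readable>
    </fieldPermissions>
    <userPermissions>
        <enabled>true</enabled>
        <name>ApiEnabled</name>
    </userPermissions>
</Profile>
"""

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
OBJECT_FLAGS = ("allowCreate", "allowRead", "allowEdit", "allowDelete",
                "viewAllRecords", "modifyAllRecords")

# Assumed site requirement (hypothetical): guests may open a Case and read
# its subject. Anything beyond this is over-provisioned for the portal.
REQUIRED_OBJECTS = {"Case": {"allowCreate", "allowRead"}}
REQUIRED_FIELDS = {"Case.Subject"}


def audit_guest_profile(profile_xml, required_objects, required_fields):
    """Return a list of findings: permissions the guest holds beyond the allowlist."""
    root = ET.fromstring(profile_xml)
    findings = []

    # Object-level permissions: any flag set to true that the site does not need.
    for op in root.findall("m:objectPermissions", NS):
        obj = op.findtext("m:object", namespaces=NS)
        granted = {f for f in OBJECT_FLAGS
                   if op.findtext(f"m:{f}", namespaces=NS) == "true"}
        allowed = required_objects.get(obj, set())
        if obj not in required_objects and granted:
            findings.append(f"object {obj}: guest has {sorted(granted)} "
                            f"but the site does not need this object")
        elif granted - allowed:
            findings.append(f"object {obj}: excess permissions {sorted(granted - allowed)}")

    # Field-level permissions: readable fields outside the allowlist.
    for fp in root.findall("m:fieldPermissions", NS):
        field = fp.findtext("m:field", namespaces=NS)
        if fp.findtext("m:readable", namespaces=NS) == "true" and field not in required_fields:
            findings.append(f"field {field}: readable by guest but not required")

    # User permissions: API Enabled on a guest profile is the one the article calls out.
    for up in root.findall("m:userPermissions", NS):
        if (up.findtext("m:name", namespaces=NS) == "ApiEnabled"
                and up.findtext("m:enabled", namespaces=NS) == "true"):
            findings.append("userPermission ApiEnabled: remove unless explicitly required")
    return findings


if __name__ == "__main__":
    for finding in audit_guest_profile(SAMPLE_GUEST_PROFILE, REQUIRED_OBJECTS, REQUIRED_FIELDS):
        print("FINDING:", finding)
```

Run against the constructed sample, the script reports three findings: the Contact object is readable (with View All Records) although the site does not use it, Contact.Email is readable, and API Enabled is on. Pointing it at a real export from your org's guest profile, with the allowlist replaced by the objects and fields your site actually renders, gives a repeatable least-privilege check rather than a one-off manual review.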
The broader principle applies across any cloud or SaaS platform. Snowflake accounts should require MFA without exception. AWS access keys in public repositories are still being exploited years after the industry agreed this was unacceptable. Service accounts should follow least-privilege principles. Every configuration decision that makes a platform slightly more convenient to access also potentially makes it more accessible to someone who should not have access.
Detection and Monitoring
Organizations should be actively monitoring Salesforce Aura Event logs for unusual query volumes, unexpected IP addresses querying CRM objects, spikes in record access outside business hours, and any access to objects that are not ordinarily part of the public Experience Cloud site’s function. Snowflake provides similar query history and access logging. The data to detect these attacks exists; the gap is usually in whether anyone is watching it.
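The four signals listed above (query volume, unexpected source addresses, off-hours access, and objects outside the site's function) translate directly into detection rules. The block below is an added example written for this article, not code from Salesforce or any vendor. It runs three such rules over a small set of constructed log lines; the column layout is a deliberate simplification invented here and is not the real Salesforce EventLogFile schema, and the business-hours window, row-volume threshold and allowed-object set are assumptions to be tuned per site.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log. The columns loosely echo event-log style but this is
# an invented, simplified format for the example, not the real Salesforce schema.
SAMPLE_LOG = """TIMESTAMP,CLIENT_IP,USER_TYPE,ENTITY_NAME,ROWS_PROCESSED
2026-03-02T10:15:02Z,203.0.113.10,Guest,Case,12
2026-03-02T10:16:40Z,203.0.113.10,Guest,Case,8
2026-03-02T03:02:11Z,198.51.100.7,Guest,Contact,2000
2026-03-02T03:02:15Z,198.51.100.7,Guest,Contact,2000
2026-03-02T03:02:19Z,198.51.100.7,Guest,Contact,2000
2026-03-02T03:02:23Z,198.51.100.7,Guest,Lead,2000
2026-03-02T14:20:05Z,192.0.2.44,Standard,Account,50
"""

SITE_OBJECTS = {"Case"}        # assumed: the only object the public portal renders
BUSINESS_HOURS = range(8, 19)  # assumed: 08:00-18:59 UTC
ROW_THRESHOLD_PER_IP = 5000    # assumed: rows a single guest IP may touch per log window


def detect_anomalies(log_text, site_objects=SITE_OBJECTS,
                     business_hours=BUSINESS_HOURS, row_threshold=ROW_THRESHOLD_PER_IP):
    """Apply guest-access detection rules and return a list of alert dicts."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    alerts = []
    rows_per_ip = Counter()
    seen_object = set()    # (ip, object) pairs already alerted on
    seen_offhours = set()  # ips already alerted on for off-hours access

    for r in rows:
        if r["USER_TYPE"] != "Guest":
            continue  # authenticated users belong to a different rule set
        ip, obj = r["CLIENT_IP"], r["ENTITY_NAME"]
        ts = datetime.strptime(r["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows_per_ip[ip] += int(r["ROWS_PROCESSED"])

        # Rule 1: a guest touched an object the site does not legitimately expose.
        if obj not in site_objects and (ip, obj) not in seen_object:
            seen_object.add((ip, obj))
            alerts.append({"rule": "guest_unexpected_object", "ip": ip, "detail": obj})

        # Rule 2: guest activity outside the expected hours of the site's audience.
        if ts.hour not in business_hours and ip not in seen_offhours:
            seen_offhours.add(ip)
            alerts.append({"rule": "guest_off_hours", "ip": ip, "detail": ts.isoformat()})

    # Rule 3: one guest IP pulled far more rows than a portal visitor ever would.
    for ip, total in rows_per_ip.items():
        if total > row_threshold:
            alerts.append({"rule": "guest_volume", "ip": ip, "detail": total})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOG):
        print(alert)
```

On the sample, the portal visitor at 203.0.113.10 reading a handful of Case rows during the day triggers nothing, while 198.51.100.7 produces four alerts: Contact and Lead are outside the site's function, the access happens at 03:00, and the IP has paged through 8,000 rows in under a minute. Repeated full-size result pages from one unauthenticated address is exactly the shape of bulk extraction the article describes, and it is visible in the logs long before the extortion email arrives.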
People and Process
No technical control compensates for an employee who is socially engineered into granting access. ShinyHunters and affiliated groups have demonstrated that AI-assisted voice fraud can be compelling enough to fool trained IT staff. Anti-phishing and vishing awareness programs need to specifically address the scenario of an unexpected call from someone claiming to be from IT support, a vendor, or a partner asking for credentials, MFA codes, or remote access.
Incident response planning should explicitly address the extortion scenario. When ShinyHunters makes contact, organizations need a pre-established protocol that involves legal counsel, law enforcement notification, public relations, and forensic investigation, and they need to execute it quickly. Improvising under the pressure of an active extortion threat produces worse outcomes.
For End Users
The most practical steps for individuals are the ones most frequently recommended and least frequently followed. A unique, randomly generated password for every account, stored in a password manager, means that a breach of one platform does not cascade into breaches of others. Enabling MFA on every account that supports it means that a leaked password is not sufficient for account takeover. Monitoring breach notification services such as Have I Been Pwned provides early warning when your credentials appear in a leaked dataset.
After a service you use is reported as a ShinyHunters victim, change your password on that platform immediately even if you have not received a direct notification. Treat any subsequent emails claiming to be from that company with skepticism, since your email address is now confirmed as associated with that account and makes you a target for follow-on phishing.
What ShinyHunters Tells Us About the Future of Cyber Extortion
The trajectory of ShinyHunters as a group mirrors a broader shift in the threat landscape. Traditional ransomware required malware deployment, network access, and a period of dwell time. Pure data extortion requires none of that. If the data is already accessible through a misconfigured API or a stolen credential, the entire attack can execute in hours.
The shift toward SaaS and cloud infrastructure as the attack surface is not a coincidence. It is a rational strategic choice. Enterprise data has consolidated into cloud platforms because cloud platforms are more efficient. That consolidation means a single misconfiguration or a single set of stolen credentials can yield data that would have required compromising dozens of on-premises systems a decade ago. ShinyHunters did not create this risk. They recognized it and built an operation around it.
The merger of ShinyHunters with elements of Scattered Spider and LAPSUS$ into what researchers are tracking as Scattered LAPSUS ShinyHunters (SLSH) suggests these groups are not operating independently in isolation. They are pooling tradecraft, sharing access to compromised infrastructure, and developing new capabilities such as the ShinySpid3r ransomware-as-a-service platform, which would allow affiliated actors to run encryption-based ransomware attacks alongside the existing data extortion model.
Will ShinyHunters Disappear or Rebrand?
Law enforcement actions have disrupted cybercrime groups before, and some ShinyHunters-affiliated individuals have faced legal consequences. But the pattern across financially motivated cybercrime is that prosecution of individual members rarely ends a group’s operational capacity. Members disperse, infrastructure moves, and the operation continues under a new name or within a new organizational structure. The tradecraft, the tooling, and the relationships persist.
What matters more than tracking whether ShinyHunters specifically continues operating is understanding the techniques they represent. Mass scanning of public SaaS endpoints for access control misconfigurations is not going away. Supply chain attacks targeting analytics providers and other third parties with access to sensitive behavioral data are not going away. AI-assisted social engineering that can convincingly impersonate IT staff will only become more accessible and harder to detect.
The defenses that work against ShinyHunters are the defenses that work against the broader class of financially motivated, data-focused extortion operations. Least privilege access, MFA everywhere, continuous monitoring of SaaS platforms, and organizational preparedness to respond to extortion without panic are not ShinyHunters-specific recommendations. They are the baseline from which any serious security program needs to operate.
Frequently Asked Questions
Who are ShinyHunters and when did they first appear?
ShinyHunters is a financially motivated black-hat group that began gaining public attention around 2019 and 2020, initially through database theft from consumer platforms. They operate by stealing large datasets and extorting victims under a pay-or-leak model.
What makes ShinyHunters different from ransomware gangs?
Traditional ransomware groups encrypt files to force payment. ShinyHunters skips the encryption step and leverages data theft alone. There is nothing to decrypt, which means there is no technical recovery path. The leverage is purely informational.
How did ShinyHunters attack the Snowflake platform in 2024?
The 2024 Snowflake campaign exploited stolen credentials obtained through infostealer malware. Accounts that lacked multi-factor authentication were accessible directly. The attack was not a platform vulnerability but a credential and configuration control failure.
What happened in the 2025 Pornhub incident?
ShinyHunters breached Mixpanel, a third-party analytics provider, through a smishing attack against Mixpanel employees. The exfiltrated data included historical analytics records tied to PornHub Premium users, covering over 200 million records including email addresses, search history, viewing behavior, and location data.
What is the 2026 Salesforce Experience Cloud breach?
Beginning in September 2025, ShinyHunters systematically scanned publicly accessible Salesforce Experience Cloud sites for misconfigured guest user permissions. Using a modified version of the legitimate AuraInspector tool, they queried CRM data through exposed API endpoints without authentication. By March 2026, they claimed data from 300 to 400 organizations.
How can organizations protect against ShinyHunters?
Restrict guest user permissions on public SaaS portals to the absolute minimum required. Enforce MFA on all cloud and SaaS accounts. Monitor API access logs continuously for anomalous activity. Train staff specifically on voice phishing scenarios. Have a tested incident response plan that covers data extortion.
What should individual users do after a ShinyHunters breach?
Change passwords on any affected platform immediately. Use a password manager with unique credentials for every account. Enable MFA wherever possible. Be alert to phishing emails following a breach, since your email address is now in a confirmed active database.