ShinyHunters


ShinyHunters is a notorious black-hat criminal hacker and extortion group that is believed to have formed in 2019, and is said to have been involved in a massively significant amount of data breaches. The group often extorts the company they've hacked, if the company does not pay the ransom the stolen information is sold or often leaked on the dark web. They use very aggressive tactics in order to get victims to comply with their demands.

Name and alias

The name of the group is believed to be derived from Shiny Pokémon, an aspect of the Pokémon video game franchise where Pokémon have a rare chance of being encountered in an alternate, "shiny" color scheme; players who actively try to collect such Pokémon through in-game strategies are often referred to as "shiny hunters".

Notable data breaches

  • Mathway: In January 2020, ShinyHunters breached Mathway, stealing roughly 25 million users' data. Mathway is a popular math app for students that helps solve algebraic equations.
  • Tokopedia: On 2 May 2020 Tokopedia was breached by ShinyHunters, which claimed to have data for 91 million user accounts, revealing users' gender, location, username, full name, email address, phone number, and hashed passwords.
  • Wishbone: Also in May 2020, ShinyHunters leaked the full user database of Wishbone, which is said to contain personal information such as usernames, emails, phone numbers, city/state/country of residence, and hashed passwords.
  • Microsoft: In May 2020, ShinyHunters also claimed to have stolen over 500 GB of Microsoft source code from the company's private GitHub account. The group published around 1GB of data from the hacked GitHub account to a hacking forum. Some cybersecurity experts doubted the claims until analyzing the code; upon analysis, ShinyHunters' claims were no longer in question. Microsoft told Wired in a statement that they are aware of the breach. Microsoft later secured their GitHub account, which was confirmed by ShinyHunters as they reported being unable to access any repositories.
  • Wattpad: In July 2020, ShinyHunters gained access to the Wattpad database containing 270 million user records. Information leaked included usernames, real names, hashed passwords, email addresses, geographic location, gender, and date of birth.
  • Pluto TV: In November 2020, it was reported that ShinyHunters gained access to the personal data of 3.2 million Pluto TV users. The hacked data included users' display names, email addresses, IP addresses, hashed passwords and dates of birth.
  • Animal Jam: It was also reported in November 2020 that ShinyHunters was behind the hack of Animal Jam, leading to the exposure of 46 million accounts.
  • Mashable: In November 2020, ShinyHunters leaked 5.22GB worth of the Mashable database on a prominent hacker forum.
  • Pixlr: In January 2021, ShinyHunters leaked 1.9 million user records from Pixlr.
  • Nitro PDF: In January 2021, a hacker claiming to be a part of ShinyHunters leaked the full database of Nitro PDF — which contains 77 million user records — on a hacker forum for free.
  • Bonobos: In January 2021 it was reported that ShinyHunters leaked the full Bonobos backup cloud database to a hacker forum. The database is said to contain the address, phone numbers, and order details for 7 million customers; general account information for another 1.8 million registered customers; and 3.5 million partial credit card records and hashed passwords.
  • AT&T Wireless: In 2021, ShinyHunters began selling information on 70 million AT&T wireless subscribers, which contained users' phone numbers, personal information and social security numbers. AT&T acknowledged the data breach in 2024.
  • Aditya Birla Fashion and Retail: In December 2021, Indian retailer Aditya Birla Fashion and Retail was breached and ransomed. The ransom demand was allegedly rejected and data containing 5.4 million unique email addresses were subsequently dumped publicly on a popular hacking forum the next month. The data contained extensive personal customer information including names, phone numbers, physical addresses, birth dates, order histories and passwords stored as MD5 hashes
  • AT&T Wireless : In April 2024, the ShinyHunters cyber criminal group hacked AT&T Wireless and stole data on over 110 million customers. In May, AT&T paid a $370,000 ransom to one of the group's members to delete the data.
  • Santander: On May 30, 2024, Santander was breached by ShinyHunters, which resulted in all Santander staff and '30 million' customers in Spain, Chile and Uruguay compromised.
  • Ticketmaster: The ShinyHunters cybercriminal group have claimed responsibility for breaching Ticketmaster via the Snowflake campaign.
  • PowerSchool: In December 2024, education-software vendor PowerSchool was breached; the attacker demanded $2.85 million and the company paid a ransom to prevent release of stolen student/teacher data. In early May 2025, new extortion emails began hitting individual school districts that were customers of PowerSchool, with outlets reporting attempts to leverage the stolen data from an earlier PowerSchool breach identified by CrowdStrike. One message shared with opened, "Hello, we are ShinyHunters," demanding payment from North Carolina authorities, though the publication cautioned it could not authenticate the sender's identity. BleepingComputer likewise reported that someone claiming to be ShinyHunters was re-extorting districts, while a person identifying as the group's leader told the outlet the culprit was an affiliate impersonating them.
  • Legal Aid Agency : The Ministry of Justice disclosed on 22 May 2025 that the Legal Aid Agency suffered a cyber incident affecting applicants who used its digital service from 2007 until systems were taken offline on 16 May 2025; the MoJ has not named a culprit and says investigations are ongoing. In August 2025, multiple outlets reported that a group using the ShinyHunters name posted on Telegram claiming responsibility and threatening to leak LAA data unless a member was freed; The Times and The ''Law Society Gazette'' covered the claim while noting authorities had not verified the posts and that the deadline passed without a leak.
  • LVMH : In mid-2025, luxury conglomerate LVMH confirmed that several of its brands – including Louis Vuitton, Dior, and Tiffany & Co. – experienced unauthorized access to a customer information database managed by a third-party platform. While each subsidiary disclosed limited details, investigators later tied these incidents to the ShinyHunters Salesforce data-theft campaign. The threat actors privately extorted the firms via email and were ultimately identified as part of the UNC6040/UNC6240 clusters described by Google.
  • Google: On June 4, 2025, Google Threat Intelligence Group reported on UNC6040, a cluster of voice-phishing campaigns targeting organizations' Salesforce instances. The attackers used modified versions of Data Loader to export Salesforce data and subsequently extort the victims. GTIG attributed the activity to ShinyHunters. According to , ShinyHunters have merged with Scattered Spider. On August 5, 2025, Google confirmed that a corporate Salesforce instance of Google's containing contact information and notes for small and medium-sized businesses had been compromised by UNC6040/ShinyHunters activity.
  • Qantas: In July 2025, Australian airline Qantas suffered a cyberattack that exposed data of approximately 5.7 million customers. Initially attributed to Scattered Spider by multiple professional security researchers and journalists. Later confirmed to be the work of the ShinyHunters cybercriminal group. According to and many others journalists/security researchers, ShinyHunters have merged with Scattered Spider.
  • Jaguar Land Rover: On September 2, 2025, Jaguar Land Rover disclosed a cyber incident and proactively shut down systems, causing severe disruption to production and retail operations. In the days that followed, outlets reported that a ShinyHunters/Scattered Spider–aligned collective claimed responsibility; JLR said there was no evidence of customer data theft at that time and notified the UK ICO.
  • Kering: In September 2025, ShinyHunters was linked to a major data breach affected Kering, the French luxury goods group that owns brands such as Gucci, Balenciaga, and Alexander McQueen. ShinyHunters claimed to have stolen personal data from Balenciaga, Gucci, Brioni, and Alexander McQueen. The group claimed they compromised 43,483,137 million records exclusively from Gucci and approximately 7.4 million unique customer records across Balenciaga, Brioni, and Alexander McQueen. The data included not limited to, names, email addresses, phone numbers, physical addresses, and total spend amounts from luxury store purchases. Kering confirmed the incident, stating that an unauthorized third party accessed limited customer information and that no financial data was compromised. ShinyHunters reportedly attempted to extort the company flowing the breach, which was identified in June 2025 and publicly disclosed months later.
  • Pornhub: In December 2025, ShinyHunters claimed responsibility for the Pornhub breach affected by the Mixpanel campaign. ShinyHunters claimed 94 GB of historical analytics data containing over 200 million records of Pornhub users email addresses, search history, watch/download activity, location data, and video metadata. ShinyHunters attempted to extort the company with threats of public release. Pornhub stated the incident stemmed from a third-party analytics service Mixpanel and that no passwords or financial information were compromised.
  • Soundcloud: In December 2025, ShinyHunters was linked to a SoundCloud breach that exposed personal information tied to roughly 29.8 million user accounts, including email addresses, usernames, avatars, follower count and locations. ShinyHunters allegedly accessed data via an ancillary service dashboard, and following attempted extortion the compromised records were reportedly published, underscoring the group's continued focus on large-scale data theft and ransom-or-release tactics.