What Happened to ShinyHunters (Hacking Group)?
ShinyHunters is a prolific black-hat criminal hacking and extortion group that emerged in 2019, specializing in large-scale data theft from companies across various sectors. The group employs sophisticated social engineering tactics, including voice phishing, to gain access to cloud applications and then extorts victims with a 'pay or leak' strategy, often selling stolen data on dark web forums. As of May 2026, ShinyHunters remains highly active, claiming responsibility for multiple significant breaches, including major incidents affecting educational institutions and global corporations.
Quick Answer
ShinyHunters is an active and financially motivated cybercriminal group known for its extensive data breaches and extortion tactics. Since its emergence in 2019, the group has targeted numerous high-profile companies and institutions, stealing vast amounts of personal and corporate data. In 2026 alone, ShinyHunters has claimed responsibility for breaches affecting major entities like Instructure (Canvas LMS), ADT, the European Commission, and Rockstar Games, and is actively marketing massive datasets from AT&T, Ticketmaster, and Santander. Despite some arrests of associated individuals, the group continues to operate, leveraging advanced social engineering and supply chain attacks.
📅 Complete Timeline (13 events)
Group Formation
ShinyHunters, a black-hat criminal hacker and extortion group, is believed to have formed and begun its operations.
Tokopedia Data Breach
ShinyHunters claimed to have breached Indonesian e-commerce giant Tokopedia, stealing data for 91 million user accounts, including personal details and hashed passwords.
Microsoft Source Code Theft Claim
The group claimed to have stolen over 500 GB of Microsoft source code from the company's private GitHub account, publishing a portion as proof. Microsoft later confirmed the breach.
Bonobos Database Leak
ShinyHunters leaked the full backup cloud database of clothing retailer Bonobos, containing addresses, phone numbers, and order details for 7 million customers, along with partial credit card records.
Sébastien Raoult Sentenced
French national Sébastien Raoult, linked to ShinyHunters activities, was sentenced to three years in a U.S. prison and ordered to pay over $5 million in restitution for cybercrimes.
Ticketmaster and Santander Breaches (Snowflake Campaign)
ShinyHunters claimed responsibility for breaching Ticketmaster, exposing data for approximately 560 million users, and Santander Bank, affecting 30 million records, as part of a wider campaign targeting Snowflake customers.
Salesforce Cloud Customer Campaign
Google's Threat Intelligence team identified UNC6040 (ShinyHunters) using voice phishing to compromise Salesforce cloud customers, leading to mass data exfiltration and extortion from companies like Adidas and LVMH brands.
Instructure (Canvas) Salesforce Breach
Instructure, the company behind Canvas LMS, disclosed a breach of its Salesforce instance due to a social engineering attack, later attributed to ShinyHunters.
European Commission Data Leak
ShinyHunters hacked and leaked over 350GB of data from the European Commission, affecting 42 internal clients and at least 29 EU entities, including PII and sensitive documents.
ADT and Rockstar Games Breaches
ShinyHunters stole personal information of 5.5 million ADT customers via an Okta SSO compromise and claimed to have breached Rockstar Games, exfiltrating nearly 80 million records.
Instructure (Canvas) Massive Data Breach
ShinyHunters claimed responsibility for exfiltrating 3.65 TB of data, impacting an estimated 275 million users across 9,000 educational institutions using the Canvas LMS. Exposed data includes names, email addresses, student IDs, and private messages.
Mega-Leak Marketing on Telegram
ShinyHunters began aggressively marketing massive datasets on Telegram, including 200 million AT&T records (with SSNs), 560 million Ticketmaster/Live Nation customer records, and 30 million Santander Group records (with credit card numbers).
Instructure (Canvas) Ransom Deadline Extension
ShinyHunters reiterated their responsibility for the Instructure breach and extended the deadline for affected schools to contact them for negotiations until the end of May 12, 2026.
🔍 Deep Dive Analysis
ShinyHunters, a prominent black-hat cybercriminal group, first gained notoriety around 2019 for its financially motivated data theft and extortion activities. The group's primary modus operandi involves breaching corporate networks, exfiltrating large volumes of sensitive data, and then demanding ransom payments under the threat of publicly leaking or selling the stolen information on dark web forums. Unlike traditional ransomware groups, ShinyHunters typically focuses on data exfiltration rather than system encryption.
Initially, ShinyHunters became known for a spree of database breaches in 2020, impacting companies like Mathway (25 million users), Tokopedia (91 million users), and Wattpad (270 million users). They also claimed to have stolen 500 GB of Microsoft source code, a claim later verified by cybersecurity experts. The group's tactics evolved, increasingly relying on sophisticated social engineering, particularly voice phishing (vishing), to compromise credentials for Software-as-a-Service (SaaS) and cloud applications. This approach allows them to bypass traditional authentication methods and gain access to systems like Salesforce, Okta Single Sign-On (SSO), and Snowflake.
A significant turning point occurred in 2024 with the 'Snowflake campaign,' where ShinyHunters claimed responsibility for breaches affecting numerous Snowflake-related customers, including Ticketmaster (560 million users) and Santander Bank (30 million records). This demonstrated their capability to leverage supply chain vulnerabilities through third-party integrators like Anodot. In 2025, the group was linked to a widespread Salesforce campaign, which Google's Threat Intelligence team tracked as UNC6040, involving vishing to trick employees into installing malicious applications. This campaign impacted major entities such as Google, Adidas, and LVMH brands. There were also reports of operational overlap and collaboration with other prominent cybercriminal groups like Scattered Spider and Lapsus$, leading to the formation of the 'Scattered LAPSUS$ Hunters' collective.
Current Status as of May 7, 2026: ShinyHunters remains highly active and continues its aggressive data theft and extortion campaigns. The year 2026 has seen a rapid succession of high-profile incidents attributed to the group. In January 2026, they were linked to breaches at Panera Bread and Dutch telecom Odido. February saw attacks on Figure Technology Solutions and Wynn Resorts. March brought a significant breach of the European Commission, where 350 GB of data were exfiltrated. April included breaches affecting ADT (5.5 million individuals), Rockstar Games (80 million records claimed), McGraw-Hill, and Udemy.
The most recent and extensive activity involves the education sector. On May 1, 2026, ShinyHunters claimed a massive breach of Instructure, the parent company of the widely used Canvas learning management system. They asserted the theft of 3.65 terabytes of data, potentially impacting 275 million users across 9,000 educational institutions worldwide, including names, email addresses, student IDs, and private messages. Instructure confirmed unauthorized access and stated that the vulnerability had been patched. ShinyHunters issued a deadline of May 6th/7th for ransom payments from affected institutions, with a follow-up claim on May 7th, 2026, giving schools until May 12th to contact them. Concurrently, as of May 6, 2026, the group is aggressively marketing massive datasets from AT&T (200 million records including SSNs), Ticketmaster/Live Nation (560 million customers), and Santander Group (30 million records) on Telegram, indicating a continued focus on monetizing stolen data. While some arrests have been made, including Sébastien Raoult in 2024 and four members in France in 2025, the core group remains operational and highly effective.