{
	"id": "569dfa6f-f784-4cce-b06f-a07686662ce4",
	"created_at": "2026-04-06T00:07:25.154799Z",
	"updated_at": "2026-04-10T13:12:01.184089Z",
	"deleted_at": null,
	"sha1_hash": "2393d5f76ccd48411964901913f13c71e1c85cc2",
	"title": "Data Breaches: ShinyHunters' Dominance Continues",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 274535,
	"plain_text": "Data Breaches: ShinyHunters' Dominance Continues\r\nBy Mathew J. Schwartz\r\nArchived: 2026-04-05 14:30:07 UTC\r\nCybercrime , Fraud Management \u0026 Cybercrime , Fraud Risk Management\r\nProlific Cybercrime Group Recently Tied to Breaches of E-Commerce and Dating Sites (euroinfosec) • February\r\n18, 2021    \r\nShinyHunters disclosed its breach of dating site MeetMindful.com by dumping stolen data on the\r\ncybercrime forum RaidForums.\r\nThe ShinyHunters cybercrime operation runs a data exfiltration and sales business that appears to be off to a\r\nroaring start again this year, following on the heels of its data breach spree last year.\r\nSee Also: Gen AI Stalls, Shadow AI Rises: A CISO Concern\r\n\"ShinyHunters released a tsunami of sensitive data in 2020,\" says cybersecurity firm Risk Based Security, noting\r\nthat the group had been tied to \"data dumps that ultimately exposed over 550 million user records.\"\r\nAfter nearly 50 data breaches in 2020, so far this year, the gang has already taken credit for recent data breaches at\r\ne-commerce site Bonobo and dating site MeetMindful.\r\nKnown Breaches Have Declined\r\nTo give the group's activities some context, in 2020, the overall count of breached organizations and records\r\ndeclined slightly compared to 2019, according to the Identity Theft Resource Center, a nonprofit organization\r\nhttps://www.bankinfosecurity.com/blogs/data-breaches-shinyhunters-dominance-continues-p-2998\r\nPage 1 of 5\n\nbased in San Diego, California, that provides no-cost assistance to U.S. identity theft victims to help resolve their\r\ncases.\r\nWhile that trend is good news, the bad news is the decline can be traced to many criminals having found more\r\nlucrative outlets. Indeed, James E. Lee, COO of ITRC, says many cybercrime gangs have retooled to run\r\nransomware and phishing attacks - especially those leading to business email compromise schemes. 
These attacks\r\ndon't require much stolen data to be successful.\r\n\"We really only need two data elements to commit those kinds of crimes - you need a login and a password,\" Lee\r\nsays. \"If you have a login and a password, you can commit ransomware. If you run a phishing attack, what are you\r\ntrying to get? A login and a password.\"\r\nOf course, many ransomware-wielding gangs have then been grabbing customer records before leaving systems\r\ncrypto-locked, and posting the stolen data to dedicated data-leak sites to pressure more victims into paying. But\r\nunlike historical breaches, oftentimes ransomware gangs don't necessarily seem to aim for valuable customer data,\r\nbut rather just any corporate records they can get their hands on.\r\nHackers Sell Stolen Data\r\nSome non-ransomware-wielding cybercrime gangs, however, continue to wage data breach campaigns, attempting\r\nto steal large amounts of data and sell it to others who might use it for payment card fraud, credential-stuffing\r\nattacks or extortion efforts.\r\nBased on breach notification reports issued by U.S. firms, last year, 1,108 organizations suffered a breach - 676 of\r\nwhich included ransomware as an element of the attack - which collectively exposed information on more than\r\n300 million individuals, ITRC reports. Note that not all organizations that report they were breached specify what\r\nwas exposed or how many individuals might have been affected.\r\nCompared to 2019 - when 1,362 organizations collectively reported 887 million individuals' personal details\r\ngetting exposed - the overall number of breaches declined by 19% in 2020.\r\nReported U.S. 
data breaches and inadvertent data exposure in 2020 (Source: ITRC)\r\nRisk Based Security, in its tally of publicly reported data breaches around the world in 2020, counted 3,932\r\nbreaches, which was a 48% decline compared to 2019. Last year, the most affected industry globally was\r\nhealthcare, which accounted for 12% of all breached organizations, the security firm says.\r\nShinyHunters' Big Year\r\nMany of last year's biggest hits apparently trace back to one gang: ShinyHunters.\r\n\"ShinyHunters first rose to prominence in May 2020 by attempting to sell a number of valuable databases on the\r\ndark web,\" Risk Based Security says. \"Dubbed 'stage 1' by the threat actor, they promised more databases in the\r\nfuture. While the dark web marketplace listings caught the attention of the media, ShinyHunters had already\r\nbegun to leak databases on dark web hacking forums.\"\r\nMore attacks soon followed last year: Risk Based Security says ShinyHunters was ultimately connected to six\r\nattacks from April to May, 25 attacks in July and 16 attacks from October to November.\r\nLast July, for example, the group hit Dave, a mobile-only banking startup with a valuation of more than $1 billion,\r\nexposing 3 million accounts. Dave blamed the intrusion on \"a breach at Waydev, one of Dave’s former third-party\r\nservice providers.\"\r\nStolen data from Dave for sale on RaidForums (Source: ZeroFOX)\r\nAnother example: Last November, ShinyHunters hit India's online grocery delivery service BigBasket, posting\r\npurported details of 20 million customers online.\r\nBig January Breaches\r\nShinyHunters already looks set to dominate this year's data breach charts.\r\nThe gang's operations have continued with a hit against e-commerce store Bonobo, owned by Walmart, which\r\nsells men's clothing. 
Last month, ShinyHunters posted stolen Bonobo data to cybercrime forum RaidForums,\r\nincluding account information for nearly 2 million registered users, Bleeping Computer reported.\r\nAlso last month, the group disclosed a hit against dating site MeetMindful.com. In a Jan. 20 post to RaidForums,\r\nShinyHunters posted a link to a 320MB \"mindful.7z\" archive, containing details on 1.4 million accounts and\r\nexposing information for 2.3 million users of the service.\r\nMeetMindful confirmed the breach on Jan. 24 and recommended all users change their passwords. It said some\r\nusers' names, email addresses, Bcrypt-hashed passwords, Facebook access tokens and geolocation information,\r\namong other details, had been exposed.\r\nHistorical Breaches Surface\r\nMore ShinyHunters hits from 2020 are also coming to light.\r\nIn January, for example, a RaidForums user called \"Spiral\" posted what they said was the set of data exposed in\r\nthe September 2020 breach of Australian PDF-creation service Nitro, which the user said had been \"dumped by\r\nShinyHunters.\" That data dump contained 70 million unique email addresses, as described by free breach\r\nnotification site Have I Been Pwned, run by security expert Troy Hunt, who received the information from a\r\nsecurity researcher.\r\n\"This is the same database that Troy Hunt has, including all the users, contacts, filenames and so on,\" Spiral\r\nclaimed of the dump.\r\nIn October 2020, cybersecurity intelligence firm Cyble told Bleeping Computer that the stolen information was\r\nbeing privately auctioned with a start price of $80,000. But ShinyHunters later offered it for free.\r\nOn Feb. 5, another RaidForums user named \"sl4ckto\" posted what the user said was all of the records stolen from\r\nthe Sept. 4, 2020, breach of Singapore-based hotel booking and management platform RedDoorz. 
That breach\r\nreportedly resulted in the theft of a database with 5.8 million user records. And sl4ckto said ShinyHunters was\r\nresponsible, again offering the data for free.\r\nStolen Data: For Sale, Then Free\r\n\"ShinyHunters has made a number of posts about being frustrated that people were reselling their data, so they\r\nrelease it for free or dirt cheap,\" Zack Allen, director of threat intelligence at ZeroFOX, told me last year.\r\nBut marketing savvy is a more likely explanation for why the group releases data for which it has already been\r\npaid, and which has gone into wide circulation - at least via cybercrime forums. \"They will breach a company, sell\r\nthe data privately, then once that breach becomes more available, they will leak it to still build hype,\" Allen said.\r\nWhile it's the early days for breaches in 2021, so far, ShinyHunters appears to be continuing to run with that data\r\nbreach playbook.\r\nSource: https://www.bankinfosecurity.com/blogs/data-breaches-shinyhunters-dominance-continues-p-2998",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.bankinfosecurity.com/blogs/data-breaches-shinyhunters-dominance-continues-p-2998"
	],
	"report_names": [
		"data-breaches-shinyhunters-dominance-continues-p-2998"
	],
	"threat_actors": [
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9041c438-4bc0-4863-b89c-a32bba33903c",
			"created_at": "2023-01-06T13:46:38.232751Z",
			"updated_at": "2026-04-10T02:00:02.888195Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove"
			],
			"source_name": "MISPGALAXY:Nitro",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "a2b44a04-a080-4465-973d-976ce53777de",
			"created_at": "2022-10-25T16:07:23.911791Z",
			"updated_at": "2026-04-10T02:00:04.786538Z",
			"deleted_at": null,
			"main_name": "Nitro",
			"aliases": [
				"Covert Grove",
				"Nitro"
			],
			"source_name": "ETDA:Nitro",
			"tools": [
				"AngryRebel",
				"Backdoor.Apocalipto",
				"Chymine",
				"Darkmoon",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"Moudour",
				"Mydoor",
				"PCClient",
				"PCRat",
				"Poison Ivy",
				"SPIVY",
				"Spindest",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434045,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2393d5f76ccd48411964901913f13c71e1c85cc2.pdf",
		"text": "https://archive.orkl.eu/2393d5f76ccd48411964901913f13c71e1c85cc2.txt",
		"img": "https://archive.orkl.eu/2393d5f76ccd48411964901913f13c71e1c85cc2.jpg"
	}
}