{ "id": "92e850ed-c95c-476e-97ab-48624ebdda66", "created_at": "2026-04-06T00:16:26.777963Z", "updated_at": "2026-04-10T13:11:35.717836Z", "deleted_at": null, "sha1_hash": "692ddb06f35d442cf471b9eb74e8f22cb1e900b8", "title": "ShinyHunters claims Santander breach, selling data for 30M customers", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 3190945, "plain_text": "ShinyHunters claims Santander breach, selling data for 30M customers\r\nBy Lawrence Abrams\r\nPublished: 2024-05-31 ยท Archived: 2026-04-05 20:25:36 UTC\r\nA threat actor known as ShinyHunters is claiming to be selling a massive trove of Santander Bank data, including\r\ninformation for 30 million customers, employees, and bank account data, two weeks after the bank reported a data breach.\r\nShinyHunters is known for selling and leaking data from numerous companies over the years, including this week's alleged\r\nmassive Ticketmaster data breach impacting 560 million people.\r\nThey're also the owner of BreachForums, a notorious online community trafficking in the sale and leaking of stolen data\r\nwhich has survived several law enforcement takedowns over the past couple of years\r\nhttps://www.bleepingcomputer.com/news/security/shinyhunters-claims-santander-breach-selling-data-for-30m-customers/\r\nPage 1 of 5\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/shinyhunters-claims-santander-breach-selling-data-for-30m-customers/\r\nPage 2 of 5\n\nVisit Advertiser websiteGO TO PAGE\r\nTwo weeks ago, Spain's largest bank, Santander, disclosed a data breach after detecting unauthorized access to a database\r\nhosted by a third-party provider.\r\nThe company's investigation determined that the threat actor accessed data for employees and customers in Chile, Spain, and\r\nUruguay.\r\n\"Following an investigation, we have now confirmed that certain information relating to customers of Santander Chile,\r\nSpain and Uruguay, as well as all current and some former Santander employees of the group had been accessed,\" reads a\r\nstatement from Santander.\r\n\"Customer data in all other Santander markets and businesses are not affected.\"\r\nFast forward two weeks, and as first spotted by Dark Web Informer, ShinyHunters is now claiming to sell the data for\r\nSantander customers in Chile, Spain, and Uruguay for $2 million, the same data the bank reported was stolen.\r\nSelling of Santander Bank data on a hacking forum\r\nSource: BleepingComputer\r\nShinyHunters claims that the stolen data contains the personal information of 30 million customers and employees, 28\r\nmillion credit card numbers, and 6 million account numbers and balances.\r\nAs part of the sale listing, the threat actor also shared samples of the data that contains the listed information but cannot be\r\nconfirmed to belong to Santander.\r\nIt should be noted that Santander's Q1 2024 financial report states that there are only 19.5 million customers in those\r\ncountries, rather than tht 30 million claimed by the threat actor.\r\nThis sales listing comes soon after the FBI seized BreachForums on May 15th, which was operated by ShinyHunters and\r\nanother threat actor known as Baphomet.\r\nWhile ShinyHunters says that Baphomet was arrested, he quickly restored the BreachForums site from a backup to a new\r\ndomain.\r\nSince then, the threat actor posted the sale of Ticketmaster and Santander, which some feel was done to restore the\r\nreputation of the site after its takedown by law enforcement.\r\nHowever, what makes these sales unusual is that both were first listed on the Russian-speaking Exploit hacking forum days\r\nbefore they were listed on the newly-restored BreachForums.\r\nhttps://www.bleepingcomputer.com/news/security/shinyhunters-claims-santander-breach-selling-data-for-30m-customers/\r\nPage 3 of 5\n\nSantander data sold on Exploit earlier in the week\r\nSource: Kela\r\nThese sales were listed under the accounts of new members, with no reference to BreachForums or ShinyHunters, making\r\nothers believe the sale on BreachForums is a fake.\r\nHowever, ShinyHunters has commonly acted as a data breach broker for other threat actors in the past, and it is not\r\nuncommon for these threat actors to create new aliases on various forums to sell stolen data.\r\nWhile TicketMaster has not confirmed whether a data breach occurred, ShinyHunters has a reputation for selling valid data\r\nbreaches in the past.\r\nIn 2021, Shiny Hunters claimed to be selling the stolen data of 73 million AT\u0026T customers, which the company repeatedly\r\ndenied to BleepingComputer.\r\n\"I don't care if they don't admit. I'm just selling,\" ShinyHunters told BleepingComputer at the time.\r\nIn 2024, after the AT\u0026T data was leaked on a hacking forum, AT\u0026T finally confirmed that the data was legitimate and that\r\nthey had suffered a breach.\r\nIn the past, ShinyHunters has breached or leaked the data for numerous companies, including Wattpad, Tokopedia,\r\nMicrosoft's GitHub account, BigBasket, Nitro PDF, Pixlr, TeeSpring, Promo.com, Mathway, and many more.\r\nhttps://www.bleepingcomputer.com/news/security/shinyhunters-claims-santander-breach-selling-data-for-30m-customers/\r\nPage 4 of 5\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/shinyhunters-claims-santander-breach-selling-data-for-30m-customers/\r\nhttps://www.bleepingcomputer.com/news/security/shinyhunters-claims-santander-breach-selling-data-for-30m-customers/\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://www.bleepingcomputer.com/news/security/shinyhunters-claims-santander-breach-selling-data-for-30m-customers/" ], "report_names": [ "shinyhunters-claims-santander-breach-selling-data-for-30m-customers" ], "threat_actors": [ { "id": "c071c8cd-f854-4bad-b28f-0c59346ec348", "created_at": "2023-11-08T02:00:07.132524Z", "updated_at": "2026-04-10T02:00:03.422366Z", "deleted_at": null, "main_name": "ShinyHunters", "aliases": [], "source_name": "MISPGALAXY:ShinyHunters", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2", "created_at": "2025-10-24T02:04:50.086223Z", "updated_at": "2026-04-10T02:00:03.770068Z", "deleted_at": null, "main_name": "GOLD CRYSTAL", "aliases": [ "Scattered LAPSUS$ Hunters", "ShinyCorp", "ShinyHunters" ], "source_name": "Secureworks:GOLD CRYSTAL", "tools": [], "source_id": "Secureworks", "reports": null }, { "id": "9041c438-4bc0-4863-b89c-a32bba33903c", "created_at": "2023-01-06T13:46:38.232751Z", "updated_at": "2026-04-10T02:00:02.888195Z", "deleted_at": null, "main_name": "Nitro", "aliases": [ "Covert Grove" ], "source_name": "MISPGALAXY:Nitro", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "a2b44a04-a080-4465-973d-976ce53777de", "created_at": "2022-10-25T16:07:23.911791Z", "updated_at": "2026-04-10T02:00:04.786538Z", "deleted_at": null, "main_name": "Nitro", "aliases": [ "Covert Grove", "Nitro" ], "source_name": "ETDA:Nitro", "tools": [ "AngryRebel", "Backdoor.Apocalipto", "Chymine", "Darkmoon", "Farfli", "Gen:Trojan.Heur.PT", "Gh0st RAT", "Ghost RAT", "Moudour", "Mydoor", "PCClient", "PCRat", "Poison Ivy", "SPIVY", "Spindest", "pivy", "poisonivy" ], "source_id": "ETDA", "reports": null }, { "id": "d8dff631-87b0-4320-8352-becff28dbcf1", "created_at": "2022-10-25T16:07:24.565038Z", "updated_at": "2026-04-10T02:00:05.034516Z", "deleted_at": null, "main_name": "ShinyHunters", "aliases": [], "source_name": "ETDA:ShinyHunters", "tools": [], "source_id": "ETDA", "reports": null } ], "ts_created_at": 1775434586, "ts_updated_at": 1775826695, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/692ddb06f35d442cf471b9eb74e8f22cb1e900b8.pdf", "text": "https://archive.orkl.eu/692ddb06f35d442cf471b9eb74e8f22cb1e900b8.txt", "img": "https://archive.orkl.eu/692ddb06f35d442cf471b9eb74e8f22cb1e900b8.jpg" } }