{
	"id": "d9a8d64c-9e4f-4ba6-b843-06cc44b1f455",
	"created_at": "2026-04-06T00:20:01.237723Z",
	"updated_at": "2026-04-10T13:12:11.154598Z",
	"deleted_at": null,
	"sha1_hash": "6c641244c54f5b7c304bb6087cf0818f75306b61",
	"title": "Tokopedia and Microsoft Breach Broker selling fresh trove of 26 million accounts",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3414084,
	"plain_text": "Tokopedia and Microsoft Breach Broker selling fresh trove of 26\r\nmillion accounts\r\nArchived: 2026-04-05 18:02:40 UTC\r\nBlog\r\nMay 7, 2020 |by ZeroFox Research\r\nExecutive Summary\r\nZeroFox Alpha Team has identified a dark web breach broker selling three large, high-profile breaches. The\r\ndealer, who goes by the alias Shinyhunters, is offering these breach dumps for sale on a dark web forum, for prices\r\nbetween $1500 and $2500 USD. The ShinyHunters group has breached numerous organizations in recent weeks,\r\nincluding Tokopedia, a major Indonesia e-commerce company, and Unacademy, an Indian online learning\r\nplatform. Allegedly, the group is also behind the recent breach of Microsoft’s private GitHub repositories,\r\ncontaining the source code of future open-sourced projects. Although it has not yet been released, the\r\nShinyhunters group has threatened to release the code publicly for free. The new breaches include Chicago-based\r\nhome meal kit delivery service HomeChef, online printing and photo store ChatBooks, and Chronicle.com, a news\r\nwebsite dedicated to covering colleges and universities. In total, these breaches contain the user data and\r\npasswords of 26,000,000 accounts. \r\nHomeChef Breach\r\nThe HomeChef breach contains 8 million records, and a sample set of records was posted to a paste website. The\r\nrows contain emails, bcrypt passwords, IP addresses and a number of columns of PII such as last 4 of social\r\nsecurity numbers, zip codes and phone numbers. The breach has a sale price of $2500 USD.\r\nhttps://www.zerofox.com/blog/shinyhunters-breach/\r\nPage 1 of 6\n\nFigure 1: HomeChef Breach Sample Posted by Shiny Hunters\r\nhttps://www.zerofox.com/blog/shinyhunters-breach/\r\nPage 2 of 6\n\nFigure 2: HomeChef Breach Sellers Page\r\nChatbooks Breach\r\nThe Chatbooks breach contains 15 million rows of data. Shiny Hunters also posted a sample set to a paste website.\r\nThe rows contain emails, SHA-512 password hashes, social media access tokens and a number of personally\r\nidentifiable information. The breach has a sale price of $2000 USD.\r\nhttps://www.zerofox.com/blog/shinyhunters-breach/\r\nPage 3 of 6\n\nFigure 3: ChatBooks Breach Sample Posted by Shiny Hunters\r\nFigure 4: ChatBooks Breach Sellers Page\r\nChronicle.com Breach\r\nThe Chronicle.com breach contains 3 million records, but ShinyHunters did not post a sample set of data or\r\nindicate in their post what the data contains. The breach has a sale price of $1500 USD.\r\nFigure 5: Chronicle.com Breach Sellers Page\r\nhttps://www.zerofox.com/blog/shinyhunters-breach/\r\nPage 4 of 6\n\nOther aliases for ShinyHunters Breach Broker\r\nShinyHunters isn’t the only moniker this actor has used. The group made a post on May 6, 2020 on a popular\r\ncybercrime forum indicating that they’ve pilfered 500 GB of internal source code from Microsoft. \r\nFigure 6: Microsoft Breach Post by fs0c131y/Shiny Hunters\r\nAccording to BleepingComputer, ShinyHunters reached out to them directly to confirm the story. The sales ad for\r\nthe Microsoft leak was authored by “fs0c131y”, a popular moniker in the show Mr. Robot, as well as a popular\r\nhacker on Twitter. Using names from popular influencers on these forums is nothing new, for example Brian\r\nKrebs and Troy Hunt have impersonators. What links fs0c131y and Shiny Hunters, is that fs0c131y posted the\r\nsame contact information as their shop on the dark web.\r\nFigure 7: Tokopedia Breach Post by fs0c131y/Shiny Hunters\r\nConclusion\r\nShinyHunters is taking a page out of the book of gnosticplayers, the breach data broker who in 2018-2019\r\npilfered billions of records from dozens of companies and sold them online. Due to the verification of the\r\nTokopedia breach by multiple researchers and the company itself, ZeroFox Alpha Team has HIGH confidence that\r\nthese new breaches are legitimate, and will most likely be available on other breach marketplaces at lower prices\r\nhttps://www.zerofox.com/blog/shinyhunters-breach/\r\nPage 5 of 6\n\nin the near future. It is likely that this actor will continue to breach companies and post their content for sale.\r\nThese tactics proved both successful and profitable for gnosticplayers, and it is likely they will continue to appeal\r\nto other breach brokers for these reasons.\r\nTags: Breaches\r\nSource: https://www.zerofox.com/blog/shinyhunters-breach/\r\nhttps://www.zerofox.com/blog/shinyhunters-breach/\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.zerofox.com/blog/shinyhunters-breach/"
	],
	"report_names": [
		"shinyhunters-breach"
	],
	"threat_actors": [
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1609af91-e258-4058-9caa-59e7d171aecb",
			"created_at": "2022-10-25T16:07:24.491691Z",
			"updated_at": "2026-04-10T02:00:05.008935Z",
			"deleted_at": null,
			"main_name": "Gnosticplayers",
			"aliases": [],
			"source_name": "ETDA:Gnosticplayers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "56d15cc7-f9c1-451f-bdde-8c283e3cf15b",
			"created_at": "2023-01-06T13:46:39.015288Z",
			"updated_at": "2026-04-10T02:00:03.181411Z",
			"deleted_at": null,
			"main_name": "Gnosticplayers",
			"aliases": [],
			"source_name": "MISPGALAXY:Gnosticplayers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434801,
	"ts_updated_at": 1775826731,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6c641244c54f5b7c304bb6087cf0818f75306b61.pdf",
		"text": "https://archive.orkl.eu/6c641244c54f5b7c304bb6087cf0818f75306b61.txt",
		"img": "https://archive.orkl.eu/6c641244c54f5b7c304bb6087cf0818f75306b61.jpg"
	}
}