ShinyHunters

ShinyHunters is a black-hat criminal hacker group that is believed to have formed in 2020 and is said to have been involved in numerous data breaches. The stolen information is often sold on the dark web.[1][2]

Name and alias

The name of the group is believed to be derived from shiny Pokémon, a mechanic in the Pokémon video game franchise where Pokémon have a rare chance of being encountered in an alternate, "shiny" color scheme, with such Pokémon considered elusive to players.[3] The avatar of a Twitter profile tied to the group contains a picture of a shiny Pokémon.[3]

Notable data breaches

  • AT&T Wireless: In 2021, ShinyHunters began selling information on 70 million AT&T wireless subscribers, which contained user's phone numbers, personal information and social security numbers. AT&T acknowledges the databreach in 2024.[4][5][6]
  • Tokopedia: On 2 May 2020 Tokopedia was breached by ShinyHunters, which claimed to have data for 91 million user accounts, revealing users' gender, location, username, full name, email address, phone number, and hashed passwords.[1]
  • Wishbone: Also in May 2020, ShinyHunters leaked the full user database of Wishbone, which is said to contain personal information such as usernames, emails, phone numbers, city/state/country of residence, and hashed passwords.[7]
  • Microsoft: In May 2020, ShinyHunters also claimed to have stolen over 500 GB of Microsoft source code from the company's private GitHub account. The group published around 1GB of data from the hacked GitHub account to a hacking forum. Some cybersecurity experts doubted the claims until analyzing the code; upon analysis, ShinyHunters' claims were no longer in question. Microsoft told Wired in a statement that they are aware of the breach. Microsoft later secured their GitHub account, which was confirmed by ShinyHunters as they reported being unable to access any repositories.[8][9][10]
  • Wattpad: In July 2020, ShinyHunters gained access to the Wattpad database containing 270 million user records. Information leaked included usernames, real names, hashed passwords, email addresses, geographic location, gender, and date of birth.[11][12][13]
  • Pluto TV: In November 2020, it was reported that ShinyHunters gained access to the personal data of 3.2 million Pluto TV users. The hacked data included users' display names, email addresses, IP addresses, hashed passwords and dates of birth.[14][15]
  • Animal Jam: It was also reported in November 2020 that ShinyHunters was behind the hack of Animal Jam, leading to the exposure of 46 million accounts.[16][17]
  • Mashable: In November 2020, ShinyHunters leaked 5.22GB worth of the Mashable database on a prominent hacker forum.[18]
  • Pixlr: In January 2021, ShinyHunters leaked 1.9 million user records from Pixlr.[19]
  • Nitro PDF: In January 2021, a hacker claiming to be a part of ShinyHunters leaked the full database of Nitro PDF — which contains 77 million user records — on a hacker forum for free.[20]
  • Bonobos: Also in January 2021 it was reported that ShinyHunters leaked the full Bonobos backup cloud database to a hacker forum. The database is said to contain the address, phone numbers, and order details for 7 million customers; general account information for another 1.8 million registered customers; and 3.5 million partial credit card records and hashed passwords.[21]
  • Aditya Birla Fashion and Retail: In December 2021, Indian retailer Aditya Birla Fashion and Retail were breached and ransomed. The ransom demand was allegedly rejected and data containing 5.4M unique email addresses were subsequently dumped publicly on a popular hacking forum the next month. The data contained extensive personal customer information including names, phone numbers, physical addresses, DoBs, order histories and passwords stored as MD5 hashes[22]
  • Mathway: In January 2020, ShinyHunters breached Mathway, stealing roughly 25 million users data. Mathway is a popular math app for students that helps solve algebraic equations.
  • Santander: On 30 May 2024 Santander was breached by ShinyHunters, which resulted in all Santander staff and '30 million' customers in Spain, Chile and Uruguay hacked.[23]
  • Ticketmaster: Hackers working with ShinyHunters have claimed responsibility for breaching Ticketmaster.[24]
  • AT&T Wireless: In April of 2024, hackers affiliated with ShinyHunters hacked AT&T Wireless and stole data on over 110 million customers. In May, AT&T paid a $370,000 ransom to one of the group's members to delete the data.[25]

Other data breaches

The following are other hacks that have been credited to or allegedly done by ShinyHunters. The estimated impacts of user records affected are also given.[26][27][28]

Lawsuits

ShinyHunters group is under investigation by the FBI, the Indonesian police, and the Indian police for the Tokopedia breach. Tokopedia's CEO and founder also confirmed this claim via a statement on Twitter.[39][40]

Minted company reported the group's hack to US federal law enforcement authorities; the investigation is underway.[41]

Administrative documents from California reveal how ShinyHunters' hack has led to Mammoth Media, the creator of the app Wishbone, getting hit with a class-action lawsuit.[42]

Animal Jam stated that they are preparing to report ShinyHunters to the FBI Cyber Task Force and notify all affected emails. They have also created a 'Data Breach Alert' on their site to answer questions related to the breach.[43]

BigBasket filed a First Information Report (FIR) on November 6, 2020, to the Bengaluru Police to investigate the incident.[44]

Dave also initiated an investigation against the group for the company's security breach. The investigation is ongoing and the company is coordinating with local law enforcement and the FBI.[45]

Wattpad stated that they reported the incident to law enforcement and engaged third-party security experts to assist them in an investigation.[46]

Arrests

In May 2022, Sébastien Raoult, a French programmer suspected of belonging to the group, was arrested in Morocco and extradited to the United States. He faced 20 to 116 years in prison.[47][48]

In January 2024 Raoult was sentenced to three years in prison and ordered to return five million dollars.[49] Twelve months of the sentence are for conspiracy to commit wire fraud and the remainder for aggravated identity theft.[49] He will face 36 months of supervised release afterwards.[49] Raoult had worked for the group for more than two years according to the US Attorney's Office for the Western District of Washington.[49]

References

  1. ^ a b "ShinyHunters Is a Hacking Group on a Data Breach Spree". Wired. ISSN 1059-1028. Retrieved 2021-01-25.
  2. ^ Cimpanu, Catalin. "A hacker group is selling more than 100 billion user records on the dark web". ZDNet. Retrieved 2021-01-25.
  3. ^ a b Hernandez, Patricia (2 February 2016). "One Man's Five-Year Quest To Find A Shiny Pokémon". Kotaku. Archived from the original on 16 December 2017. Retrieved 15 December 2017.
  4. ^ "A Notorious Hacker Gang Claims to Be Selling Data on 70 Million AT&T Subscribers". GIzmodo. 21 August 2021. Retrieved 26 August 2023.
  5. ^ "AT&T finally acknowledged the data breach". Bleeping Computer. Retrieved 26 August 2023.
  6. ^ "AT&T acknowledges data breach affecting 51 million people - Panda Security". 12 April 2024.
  7. ^ Cimpanu, Catalin. "Hacker leaks 40 million user records from popular Wishbone app". ZDNet. Retrieved 2021-01-25.
  8. ^ "Microsoft's GitHub account breached by threat actors Shiny Hunters". TechGenix. May 21, 2020.
  9. ^ "'Shiny Hunters' bursts onto dark web scene following spate of breaches". SC Media. May 8, 2020.
  10. ^ "Microsoft's GitHub account hacked, private repositories stolen". BleepingComputer.
  11. ^ Deschamps, Tara (2020-07-21). "Wattpad storytelling platform says hackers had access to user email addresses". CTVNews. Retrieved 2021-01-25.
  12. ^ "Wattpad warns of data breach that stole user info | CBC News". CBC. Retrieved 2021-01-25.
  13. ^ "Wattpad data breach exposes account info for millions of users". BleepingComputer. Retrieved 2021-01-25.
  14. ^ "ShinyHunters hacked Pluto TV service, 3.2M accounts exposed". Security Affairs. 2020-11-15. Retrieved 2021-01-25.
  15. ^ "3 Million Pluto TV Users' Data Was Hacked, But the Company Isn't Telling Them". www.vice.com. 4 December 2020. Retrieved 2021-01-25.
  16. ^ "Animal Jam was hacked, and data stolen; here's what parents need to know". TechCrunch. 16 November 2020. Retrieved 2021-01-25.
  17. ^ "Animal Jam kids' virtual world hit by data breach, impacts 46M accounts". BleepingComputer. Retrieved 2021-01-25.
  18. ^ "ShinyHunters hacker leaks 5.22GB worth of Mashable.com database". 5 November 2020. Retrieved 27 May 2023.
  19. ^ Service, Tribune News. "Hacker leaks 1.9 million user records of photo editing app Pixlr". Tribuneindia News Service. Retrieved 2021-01-25.
  20. ^ "Hacker leaks full database of 77 million Nitro PDF user records". BleepingComputer. Retrieved 2021-01-25.
  21. ^ "Bonobos clothing store suffers a data breach, hacker leaks 70GB database". BleepingComputer. Retrieved 2021-01-25.
  22. ^ "Bonobos clothing store suffers a data breach, hacker leaks 70GB database". RestorePrivacy. 11 January 2022. Retrieved 2022-01-11.
  23. ^ "All Santander staff and millions of customers have data hacked". www.bbc.com. Retrieved 2024-07-22.
  24. ^ Zetter, Kim. "Hackers Detail How They Allegedly Stole Ticketmaster Data From Snowflake". Wired. ISSN 1059-1028. Retrieved 2024-07-22.
  25. ^ Zetter, Kim. "AT&T Paid a Hacker $370,000 to Delete Stolen Phone Records". Wired. ISSN 1059-1028. Retrieved 2024-08-04.
  26. ^ May 2020, Jitendra Soni 11 (11 May 2020). "ShinyHunters leak millions of user details". TechRadar. Retrieved 2021-01-25.{{cite web}}: CS1 maint: numeric names: authors list (link)
  27. ^ July 2020, Nicholas Fearn 29 (29 July 2020). "386 million user records stolen in data breaches — and they're being given away for free". Tom's Guide. Retrieved 2021-01-25.{{cite web}}: CS1 maint: numeric names: authors list (link)
  28. ^ ""Shiny Hunters" Hacker Group Keep 73 Mn User Records on Darknet". CISO MAG | Cyber Security Magazine. 2020-05-11. Retrieved 2021-01-25.
  29. ^ "Amazon, Swiggy's payment processor hit by data breach". The Times of India. Retrieved 2021-01-05.
  30. ^ a b c d e f g h i j Cimpanu, Catalin. "A hacker group is selling more than 73 million user records on the dark web". ZDNet.
  31. ^ "ShinyHunters Offers Stolen Data on Dark Web". Dark Reading. 28 July 2020. Retrieved 2021-01-25.
  32. ^ a b c d e f g "ShinyHunters Offers Stolen Data on Dark Web". Dark Reading. 28 July 2020.
  33. ^ a b c d e f g h i "ShinyHunters leaked over 386 million user records from 18 companies". Security Affairs. July 28, 2020.
  34. ^ "Promo.com data breach impacts 23 million content creators". The Daily Swig | Cybersecurity news and views. July 28, 2020.
  35. ^ Taylor, Charlie. "Irish start-up Glofox investigates possible data breach". The Irish Times. Retrieved 2021-01-25.
  36. ^ Defense, Binary. "Shiny Hunters Group Selling Data Stolen From 11 Different Companies". Retrieved 27 May 2023.
  37. ^ "Shiny Hunters hackers try to sell a host of user records from breaches". MalwareTips Community.
  38. ^ "ShinyHunters dump partial database of broker firm Upstox". hackread.com. 12 April 2021.
  39. ^ "Who are Shiny Hunters?". AndroidRookies. May 21, 2020.
  40. ^ @UnderTheBreach (May 13, 2020). "Twitter post" (Tweet) – via Twitter. [dead link]
  41. ^ "Minted confirms data breach as Shiny Hunters sell its database". 29 May 2020.
  42. ^ "Wishbone App Maker Mammoth Media Hit with Class Action Over Data Breach Affecting 40 Million Users". www.classaction.org. 4 June 2020.
  43. ^ "Animal Jam kids' virtual world hit by data breach, impacts 46M accounts". BleepingComputer.
  44. ^ "BIGBASKET, INDIA'S LEADING ONLINE SUPERMARKET SHOPPING, ALLEGEDLY BREACHED. PERSONAL DETAILS OF OVER 20 MILLION PEOPLE SOLD IN DARKWEB | Cyble". cybleinc.com. 7 November 2020.
  45. ^ "Security incident at Dave". A Banking Blog for Humans. July 25, 2020.
  46. ^ "FAQs on the Recent Wattpad Security Incident". Help Center.
  47. ^ "Sébastien Raoult, Français incarcéré au Maroc, menacé d'extradition aux Etats-Unis où il risque une lourde peine". lemonde.fr (in French). August 3, 2022.
  48. ^ "Cybercriminalité: Détenu aux Etats-Unis, le Français Sébastien Raoult espère toujours un "retour en France"". 31 May 2023.
  49. ^ a b c d Jones, Connor (2024-01-10). "ShinyHunters chief phisherman gets 3 years, must cough up $5M". The Register. Retrieved 2024-01-12.