ShinyHunters is a black-hat criminal hacker group that is believed to have formed in 2020 and is said to have been involved in numerous data breaches. The stolen information is often sold on the dark web.[1][2]
Name and alias
The name of the group is believed to be derived from shiny Pokémon, a mechanic in the Pokémon video game franchise where Pokémon have a rare chance of being encountered in an alternate, "shiny" color scheme, with such Pokémon considered elusive to players.[3] The avatar of a Twitter profile tied to the group contains a picture of a shiny Pokémon.[3]
Notable data breaches
AT&T Wireless: In 2021, ShinyHunters began selling information on 70 million AT&T wireless subscribers, which contained user's phone numbers, personal information and social security numbers. AT&T acknowledges the databreach in 2024.[4][5][6]
Tokopedia: On 2 May 2020 Tokopedia was breached by ShinyHunters, which claimed to have data for 91 million user accounts, revealing users' gender, location, username, full name, email address, phone number, and hashed passwords.[1]
Wishbone: Also in May 2020, ShinyHunters leaked the full user database of Wishbone, which is said to contain personal information such as usernames, emails, phone numbers, city/state/country of residence, and hashed passwords.[7]
Microsoft: In May 2020, ShinyHunters also claimed to have stolen over 500 GB of Microsoft source code from the company's private GitHub account. The group published around 1GB of data from the hacked GitHub account to a hacking forum. Some cybersecurity experts doubted the claims until analyzing the code; upon analysis, ShinyHunters' claims were no longer in question. Microsoft told Wired in a statement that they are aware of the breach. Microsoft later secured their GitHub account, which was confirmed by ShinyHunters as they reported being unable to access any repositories.[8][9][10]
Wattpad: In July 2020, ShinyHunters gained access to the Wattpad database containing 270 million user records. Information leaked included usernames, real names, hashed passwords, email addresses, geographic location, gender, and date of birth.[11][12][13]
Pluto TV: In November 2020, it was reported that ShinyHunters gained access to the personal data of 3.2 million Pluto TV users. The hacked data included users' display names, email addresses, IP addresses, hashed passwords and dates of birth.[14][15]
Animal Jam: It was also reported in November 2020 that ShinyHunters was behind the hack of Animal Jam, leading to the exposure of 46 million accounts.[16][17]
Mashable: In November 2020, ShinyHunters leaked 5.22GB worth of the Mashable database on a prominent hacker forum.[18]
Pixlr: In January 2021, ShinyHunters leaked 1.9 million user records from Pixlr.[19]
Nitro PDF: In January 2021, a hacker claiming to be a part of ShinyHunters leaked the full database of Nitro PDF — which contains 77 million user records — on a hacker forum for free.[20]
Bonobos: Also in January 2021 it was reported that ShinyHunters leaked the full Bonobos backup cloud database to a hacker forum. The database is said to contain the address, phone numbers, and order details for 7 million customers; general account information for another 1.8 million registered customers; and 3.5 million partial credit card records and hashed passwords.[21]
Aditya Birla Fashion and Retail: In December 2021, Indian retailer Aditya Birla Fashion and Retail were breached and ransomed. The ransom demand was allegedly rejected and data containing 5.4M unique email addresses were subsequently dumped publicly on a popular hacking forum the next month. The data contained extensive personal customer information including names, phone numbers, physical addresses, DoBs, order histories and passwords stored as MD5 hashes[22]
Mathway: In January 2020, ShinyHunters breached Mathway, stealing roughly 25 million users data. Mathway is a popular math app for students that helps solve algebraic equations.
Santander: On 30 May 2024 Santander was breached by ShinyHunters, which resulted in all Santander staff and '30 million' customers in Spain, Chile and Uruguay hacked.[23]
Ticketmaster: Hackers working with ShinyHunters have claimed responsibility for breaching Ticketmaster.[24]
AT&T Wireless: In April of 2024, hackers affiliated with ShinyHunters hacked AT&T Wireless and stole data on over 110 million customers. In May, AT&T paid a $370,000 ransom to one of the group's members to delete the data.[25]
Other data breaches
The following are other hacks that have been credited to or allegedly done by ShinyHunters. The estimated impacts of user records affected are also given.[26][27][28]
ShinyHunters group is under investigation by the FBI, the Indonesian police, and the Indian police for the Tokopedia breach. Tokopedia's CEO and founder also confirmed this claim via a statement on Twitter.[39][40]
Minted company reported the group's hack to US federal law enforcement authorities; the investigation is underway.[41]
Administrative documents from California reveal how ShinyHunters' hack has led to Mammoth Media, the creator of the app Wishbone, getting hit with a class-action lawsuit.[42]
Animal Jam stated that they are preparing to report ShinyHunters to the FBI Cyber Task Force and notify all affected emails. They have also created a 'Data Breach Alert' on their site to answer questions related to the breach.[43]
BigBasket filed a First Information Report (FIR) on November 6, 2020, to the Bengaluru Police to investigate the incident.[44]
Dave also initiated an investigation against the group for the company's security breach. The investigation is ongoing and the company is coordinating with local law enforcement and the FBI.[45]
Wattpad stated that they reported the incident to law enforcement and engaged third-party security experts to assist them in an investigation.[46]
Arrests
In May 2022, Sébastien Raoult, a French programmer suspected of belonging to the group, was arrested in Morocco and extradited to the United States. He faced 20 to 116 years in prison.[47][48]
In January 2024 Raoult was sentenced to three years in prison and ordered to return five million dollars.[49] Twelve months of the sentence are for conspiracy to commit wire fraud and the remainder for aggravated identity theft.[49] He will face 36 months of supervised release afterwards.[49] Raoult had worked for the group for more than two years according to the US Attorney's Office for the Western District of Washington.[49]