ShinyHunters, one of the most recognised threat actors among the hacking community

2021-02-16

Over the past year, ShinyHunters has become one of the most recognised threat actors among the hacking community, by carrying out sophisticated cyberattacks on over 40 online services across the world, and by selling the stolen information for profit. 

ShinyHunters first appeared on the scene at the beginning of May 2020, and within two weeks the hacking group had offered for sale on the dark web over 200 million user records stolen from a number of companies. The stolen data included 91 million user records from the Indonesian e-commerce site Tokopedia and 22 million user records from the Indian online education platform Unacademy. ShinyHunters also claimed to have breached Microsoft’s private GitHub repositories and obtained 500 MG of source code. Over the following weeks, the hacking group released additional leaked databases as part of what it dubbed Stage 1. The affected companies included the dating app Zoosk (30 million affected users), the meal kit company HomeChef (8 million), the wellness site Mindful (2 million), the photo printing service Chatbooks (15 million), and the design-focused marketplace Minted (5 million). The compromised databases, containing data ranging from contact information, addresses and dates of birth to passwords and financial information, were offered for sale on hacking forums for $500 - $3,500.

Around July 2020, in what is considered to be Stage 2 of ShinyHunters’ hacking spree, the databases of 25 companies, comprising over 386,400,530 user records, were leaked on dark web forums. Among the most high-profile affected companies were the social storytelling platform Wattpad (270 million users affected), the interior design website Havenly (1.3 million users affected), and the digital banking service Dave (7 million users affected). The databases of all 25 breached companies were offered for download free of charge.

It did not take long for ShinyHunters to strike again. In November 2020, the hacking group compromised the database of the Indian online grocery store BigBasket, resulting in the information of over 20 million customers being sold on the dark web for $40,000. In the same month, ShinyHunters was also responsible for leaking 46 million user records from the popular kids’ game AnimalJam and 3.2 million user records from the American internet television service PlutoTv.

Since the beginning of 2021, ShinyHunters has been involved in several further data breaches. Among the affected services are the online photo editing application Pixlr (19 million affected users), the digital-document software NitroPDF (77 million), and the dating platform MeetMindful (2.28 million). All three databases were leaked on hacking forums for free. In 2021, the hacking group appears to have targeted Indian companies in particular: in January alone it leaked the databases of the cryptocurrency exchange and wallet BuyUCoin, the payment processing service Juspay, the wedding platform WedMeGood, the e-marketplace ClickIndia, and the fintech startup Chqbook, all of which are based in India.

To date, ShinyHunters’ real identity remains unknown. It is also unclear whether the name refers to a single threat actor or to multiple hackers working together. Cybersecurity researchers believe that ShinyHunters might have ties to GnosticPlayers, a well-known hacking group said to have leaked over a billion user records. According to researchers, the staggered release of data dumps displayed by ShinyHunters shares similarities with the strategy used by GnosticPlayers, who incidentally disappeared from the hacking scene shortly before ShinyHunters rose to prominence. ShinyHunters, however, denied these claims, stating that they are inspired by GnosticPlayers but have no connection to them.

In an online chat with the cybersecurity researcher Rajshekhar Rajaharia, a persona claiming to be a member of ShinyHunters criticised companies for their poor cyber hygiene and for the weak encryption methods they use when storing users’ data. As stated by the hacking group, many companies save their data in plaintext, or protect it with old algorithms that have already been compromised and therefore no longer guarantee security, such as MD5. The hacker also added that companies should take responsibility when a breach occurs, referring to companies that failed to inform users of the data breaches they suffered. Among these is the Indian payment processing service Juspay, which became aware of its data breach shortly after it occurred in August 2020, but did not disclose it to its users until January 2021, after a cybersecurity expert made the information public. Similarly, PlutoTv did not promptly inform its users of its data breach, as according to the company the compromised information was limited and passwords were hashed. Other companies have denied the occurrence of a data breach altogether in public statements.
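The storage weakness described above (plaintext passwords, or unsalted MD5, which is a hash function rather than encryption) is what makes a leaked credential table immediately usable: identical passwords produce identical digests, and MD5 is fast enough that such digests are routinely recovered by lookup. The following is an added example, not code from the article or from any of the companies named in it. It contrasts the weak scheme with salted PBKDF2-HMAC-SHA256 from Python's standard library and includes a small audit helper that classifies records in a stored credential table by how they are protected. The record format `pbkdf2_sha256$iterations$salt$digest`, the iteration count, and the sample records are this example's own assumptions.

```python
import hashlib
import hmac
import re
import secrets

# Assumed work factor for PBKDF2-HMAC-SHA256; pick per current guidance for your platform.
PBKDF2_ITERATIONS = 600_000


def legacy_md5_record(password: str) -> str:
    """The weak scheme the article describes: unsalted MD5 of the raw password.
    Kept here only so the audit helper below has something to recognise."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash. A fresh random salt means two users with the same
    password get different records, and precomputed tables are useless."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Record format is this example's own convention (assumption):
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and
    compare in constant time; malformed or foreign records never verify."""
    try:
        scheme, iters, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    expected = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(expected.hex(), digest_hex)


# A bare 32-hex-character field is the tell-tale shape of an unsalted MD5 digest.
_MD5_HEX = re.compile(r"^[0-9a-f]{32}$")


def classify_record(record: str) -> str:
    """Audit helper: label how a single stored credential record is protected."""
    if record.startswith("pbkdf2_sha256$"):
        return "pbkdf2-salted"
    if _MD5_HEX.match(record):
        return "unsalted-md5"
    return "plaintext-or-unknown"


def audit(records):
    """Count records per protection class, e.g. over a column exported from a user table."""
    counts = {}
    for record in records:
        label = classify_record(record)
        counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample credential column: one plaintext entry, two users who
# chose the same password under unsalted MD5, and one properly salted record.
SAMPLE_RECORDS = [
    "hunter2",
    legacy_md5_record("hunter2"),
    legacy_md5_record("hunter2"),
    hash_password("hunter2", iterations=50_000),
]

if __name__ == "__main__":
    print(audit(SAMPLE_RECORDS))
    print("MD5 records for the same password collide:",
          SAMPLE_RECORDS[1] == SAMPLE_RECORDS[2])
```

The audit step is the useful part for a defender: running `classify_record` over an exported credential column before a migration (or during breach triage) tells you at once how much of the table would be trivially recoverable if it leaked, and `verify_password` shows how a rollout can accept only the hardened format while refusing legacy records.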

Researchers believe that ShinyHunters is in possession of additional databases from breaches that are not yet known to the public. This raises concerns that the hacking group will be involved in other leaks in the near future.  

