ShinyHunters is a black-hat criminal hacker and extortion group believed to have formed in 2019. The group has built a strong reputation of “pay or leak”; they often extort the company they have hacked, and if the company does not pay the ransom, the stolen information is very often leaked or sold on the dark web.
Group Origins and Name
The name of the group is believed to be derived from Shiny Pokémon, an aspect of the Pokémon video game franchise. Players who actively try to collect such Pokémon through in-game strategies are often referred to as “shiny hunters”.
2024 Snowflake-Related Breaches
In 2024, ShinyHunters claimed to have hacked Snowflake-related customers including Ticketmaster, Santander Bank, Neiman Marcus, and many others. The group was also responsible for publishing data stolen from Twilio and Truist Bank.
2026 Snowflake and Anodot Breach
In 2026, ShinyHunters carried out another widespread theft of data belonging to Snowflake customers, this time through the third-party integrator Anodot. Snowflake, Inc. confirmed the incident and began notifying potentially impacted customers. ShinyHunters has since been extorting “over a dozen” affected companies, demanding payment in return for not publishing the data.
2025 Salesforce Campaign (UNC6040)
On June 4, 2025, ShinyHunters was tied to a widespread data-theft campaign targeting Salesforce cloud customers. The group, working in conjunction with Scattered Spider and Lapsus$, impersonated IT support staff and used voice-phishing (vishing) calls to trick employees into installing a malicious version of Salesforce’s Data Loader tool, giving the attackers authorized access to the victims’ Salesforce orgs.
This sophisticated social engineering approach led to confirmed data breaches at major companies including Google, Cisco, Adidas, Qantas, Allianz Life, Farmers Insurance Group, Workday, Pandora, Chanel, TransUnion, and LVMH subsidiaries.
2025 Salesloft/Drift Campaign (UNC6395)
On August 28, 2025, another campaign, tracked by Google Threat Intelligence as UNC6395, used OAuth access and refresh tokens stolen from Salesloft’s Drift integration to access numerous Salesforce customer orgs. Because the tokens belonged to an already-authorized third-party connected app, the attackers needed no credentials from the victims themselves. Google told reporters it was aware of over 700 potentially impacted organizations.
On September 17, 2025, BleepingComputer confirmed that ShinyHunters was behind the UNC6395 campaign, described as the largest SaaS compromise on record. Using the stolen Drift OAuth tokens, the threat actors exported approximately 1.5 billion records from Salesforce objects across 760 companies.
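The pattern described above, a third-party integration’s OAuth token reused from attacker infrastructure to bulk-read objects the integration never needed, is something a defender can look for in Salesforce API event logs. The following is an added example written for this page, not code from Salesforce, Salesloft or the original article. The log lines are constructed, the column names only loosely mirror Salesforce EventLogFile fields (EVENT_TYPE, USER_ID, CONNECTED_APP_ID, CLIENT_IP, ENTITY_NAME, ROWS_PROCESSED), and the integration profile values (egress IPs, allowed objects, row ceiling) are hypothetical; a real deployment would take them from the org’s own connected-app inventory.

```python
"""Flag connected-app (OAuth integration) token abuse in Salesforce-style API logs.

Added example, not from the original page. The sample log below is
constructed and the column layout is an illustrative approximation of
Salesforce EventLogFile "API" rows, not the exact schema.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a chat/marketing connector ("0H4CHATAPP", hypothetical ID)
# normally reads a handful of Lead/Contact rows from one known egress IP.
# The next night the same app identity bulk-reads Account, Case, Opportunity
# and User from an IP the vendor never used: the shape of a stolen token.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CONNECTED_APP_ID,CLIENT_IP,ENTITY_NAME,ROWS_PROCESSED
API,2025-08-08T09:00:00Z,005INTEG,0H4CHATAPP,203.0.113.10,Lead,12
API,2025-08-08T09:05:00Z,005INTEG,0H4CHATAPP,203.0.113.10,Contact,8
API,2025-08-08T09:10:00Z,005INTEG,0H4CHATAPP,203.0.113.10,Lead,15
API,2025-08-09T02:14:00Z,005INTEG,0H4CHATAPP,198.51.100.77,Account,200000
API,2025-08-09T02:15:00Z,005INTEG,0H4CHATAPP,198.51.100.77,Case,450000
API,2025-08-09T02:16:00Z,005INTEG,0H4CHATAPP,198.51.100.77,Opportunity,120000
API,2025-08-09T02:17:00Z,005INTEG,0H4CHATAPP,198.51.100.77,User,3000
"""


@dataclass(frozen=True)
class IntegrationProfile:
    """What a connected app is *supposed* to do (hypothetical values, declared by the org)."""
    app_id: str
    allowed_entities: frozenset
    allowed_ips: frozenset
    max_rows_per_call: int


# Least-privilege expectation for the connector: a few lead/contact rows, one egress IP.
PROFILES = {
    "0H4CHATAPP": IntegrationProfile(
        app_id="0H4CHATAPP",
        allowed_entities=frozenset({"Lead", "Contact"}),
        allowed_ips=frozenset({"203.0.113.10"}),
        max_rows_per_call=1000,
    ),
}


@dataclass(frozen=True)
class Finding:
    timestamp: str
    app_id: str
    reasons: tuple


def parse_api_events(log_text):
    """Parse CSV log text, keeping only API rows and converting the row count to int."""
    events = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["EVENT_TYPE"] != "API":
            continue
        row["ROWS_PROCESSED"] = int(row["ROWS_PROCESSED"])
        events.append(row)
    return events


def detect_token_abuse(events, profiles):
    """Return one Finding per API call that steps outside its connected app's profile.

    Three independent signals are checked: unexpected source IP, an object the
    integration has no business reading, and a per-call row count above the
    ceiling. Any one is enough to flag; all three together is the stolen-token
    pattern the Drift campaign exhibited.
    """
    findings = []
    for ev in events:
        profile = profiles.get(ev["CONNECTED_APP_ID"])
        reasons = []
        if profile is None:
            reasons.append("connected app not in inventory")
        else:
            if ev["CLIENT_IP"] not in profile.allowed_ips:
                reasons.append(f"source IP {ev['CLIENT_IP']} outside integration egress set")
            if ev["ENTITY_NAME"] not in profile.allowed_entities:
                reasons.append(f"object {ev['ENTITY_NAME']} outside integration scope")
            if ev["ROWS_PROCESSED"] > profile.max_rows_per_call:
                reasons.append(f"{ev['ROWS_PROCESSED']} rows exceeds ceiling {profile.max_rows_per_call}")
        if reasons:
            findings.append(Finding(ev["TIMESTAMP"], ev["CONNECTED_APP_ID"], tuple(reasons)))
    return findings


def rows_by_app_and_day(events):
    """Daily row volume per connected app; a jump of several orders of magnitude is the bulk-export tell."""
    totals = defaultdict(int)
    for ev in events:
        totals[(ev["CONNECTED_APP_ID"], ev["TIMESTAMP"][:10])] += ev["ROWS_PROCESSED"]
    return dict(totals)


def revocation_candidates(findings):
    """Connected apps whose OAuth tokens should be revoked pending investigation."""
    return sorted({f.app_id for f in findings})


if __name__ == "__main__":
    evs = parse_api_events(SAMPLE_LOG)
    for f in detect_token_abuse(evs, PROFILES):
        print(f.timestamp, f.app_id, "; ".join(f.reasons))
    print("daily volume:", rows_by_app_and_day(evs))
    print("revoke tokens for:", revocation_candidates(detect_token_abuse(evs, PROFILES)))
```

The useful property is that the check keys on the connected app identity and its declared scope, not on a username or password, which is why a stolen third-party token still trips it: the token is valid, but the traffic it produces does not look like the integration it was issued to. Revoking the app’s tokens and rotating the integration secret is the containment step; the profile then becomes the allowlist the re-authorized app must stay within.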
2025 Gainsight Campaign
On November 20, 2025, Salesforce publicly reported detecting unusual activity involving applications published by Gainsight that were connected to its platform. The campaign, tracked by Google Threat Intelligence Group as activity adjacent to UNC6395 and claimed by ShinyHunters, again relied on OAuth access and refresh tokens stolen from a third-party Salesforce integration rather than on any compromise of Salesforce itself.
The hacking group claimed responsibility for hacks affecting Atlassian, Docusign, F5, GitLab, LinkedIn, Malwarebytes, SonicWall, Thomson Reuters, Verizon, and more.
2026 Salesforce Experience Cloud Exploitation
On March 7, 2026, Salesforce released a security advisory linking a “known threat group” to the exploitation of customer misconfigurations in its Salesforce Experience Cloud product. Two days later, on March 9, 2026, ShinyHunters claimed responsibility for these data thefts on its data leak site.
The hacking group claimed to have breached about 400 companies, naming Snowflake, Okta, LastPass, Salesforce itself, Sony, AMD, and “a lot more”.
2025 Mixpanel Analytics Breach
In November 2025, the ShinyHunters cybercriminal group was linked to a breach of the third-party analytics provider Mixpanel, which affected multiple high-profile Mixpanel customers including Pornhub and OpenAI. Both OpenAI and Pornhub confirmed that the exposure was not the result of a compromise of their own systems but of the breach at Mixpanel.
2026 SSO Social Engineering Campaigns
In January 2026, ShinyHunters was linked by multiple media and threat-intelligence firms to a series of social-engineering campaigns targeting enterprise single sign-on (SSO) environments, including Okta. The attacks relied on voice-phishing (“vishing”) and credential-harvesting infrastructure rather than exploitation of vulnerabilities in Okta’s software.
This ongoing, highly active data theft campaign has led to data breaches at major companies including University of Pennsylvania, Princeton University, Harvard University, Grubhub, Crunchbase, Tinder, Hinge, Bumble Inc, and Wynn Resorts.
Law Enforcement and Legal Actions
ShinyHunters is under investigation by the FBI, and by the Indonesian and Indian police for the Tokopedia breach. Minted reported the group’s hack of its systems to US federal law enforcement authorities, and that investigation is underway.
Administrative documents from California show that ShinyHunters’ hack of Mammoth Media led to a class-action lawsuit against the company. Animal Jam stated that it was preparing to report ShinyHunters to the FBI Cyber Task Force.
| Year | Campaign/Target | Method | Impact |
|---|---|---|---|
| 2024 | Snowflake customers (Ticketmaster, Santander, Neiman Marcus) | Data breach | Multiple companies affected |
| 2025 | Salesforce (UNC6040) | Vishing, malicious Data Loader tool | Google, Cisco, Adidas, Qantas, and others |
| 2025 | Salesloft/Drift (UNC6395) | Stolen OAuth tokens | 1.5 billion records, 760 companies |
| 2025 | Gainsight Salesforce integration | Stolen OAuth tokens | 285 Salesforce instances |
| 2025 | Mixpanel analytics | Smishing compromise | Pornhub, OpenAI |
| 2026 | SSO environments (Okta) | Vishing, credential harvesting | 100+ organizations including universities and major companies |
| 2026 | Salesforce Experience Cloud | Misconfiguration exploitation | 400 companies including Snowflake, Okta, Sony |
