< ciso
brief />
Tag Banner

All news with #shinyhunters tag

76 articles · page 4 of 4

Checkout.com Refuses Ransom After ShinyHunters Breach

🔒 Checkout.com confirmed that the criminal group ShinyHunters accessed a legacy third-party cloud file storage system used in 2020 and earlier and is attempting to extort the company. The exposed materials reportedly include merchant onboarding documents and internal operational files, and Checkout estimates the data affects less than 25% of its current merchant base while also touching former customers. Rather than paying, the firm said it will donate the ransom amount to Carnegie Mellon University and the University of Oxford Cyber Security Center and invest in strengthening its security.
read more →

Scattered Spider, LAPSUS$, and ShinyHunters: SLH Collective

🕸 The nascent Scattered LAPSUS$ Hunters (SLH) collective — a merging of Scattered Spider, LAPSUS$, and ShinyHunters — has repeatedly recreated its Telegram presence, cycling channels at least 16 times since August 8, 2025. The group markets an extortion-as-a-service offering to affiliates, targets organizations including those using Salesforce, and has teased a custom ransomware family called Sh1nySp1d3r. Trustwave SpiderLabs assesses SLH as blending financially motivated crime with attention-seeking hacktivism and sophisticated brand management.
read more →

Scattered LAPSUS$ Hunters Unite ShinyHunters Alliance

🔎 Trustwave SpiderLabs has identified a coordinated alliance now operating as Scattered LAPSUS$ Hunters (SLH), merging reputational capital from Scattered Spider, ShinyHunters and LAPSUS$. The collective presents a unified operational brand, complete with a named "Operations Centre," centralized narrative and affiliate-driven extortion model. Analysis attributes fewer than five core operators managing roughly 30 personas and highlights Telegram as a persistent command-and-branding hub. Trustwave warns this consolidation aims to fill the vacuum left by the collapse of BreachForums and to sustain public, intimidation-based extortion tactics.
read more →

Oracle Quietly Patches E-Business Suite Zero-Day Exploit

⚠️ Oracle has quietly released an out-of-band update addressing CVE-2025-61884 in Oracle E-Business Suite, a pre-authentication SSRF exploited by a publicly leaked proof-of-concept published by the ShinyHunters extortion group. Oracle's advisory warns the flaw can expose sensitive resources but did not disclose active exploitation or the public exploit release, prompting follow-up from researchers. Independent testers confirm the new update now blocks the SSRF component that previously bypassed earlier patches.
read more →

FBI Seizes BreachForums Portal Used in Salesforce Extortion

🔒 The FBI, in coordination with French authorities, seized BreachForums domains used by the ShinyHunters group as a portal for leaking corporate data and facilitating extortion. Nameservers were updated on October 9 and law enforcement reports they obtained backups and backend servers dating back to 2023, though the actors' dark‑web leak site remains online. ShinyHunters confirmed the takeover via a PGP‑signed Telegram post and warned the Salesforce campaign will continue.
read more →

ShinyHunters Launch Extortion Site Targeting Corporates

🔓 A cybercrime collective known as ShinyHunters has launched a public extortion blog threatening to publish data stolen from dozens of major companies if ransoms are not paid. The group claims to have harvested Salesforce customer records via a May voice-phishing campaign, and also says it exfiltrated terabytes of files from a Red Hat GitLab server and Discord user data tied to a third-party provider. Security firms and affected vendors including Salesforce, Red Hat and Discord are investigating, while Google and other investigators link the activity to several related UNC clusters and warn of additional token thefts tied to Salesloft. Victim shaming, published exploit scripts for an Oracle E-Business Suite zero-day, and malware-laced threats have amplified the incident’s severity.
read more →

ShinyHunters Joins Extortion Effort After Red Hat Breach

🔐 Red Hat is facing renewed extortion after a breach of its GitLab instance used by Red Hat Consulting was claimed to have exposed nearly 570GB of compressed data across thousands of repositories, including about 800 Customer Engagement Reports (CERs). The Crimson Collective initially claimed the theft and says it received no ransom response. The group announced a collaboration with Scattered Lapsus$ Hunters and has used the newly launched ShinyHunters leak site to press extortion demands, publishing CER samples and setting an October 10 deadline. Red Hat did not respond to inquiries.
read more →

Allianz Life July Data Breach Affects Nearly 1.5 Million

🔐Allianz Life has completed its investigation into a July cyberattack and says 1,497,036 people were impacted. A malicious actor accessed a third-party cloud-based CRM on July 16, 2025, and obtained names, addresses, dates of birth, and Social Security numbers. While some reporting linked the intrusion to a Salesforce-targeted wave attributed to ShinyHunters, Allianz Life has not confirmed that attribution. Notified individuals are offered two years of free identity monitoring from Kroll and guidance to enable credit monitoring or consider freezing credit.
read more →

Stellantis Confirms Third-Party Cybersecurity Breach

🔒 Stellantis has confirmed unauthorized access to a third‑party service provider platform that supports its North American customer service operations. The group said affected customer information was potentially exposed but limited to contact details and did not include stored financial or other sensitive data. Stellantis activated incident response protocols, notified authorities and began informing impacted customers while warning them to expect phishing attempts. Security researchers and outlets linked the incident to claims by ShinyHunters and a recent series of Salesforce-related data breaches.
read more →

Stellantis: Customer Contact Data Stolen in Salesforce Hack

🔒 Stellantis confirmed unauthorized access to a third-party platform supporting its North American customer service operations, and said attackers stole customer contact information. The company stated the compromised system did not contain financial or other sensitive personal data and that it activated incident response procedures and notified authorities. Reports link the incident to a broader wave of Salesforce-related intrusions claimed by ShinyHunters, and customers are being urged to watch for phishing attempts.
read more →

ShinyHunters Claims 1.5B Salesforce Records Stolen via Drift

🔒 The ShinyHunters extortion group claims they stole approximately 1.5 billion Salesforce records from 760 companies by abusing compromised Salesloft Drift and Drift Email OAuth tokens exposed in a Salesloft GitHub breach. The attackers reportedly accessed Account, Contact, Case, Opportunity, and User tables and searched exfiltrated data for secrets to pivot further. Google/Mandiant and the FBI are tracking the activity as UNC6040/UNC6395, and Salesforce urges customers to enable MFA, enforce least privilege, and manage connected apps carefully.
read more →

Fifteen Ransomware Groups Announce Retirement Plans

🔒 Fifteen prominent ransomware groups, including Scattered Spider, ShinyHunters and Lapsus$, posted a collective statement on BreachForums announcing they are ceasing operations and entering a period of “silence.” The announcement framed their activity as exposing systemic vulnerabilities rather than pure extortion and said some members intend to retire on accumulated funds while others will continue studying systems quietly. Analysts and threat intelligence experts cautioned this could be a temporary PR move, noting past groups have rebranded or spawned successors rather than vanishing permanently.
read more →

ShinyHunters Breach Hits Gucci, McQueen and Balenciaga

🔒 Luxury fashion groups Gucci, Alexander McQueen and Balenciaga have had customer data exposed in an attack linked to the ShinyHunters group. A sample of files shared with the BBC reportedly included thousands of genuine customer records and spending details, and the group claims data on 7.4 million email addresses. Kering confirmed temporary unauthorized access in June but said no financial information or government identifiers were involved. Security experts warn the data could fuel follow-on fraud, especially if sold on criminal forums.
read more →

Kering Confirms Customer Data Theft at Gucci and Balenciaga

🔒 Kering has confirmed that an unauthorised third party accessed limited customer data from several of its luxury brands, including Gucci, Balenciaga, and Alexander McQueen. The exposed information may include names, dates of birth, phone numbers, email addresses, and store purchase histories, while payment card and financial data do not appear to have been compromised. Reports link the incident to the ShinyHunters group and to earlier 2024 breaches and alleged Salesforce CRM access; chat logs indicated ransom discussions, and police later arrested suspects tied to underground leak site BreachForums. Customers have been notified and should be vigilant for phishing, SMS scams, and suspicious calls.
read more →

Scattered Spider Claims Responsibility for JLR Cyber Attack

🔐 Jaguar Land Rover (JLR) is investigating claims by an English‑speaking cybercrime syndicate calling itself “Scattered Lapsus$ Hunters,” which says it accessed JLR systems and is attempting to extort the company. The group shared unverified screenshots on Telegram that allegedly show internal logs and troubleshooting notes. JLR confirmed a cyber incident on September 2 that disrupted sales and production after the company proactively shut down systems; analysts warn that alleged collaboration with ShinyHunters and Lapsus$ could amplify the threat.
read more →

Workiva Discloses Data Theft Linked to Salesforce Breach

🔒 Workiva notified customers that attackers who accessed a third-party CRM exfiltrated a limited set of business contact data, including names, email addresses, phone numbers, and support ticket content. The company said the Workiva platform and any data within it were not accessed or compromised. Workiva warned customers to remain vigilant for spear‑phishing and reiterated it will not request passwords by text or phone. BleepingComputer reported the incident is tied to recent Salesforce breaches attributed to the ShinyHunters group.
read more →