Data breaches have become an all too common threat in recent years, exposing personal information through attacks on companies and institutions. Some of these assaults are the result of sophisticated nation-state espionage operations, while others are fueled by online criminals hoping to sell the stolen data. Over the first two weeks of May, a hacking group called ShinyHunters has been on a rampage, hawking what it claims is close to 200 million stolen records from at least 13 companies.
Such binges aren't unprecedented in the dark web stolen data economy, but they're a crucial driver of identity theft and fraud. Without new breaches, user details that are already in circulation—like account login credentials, names, addresses, phone numbers, and credit card data—simply get repackaged again and again and passed around criminal forums at lower cost. Fresh data is like gold. But while ShinyHunters came on strong in early May, dropping trove after trove of freshly stolen data, the group now seems to have gone quiet.
"What’s interesting about this is how this group appeared out of nowhere and had all this new data for sale," says Vinny Troia, CEO of the IT security firm Night Lion Security who has been tracking ShinyHunters. "I always find that as an immediate flag. Nobody just drops into the scene with all this stuff. So that's why I don't believe Shiny is a new player to this market."
On May 1, ShinyHunters emerged with a sample of 15 million customer data records stolen from the Indonesian ecommerce site Tokopedia. Two days later the group started selling what it claimed was the full trove of 91 million Tokopedia user accounts on the popular dark web marketplace Empire. On the same day, it also began selling a trove of almost 22 million user accounts grabbed from the Indian education platform Unacademy. Both companies have confirmed the breaches, though Unacademy says the number of affected users is 11 million.
Both dumps contained passwords, but only in hashed form, which makes them difficult to crack. The troves also contain usernames, email addresses, full names, account creation dates, and last login times, plus, in the case of Tokopedia, phone numbers and dates of birth.
ShinyHunters then claimed on May 6 to have stolen over 500 GB of Microsoft source code from the company's private GitHub account. The group circulated one gigabyte of the data that appeared legitimate, but researchers later concluded that the materials were largely sample projects and code snippets that were intended for publication anyway. "We’re aware of these claims and are investigating," Microsoft told WIRED in a statement. "Should we identify any directly impacted customers, we will contact them via established channels."
After generating buzz from these early disclosures, ShinyHunters went on a tear over the following week, stating that it had data from 10 more sites, including dating app Zoosk, meal kit company Home Chef, design-focused marketplace Minted, Minnesota's Star Tribune newspaper, health and wellness site Mindful, photo printing service Chatbooks, and the web publication Chronicle of Higher Education. Not all of the companies have acknowledged ShinyHunters' claims, but more and more have gone public over the last two weeks with confirmations.
On Wednesday, Home Chef said in a statement, "We recently learned of a data security incident impacting select customer information. Based on the information known to date, the following information was impacted in the incident: Email address, name, and phone number. Encrypted passwords. The last four digits of credit card numbers. Other account information such as frequency of deliveries and mailing address may also have been compromised."
Chatbooks put out a similar statement last week. "We found that the breach occurred on March 26, 2020, and that the stolen information appears to consist primarily of Chatbooks login credentials, including names, email addresses, and individually salted and hashed passwords," the company said. "Additionally, for a small portion of the affected records, some phone numbers, Facebook IDs, and inactive social media access and merchant tokens were also stolen. No payment or credit card information was compromised in any way."
An entity claiming to be a member of ShinyHunters said in an instant message conversation with WIRED that it is "not too hard" to breach so many organizations. "It's just a way to make money, but if companies are afraid and want their database taken off the market, they can contact me for an agreement, it has been done recently and both sides were satisfied," the group said.
Night Lion's Troia and other researchers said they haven't seen evidence in dark web forums that ShinyHunters has actually brokered any such deals, but it's possible. Those transactions are often done quietly, similar to the silence around victims paying ransomware actors.
Zack Allen, director of threat intelligence at the security firm ZeroFox, says that ShinyHunters' strategy of building hype on different forums and ginning up press attention is an increasingly common approach for such data thieves. For example, ShinyHunters dubbed the early May disclosures "Stage 1" and indicated that more was to come. The public relations push and staggered release are reminiscent of methods used by the incredibly prolific data dumpers known as GnosticPlayers, who started selling almost a billion stolen records from numerous companies in a short period of time last year. ShinyHunters also promoted its stolen data using a few personas on open, highly trafficked platforms like Raid Forums in addition to more elite dark web marketplaces like Empire.
"It definitely does not happen every day that a new actor like this shows up," ZeroFox's Allen says. "But I think a lot of cybercrime is going to start going public even more just because it’s really good hype."
Allen points out, though, that based on visible cryptocurrency payments it doesn't look like ShinyHunters has so far been wildly successful at selling its data, amassing tens of thousands of dollars, but nothing like the hundreds of thousands other groups have made. And he says that the pricing schemes for the troves seem amateurish, with some data overvalued and some undervalued.
Night Lion's Troia says the person or people behind ShinyHunters are displaying much of the same behavior he observed in tracking other dark web data brokers, particularly GnosticPlayers. But he suggests that this recent data may not have been as appealing to potential buyers since so many of the troves contain strongly hashed passwords.
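The hashed Tokopedia and Unacademy passwords, the "individually salted and hashed passwords" in the Chatbooks statement, and Troia's point that strongly hashed troves are less attractive to buyers all rest on the same property: a per-user salt stops an attacker from amortizing one round of guessing across every record, and a slow key-derivation function raises the cost of each guess. The following Python example is added here for illustration and is not code from the WIRED article or from any of the companies named; it contrasts a fast unsalted SHA-256 digest with per-user salts plus PBKDF2-HMAC-SHA256 (chosen for the demonstration; the page does not say which schemes the breached sites actually used) over a constructed four-account table and a five-word attacker wordlist.

```python
import hashlib
import os
from typing import Dict, List, Tuple

# Constructed sample accounts (not from any real breach). Alice and Carol
# share the same weak password; Dave uses a passphrase outside the wordlist.
USERS: Dict[str, str] = {
    "alice@example.com": "summer2019",
    "bob@example.com": "P@ssw0rd!",
    "carol@example.com": "summer2019",
    "dave@example.com": "correcthorsebatterystaple",
}

# Constructed attacker wordlist, deliberately tiny.
WORDLIST: List[str] = ["123456", "password", "summer2019", "P@ssw0rd!", "qwerty"]

PBKDF2_ITERATIONS = 100_000  # illustrative work factor, an assumption for this example


def store_unsalted(users: Dict[str, str]) -> Dict[str, str]:
    """Weak scheme: a single fast, unsalted SHA-256 digest per password."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in users.items()}


def store_salted(users: Dict[str, str], salt_len: int = 16) -> Dict[str, Tuple[bytes, bytes]]:
    """Stronger scheme: a random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    table = {}
    for u, p in users.items():
        salt = os.urandom(salt_len)
        digest = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, PBKDF2_ITERATIONS)
        table[u] = (salt, digest)
    return table


def crack_unsalted(table: Dict[str, str], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Hash each candidate once, then look every record up in the precomputed map.
    Total hashing work is len(wordlist), regardless of how many records there are."""
    lookup = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    recovered = {u: lookup[h] for u, h in table.items() if h in lookup}
    return recovered, len(wordlist)


def crack_salted(table: Dict[str, Tuple[bytes, bytes]], wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """No shared precomputation is possible: every record needs its own KDF run
    per candidate, so work grows with records x candidates x iterations."""
    recovered = {}
    kdf_runs = 0
    for u, (salt, digest) in table.items():
        for w in wordlist:
            kdf_runs += 1
            if hashlib.pbkdf2_hmac("sha256", w.encode(), salt, PBKDF2_ITERATIONS) == digest:
                recovered[u] = w
                break
    return recovered, kdf_runs


def compare(users: Dict[str, str] = USERS, wordlist: List[str] = WORDLIST) -> Dict[str, object]:
    """Run both attacks and report who was recovered and how much work it took."""
    unsalted_hits, fast_hashes = crack_unsalted(store_unsalted(users), wordlist)
    salted_hits, kdf_runs = crack_salted(store_salted(users), wordlist)
    return {
        "unsalted_recovered": sorted(unsalted_hits),
        "salted_recovered": sorted(salted_hits),
        "fast_hashes": fast_hashes,
        "kdf_runs": kdf_runs,
    }


if __name__ == "__main__":
    unsalted = store_unsalted(USERS)
    salted = store_salted(USERS)
    print("unsalted digests equal for alice/carol:",
          unsalted["alice@example.com"] == unsalted["carol@example.com"])
    print("salted digests equal for alice/carol:",
          salted["alice@example.com"][1] == salted["carol@example.com"][1])
    print(compare())
```

Two things stand out when this runs. With unsalted digests, Alice and Carol's shared password is visible before any cracking (identical digests), and the whole table falls to five fast hashes; with salted PBKDF2, their digests differ and the attacker needs a separate KDF run for every record and candidate, each costing 100,000 HMAC iterations. The weak passwords are still recovered in the end, which is why "hashed" is not the same as "safe" and why the affected companies advise changing passwords anyway.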
The ShinyHunters entity WIRED messaged with said last week that it is inspired by GnosticPlayers, but denied any connection. The persona said ShinyHunters doesn't fear getting caught even though it is aware that other data brokers have been arrested. But as its hacking spree has seemingly stalled, the ShinyHunters entity has become more subdued in conversation. To a question on Tuesday about whether the "Second Stage" will be released soon the actor simply replied, "No." But when asked if the trove will drop eventually the group had an equally straightforward reply: "Yes."
Though most of the confirmed ShinyHunters breaches don't reveal plaintext passwords, many of the affected companies are still advising that users change their password just in case; a hashed password that was weak or reused can still be cracked offline given enough time. It's always a worthwhile step to take if you have an account with one of the victim organizations and want to be cautious. And it's easy to do if you have a password manager set up. If not, get on that! Given that ShinyHunters stole data that can be used to help a hacker impersonate you, like names, home addresses, phone numbers, and dates of birth, and that some of the breaches included the last four digits of credit card numbers, you should also keep an eye on your financial statements if you have an account with any of the impacted companies.
The ShinyHunters data itself doesn't offer scammers a direct path to easy fraud, but it still builds out the universe of possible options for criminals. And whether it's ShinyHunters or another actor doing the dumping, there always seems to be someone who's motivated to steal data for the selling.