
ShinyHunters Fuel Surge in Data Leaks


"Courtesy of the ShinyHunters, there's been just a very large amount of data on a very regular cadence published into the public domain," said Troy Hunt, founder and CEO of Have I Been Pwned.

ShinyHunters and The Com's extortion model

The wave of public data leaks tracked by Have I Been Pwned (HIBP) is being driven in large part by a group known as ShinyHunters, which the source links to "the Western adolescent cybercrime collective known as The Com." Members of that collective, Hunt said, specialize in phone-based social engineering: they call victims, trick them into providing access to cloud systems — "oftentimes including Salesforce and other cloud-based storage instances" — then hold the harvested data for ransom and regularly leak it if victims refuse to pay.

Salesforce instances, cloud dumps, and voice social engineering

Hunt emphasized the operational pattern: these attackers gain interactive access (often via social-engineering phone calls) rather than exploiting a single software vulnerability in a vendor like Salesforce. That changes the character of the data incidents. The stolen material frequently comes from cloud platforms and can be large — Hunt said some incidents are "multiple terabytes of data" — and includes unexpected free-text fields such as support tickets. In at least one recent Salesforce-related leak, Hunt noted the dataset included "some support tickets, and the support tickets related to health claims."

Have I Been Pwned's AI-assisted triage

Have I Been Pwned ingests "stolen data that gets publicly leaked or obtained by law enforcement, and directly notifies any subscribers when it finds their email address in the corpus of breached data." The volume and cadence of public dumps from ShinyHunters have forced HIBP to change how it processes incidents. Hunt said his organization is using artificial intelligence to analyze large leaks — which "might fill more than a terabyte of data" — to identify what personal information might have been exposed and to speed the process of deciding what to load and notify.

Real-world impact: individuals often minor, organizations hit hardest

Hunt drew a clear distinction between the typical individual impact and the organizational consequences. For many victims, the exposed data is "relatively unsensitive" — email addresses or home addresses that are "so discoverable" that any single breach may be negligible. But sensitivity can vary by context: where an email's association to a service such as the adult dating platform Ashley Madison is disclosed, or where free-text fields surface health-related details, the consequences can be more serious.

By contrast, Hunt argued that the "worst time" is for the organizations that are breached: they face extortion, class-action lawsuits and intense public scrutiny. He described a recurring pattern in which organizations assert they have "done everything we could" — a claim Hunt called fallacious when it relies on measures that have little practical effect, such as seeking injunctions that do not prevent data that is already circulating from spreading further. He described real-world friction: Ticketek, a Snowflake customer, obtained an injunction that complicated HIBP's handling of already-published data; Qantas faced similar legal entanglements "last year." Hunt also observed that paying a ransom may reduce immediate distribution in some cases but provides no guarantee the data was fully removed or won't leak again.

What this means for the AFP, Dutch prevention programs, and enterprise security teams

  • AFP and other law enforcement: Hunt said prevention efforts exist — citing the Australian Federal Police and initiatives in the Netherlands where agencies have sent warnings to forum users and even conducted physical visits to parents — but he warned those teams are "massively under-resourced." Resource competition with other policing priorities constrains prevention programs.
  • European prevention units (the Dutch): Hunt noted concrete prevention tactics, including emails to forum participants and outreach, and described physical interventions in homes when appropriate — actions that can surprise parents and sometimes stop offending behavior early.
  • Enterprise security teams and defenders: The shift in TTPs toward phone-based account takeover and large cloud-data dumps means defenders must treat human processes (help-desk and third-party access controls) as first-class security controls. HIBP's use of AI to triage terabyte-scale leaks underscores that defenders will increasingly rely on automated analysis to identify exposed fields and prioritize notification.

Hunt framed the current spike as a generational and economic problem as much as a technical one: many of the actors are young, sometimes neurodiverse, and motivated by quick financial reward. He warned that normalization — seeing dozens of dumps, some removed after negotiation and others published repeatedly — could draw more young people into criminal collectives.

For now the facts are straightforward: ShinyHunters and related groups are publishing large quantities of stolen cloud data on a steady cadence; Have I Been Pwned is ingesting the material and using AI to triage what is often terabytes of data; individuals' direct harms are frequently limited but not negligible; and organizations are facing the hardest, most immediate consequences in court, reputation and extortion. The question Hunt leaves open is operational and political: will law enforcement resourcing and preventative programs scale quickly enough to blunt a phenomenon that, by his account, is already a "melting point" of youth, opportunity and available stolen data.

Source: Wave of ShinyHunters Extortion Drives Surge in Data Leaks — Information Security Media Group