Cyber Incident Victim: Styleshare

Date:

May 2020

Location:

Indonesia

Summary

The hacking group Shiny Hunters compromised user records from multiple companies and began selling them on the dark web. This included databases from Tokopedia, Unacademy, Microsoft's GitHub account, HomeChef, ChatBooks, and Chronicle.com. The group initially offered the databases for prices ranging from $1,500 to $2,500, flooding the market with new data breaches and compromising a total of 73.2 million user records. The incident compromised data confidentiality and integrity.

Description

The incident involving the Shiny Hunters hacker group unfolded over a concentrated period in early May 2020, beginning with the group's advertisement of a massive 91 million user record database allegedly stolen from Tokopedia, Indonesia's largest online marketplace. This initial breach announcement marked the start of an aggressive data dumping campaign across dark web marketplaces. Within days, the group expanded operations by offering 22 million user records from Unacademy, a major Indian online learning platform, prompting the company to confirm a breach after BleepingComputer's inquiry. The attackers escalated their activities on May 6 by claiming unauthorized access to Microsoft's GitHub account, leaking files from private repositories that multiple sources confirmed contained legitimate Microsoft proprietary code accessible only to employees, though Microsoft did not issue an official breach acknowledgment.

Between May 7 and 8, cybersecurity firms ZeroFox and Cyble observed Shiny Hunters dramatically increasing their dark web listings, adding databases from at least nine additional organizations. Confirmed victims included meal delivery service HomeChef, photo printing platform ChatBooks, and higher education news site Chronicle.com, with these three breaches alone exposing approximately 26 million user accounts. The attackers initially priced these databases between $1,500 and $3,500, though they dynamically adjusted pricing based on demand and negotiation activity. By May 8, the cumulative count of compromised organizations reached 11, with the total volume of exposed user records across all breaches estimated at 73.2 million.

Security analysts who reviewed samples of the leaked data reported strong indications of legitimacy, though full forensic validation remained pending at the time of reporting. Several affected companies, including ChatBooks, initiated user notifications and password reset procedures upon learning of the breaches through media reports, while others had not yet responded to inquiries from journalists or cybersecurity researchers.

The incident's primary confirmed impacts included widespread credential exposure across multiple industries, potential supply chain risks through the Microsoft repository leak, and operational disruptions as victim organizations scrambled to investigate claims. No ransomware deployment, destruction of systems, or financial fraud attempts were documented in available reports, with the attackers' observable activities focused exclusively on data exfiltration and dark web monetization.
