Cyber Incident Victim: Jukin Media

Date: Nov 2021

Location: United States of America

Summary

Jukin Media experienced a security breach where attackers exfiltrated sensitive data including databases, Jenkins configurations, invoice agreements, Redis snapshots, VPN configurations, and application source code. The company initially attributed a mandatory password reset to a "security upgrade," but evidence emerged of a significant compromise involving over 110,000 user records, with data leaked on a forum after the threat actor ShinyHunters was detected and blocked. The incident highlighted discrepancies between the organization's public communications and the confirmed breach, as the company failed to disclose the attack despite requiring credential resets and facing operational disruptions.

Description

On November 4, 2021, Jukin Media publicly instructed users to reset passwords, attributing the action to a “security upgrade.” The timing and lack of prior notice prompted external scrutiny, with attempts to contact the company via Twitter direct messages receiving no response. Concurrent technical disruptions prevented access to Jukin’s website, generating 504 errors and temporary unavailability messages, including failures when submitting press inquiries. Later that day, a forum thread emerged advertising the sale of Jukin Media’s data for a nominal fee, confirming a breach. The listing explicitly referenced multiple compromised systems and data repositories, including MySQL and PostgreSQL databases, Jenkins automation servers, Redis snapshots, VPN configurations, and application source code. A users table containing over 110,000 records was identified among the exfiltrated assets.

The attacker claimed to have extracted significant portions of data after Jukin Media detected and blocked intrusion attempts linked to the ShinyHunters threat group. This timeline contradicted the company’s initial “security upgrade” explanation, as defensive actions indicated prior awareness of malicious activity. Exfiltrated records included sensitive operational details such as invoice agreements, site configurations, and internal system snapshots. Jukin Media did not issue further public statements acknowledging the breach or clarifying the discrepancy between its password reset justification and the confirmed attack. The absence of transparency regarding the confirmed intrusion and data exposure left users uninformed about risks to their personal information.
