Cyber Incident Victim: ShinyHunters
Date: May 2020
Location: Indonesia
Summary
A hacker group known as ShinyHunters compromised 11 companies, exfiltrating and selling approximately 73.2 million user records on dark web marketplaces. Among the affected entities were a major Indonesian e-commerce platform, a prominent Indian online learning service, and Microsoft's GitHub account, with stolen data including private source code repositories. Initial sale prices for the databases ranged from $1,500 to $3,500. Some victim organizations confirmed breaches after being alerted, while others remained unresponsive. Analysis of leaked samples indicated the data appeared legitimate, though full verification was pending at the time of reporting.
Description
In May 2020, the hacker group ShinyHunters initiated a series of data breaches targeting multiple companies, culminating in the sale of 73.2 million user records across 11 organizations on a dark web marketplace. The activity began with the sale of a database containing over 90 million user records from Tokopedia, Indonesia’s largest online store, followed by 22 million records from Unacademy, a major Indian online learning platform. Unacademy confirmed the breach after being contacted by media. ShinyHunters then claimed to have compromised Microsoft’s GitHub account earlier that year, leaking files from private source code repositories accessible only to Microsoft employees; while Microsoft did not publicly acknowledge the breach, independent sources verified the authenticity of the leaked data. Initial pricing for these databases ranged from $1,500 to $2,500, though some listings, like ChatBooks’ data, later increased to $3,500. By May 9, cybersecurity firm Cyble reported ShinyHunters had expanded operations to flood the market with additional breached datasets, bringing the total affected companies to 11. Samples of the data reviewed by journalists appeared legitimate, though full verification remained pending at the time of reporting.

The cumulative impact involved the exposure of sensitive user information across diverse sectors, including e-commerce, education, and technology. ChatBooks began notifying users of their breach following media coverage, though most other affected companies had not issued public statements or responded to inquiries. BleepingComputer attempted to contact all implicated organizations but received no replies prior to publication. The rapid succession of breaches and aggressive dark web sales strategy indicated a coordinated effort to monetize stolen data at scale, with ShinyHunters leveraging access to high-profile targets to establish credibility in underground markets. No technical details regarding breach methods, internal detection timelines, or containment measures were disclosed by the affected entities beyond Unacademy’s breach acknowledgment and ChatBooks’ notifications. The incident highlighted risks associated with centralized dark web marketplaces facilitating bulk data trafficking, though law enforcement or platform-level responses to the listings were not detailed in available reports.
