Cyber Incident Victim: Ggumim
Date:
May 2020
Location:
United States of America
Summary
In May 2020, a hacking group known as Shiny Hunters sold stolen user databases on dark web marketplaces. After earlier sales of data from a major Indonesian online store and a large Indian learning platform, and a claimed leak of a tech giant's private source code repositories, the group listed a further batch of eleven databases holding approximately 73.2 million user records in total, a batch that included this entry's victim, Ggumim. Initial asking prices ranged from $1,500 to $3,500 per database. Several affected companies confirmed breaches after being notified, while others had not responded at the time of reporting. Security researchers verified the legitimacy of some datasets through samples, including working credentials and proprietary code repositories accessible only to employees of the targeted tech company. The incident exposed sensitive user information across multiple sectors.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In May 2020, a hacking group identified as Shiny Hunters ran a coordinated campaign to sell stolen user databases on a dark web marketplace. The activity began with the sale of a database containing over 90 million user accounts from Tokopedia, Indonesia's largest online marketplace, followed shortly by the release of 22 million user records from Unacademy, a major Indian online learning platform. Unacademy confirmed the breach after being contacted by media, acknowledging unauthorized access to its systems. The group also claimed responsibility for compromising Microsoft's GitHub account earlier that year, leaking files from private source code repositories accessible only to Microsoft employees. While Microsoft did not formally confirm the GitHub breach, internal sources verified the authenticity of the leaked repositories. Shiny Hunters then flooded the marketplace with a further batch of databases from eleven companies, together holding approximately 73.2 million user records; this batch was separate from the Tokopedia and Unacademy sales (Tokopedia alone exceeds that total) and is the one that included Ggumim. One of these databases, from ChatBooks, had its listing price raised to $3,500; the other datasets were priced between $1,500 and $2,500, with fluctuations observed over time. Cybersecurity firm Cyble alerted media outlets about the surge in listings, noting the group's strategy of saturating the market with newly acquired data. BleepingComputer reviewed samples of the breached data and found them credible, though full verification remained pending. Attempts to contact the other affected companies had yielded no responses at the time of reporting.

The incident impacted millions of users across multiple industries, with stolen data including account credentials, personal information, and proprietary corporate materials. Tokopedia's breach represented the largest single exposure, while Unacademy's compromised data prompted immediate user notifications. ChatBooks began notifying its users following media coverage, though other affected organizations had not publicly addressed the claims. The leak of Microsoft's private repositories raised concerns about intellectual property theft and downstream security risk, since leaked source can be mined for hard-coded secrets and unpatched bugs. Combined, the datasets created widespread credential-stuffing risk: users often reuse passwords across services, so a username and password pair taken from one breached site will frequently open accounts on unrelated ones, and a service that was not itself breached can still suffer account takeovers driven by these dumps. The rapid succession of listings suggested Shiny Hunters already held the data and released it in stages to maximize visibility and profit. No ransomware or extortion demands were reported in connection with the breaches; the group monetized the data through direct sale rather than through encryption-based extortion. The dark web marketplace served as the primary distribution channel, with price changes indicating fluctuating demand among buyers. Cybersecurity analysts noted the group's operational sophistication but did not attribute the activity to a specific nation-state or ideology. At the time of reporting, the full scope of data misuse remained unconfirmed, and most companies had not disclosed remediation efforts or forensic findings.
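The credential-stuffing risk described above is something that operators of services not themselves breached can detect in their own login logs. The following is an added example, not code from the incident write-up or from any of the affected companies: a sliding-window detector that flags source IPs trying many distinct usernames with mostly failed logins, and lists the accounts that nevertheless succeeded from that IP, which are the takeover candidates to force-reset. The log format (JSON lines with ts, src_ip, user and result fields), the thresholds, and the sample log lines are constructed assumptions.

```python
"""Credential-stuffing detector run over a constructed login log.

Added example; not code from the incident write-up or from any affected
company. It assumes an application login log in JSON-lines form with the
fields ts, src_ip, user and result. The sample below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

# Constructed sample. 203.0.113.7 replays leaked username/password pairs
# against eight accounts and gets one hit; 198.51.100.4 is one person
# mistyping their own password; 203.0.113.9 tries four accounts, which is
# below the distinct-user threshold used in run_demo().
SAMPLE_LOG = """\
{"ts": "2020-05-10T09:00:00Z", "src_ip": "203.0.113.7", "user": "alice", "result": "fail"}
{"ts": "2020-05-10T09:00:05Z", "src_ip": "203.0.113.7", "user": "bob", "result": "fail"}
{"ts": "2020-05-10T09:00:11Z", "src_ip": "203.0.113.7", "user": "carol", "result": "fail"}
{"ts": "2020-05-10T09:00:17Z", "src_ip": "203.0.113.7", "user": "dave", "result": "fail"}
{"ts": "2020-05-10T09:00:24Z", "src_ip": "203.0.113.7", "user": "erin", "result": "success"}
{"ts": "2020-05-10T09:00:30Z", "src_ip": "203.0.113.7", "user": "frank", "result": "fail"}
{"ts": "2020-05-10T09:00:36Z", "src_ip": "203.0.113.7", "user": "grace", "result": "fail"}
{"ts": "2020-05-10T09:00:41Z", "src_ip": "203.0.113.7", "user": "heidi", "result": "fail"}
{"ts": "2020-05-10T09:01:00Z", "src_ip": "198.51.100.4", "user": "ivan", "result": "fail"}
{"ts": "2020-05-10T09:01:20Z", "src_ip": "198.51.100.4", "user": "ivan", "result": "fail"}
{"ts": "2020-05-10T09:01:40Z", "src_ip": "198.51.100.4", "user": "ivan", "result": "success"}
{"ts": "2020-05-10T09:02:00Z", "src_ip": "203.0.113.9", "user": "judy", "result": "fail"}
{"ts": "2020-05-10T09:02:10Z", "src_ip": "203.0.113.9", "user": "mallory", "result": "fail"}
{"ts": "2020-05-10T09:02:20Z", "src_ip": "203.0.113.9", "user": "oscar", "result": "fail"}
{"ts": "2020-05-10T09:02:30Z", "src_ip": "203.0.113.9", "user": "peggy", "result": "fail"}
"""


def parse_events(text):
    """Parse JSON lines into dicts, converting ts to an aware UTC datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.75):
    """Flag source IPs that, within some sliding window, hit at least
    min_users distinct usernames with a failure ratio of at least
    min_fail_ratio.

    Stuffing differs from brute force: roughly one try per account across
    many accounts, so the distinct-user count is the primary signal and the
    failure ratio the secondary one. Returns one alert per offending IP for
    the window with the most usernames, listing the accounts that logged in
    successfully from it (takeover candidates).
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["src_ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        best = None
        for i in range(len(evs)):
            users, successes = set(), set()
            attempts = failures = 0
            for e in evs[i:]:
                if e["ts"] - evs[i]["ts"] > window:
                    break
                attempts += 1
                users.add(e["user"])
                if e["result"] == "success":
                    successes.add(e["user"])
                else:
                    failures += 1
            if len(users) < min_users or failures / attempts < min_fail_ratio:
                continue
            if best is None or len(users) > best["distinct_users"]:
                best = {
                    "src_ip": ip,
                    "window_start": evs[i]["ts"].isoformat(),
                    "distinct_users": len(users),
                    "attempts": attempts,
                    "failures": failures,
                    "compromised": sorted(successes),
                }
        if best:
            alerts.append(best)
    return alerts


def run_demo():
    """Run the detector over the constructed sample with default thresholds."""
    return detect_credential_stuffing(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_demo():
        print(json.dumps(alert, indent=2))
```

The thresholds here are sized for the small sample; in production they should be set against baseline traffic, and the successful logins an alert reports are the accounts to force-reset and notify, since a success inside a spray is the signature of a reused password from one of these dumps.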
