Cyber Incident Victim: Storybird
Date: Nov 2020
Location: Canada
Summary
Storybird's data was compromised and publicly dumped by the threat actor ShinyHunters as part of a broader series of breaches affecting multiple organizations. The incident emerged amid forum disputes involving alleged fraudulent sales of stolen databases, where a disgruntled buyer retaliated by releasing datasets—including Storybird's—on a Russian-language platform before the accounts involved were deactivated. The breach exposed user information, though it remains unclear whether the company was previously aware of the intrusion.

| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |

| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |

Description
On or around November 12, 2020, the threat actor group ShinyHunters conducted a series of unauthorized data disclosures involving multiple organizations, including Storybird. This activity occurred alongside public disputes within cybercriminal forums regarding the sale and distribution of stolen databases. ShinyHunters dumped databases from numerous entities such as Animal Jam, eatigo, Peatix, Redmart, Pluto.tv, Storybird, and Homechef, though specific details regarding the breach methods or exact timing for Storybird were not disclosed in available reports.

The incident gained broader attention when a forum user alleged financial deception by ShinyHunters and a data broker known as "ExpertData," claiming they violated an exclusivity agreement after receiving payment exceeding tens of thousands of dollars. Instead of addressing the complaint, the forum administrators banned the aggrieved user, who subsequently retaliated by leaking multiple databases on a Russian-language cybercrime forum. These retaliatory leaks included data from Eatigo, Eskimi, Geniusu, Glofox, JoinPiggy, Peatix, Pluto, Nitrogo, and Redmart, though Storybird's data was not explicitly listed in this secondary dump. The retaliatory leaks were short-lived, with the shared databases being deleted shortly after posting and the user's forum account deactivated within 24 hours of the incident.

The breach exposed Storybird's database alongside those of other organizations, though the specific nature of compromised data (such as user records, financial information, or system details) was not publicly delineated in source material. Available evidence suggests affected organizations, including Storybird, might not have been initially aware of the breaches, as indicated by speculation that journalists would need to contact them for responses. No verified statements from Storybird regarding incident acknowledgment, containment measures, forensic investigations, or user notifications were documented in the source material. The broader incident highlighted operational conflicts within cybercriminal ecosystems, where financial disputes among threat actors led to retaliatory data dissemination. Consequences for Storybird likely included potential reputational damage, regulatory scrutiny, and risks to user privacy, though specific impacts remained unquantified in public reporting. The rapid deletion of leaked databases from the Russian forum might have limited immediate exposure, but the initial ShinyHunters dump represented a persistent data compromise.
