Cyber Incident Victim: ShinyHunters Collective
Date: May 2020
Location: Indonesia
Summary
The Shiny Hunters hacker group leaked and sold stolen data from multiple companies, including databases containing over 73 million user records across 11 organizations. Victims included an Indonesian online store, an Indian e-learning platform, Microsoft's private GitHub repositories, a meal delivery service, a photo printing platform, and a news outlet, with compromised data encompassing emails, hashed passwords, social media tokens, IP addresses, and personally identifiable information such as partial social security numbers. The group advertised these databases on dark web markets, pricing them between $1,500 and $3,500, with cybersecurity firms assessing the breaches as legitimate. The hackers indicated plans to release additional stolen datasets, demonstrating a pattern of targeting high-profile entities to monetize sensitive user information.
Description
In May 2020, the hacker group Shiny Hunters initiated a widespread data breach campaign targeting multiple companies, subsequently flooding dark web marketplaces with stolen user databases. The activity began with the sale of a Tokopedia database containing over 90 million user records, followed by 22 million records from Indian online learning platform Unacademy. After BleepingComputer contacted Unacademy about the breach, the company confirmed the incident publicly. Shiny Hunters then claimed responsibility for breaching Microsoft’s GitHub account earlier that year, leaking files from private source code repositories. While Microsoft did not officially acknowledge the breach, sources familiar with the matter verified the authenticity of the leaked repositories, which were accessible only to Microsoft employees. Initial pricing for these three databases ranged between $1,500 and $2,500, though ChatBooks’ data saw an increase to $3,500 after initial listing. By May 8, Shiny Hunters expanded their offerings to include data from meal kit service HomeChef (8 million records), photo service ChatBooks (15 million records), and Chronicle.com (3 million records), bringing the total to 26 million additional accounts across these three entities.

The group’s activities escalated further as cyber intelligence firm Cyble reported Shiny Hunters had listed data from 11 companies by May 9, totaling 73.2 million compromised user records. Samples reviewed by BleepingComputer indicated legitimacy, though full verification remained pending. HomeChef’s database, priced at $2,500, included emails, bcrypt-hashed passwords, IP addresses, phone numbers, zip codes, and partial Social Security numbers. ChatBooks’ $2,000 listing contained SHA-512 hashed passwords, social media access tokens, and personally identifiable information (PII), while Chronicle.com’s $1,500 dataset lacked public details. ZeroFox analysts confirmed with high confidence that the breaches were authentic, noting the hackers’ stated intent to release additional databases. Despite the volume of data offered, none of the three newer listings had buyers at the time of reporting, leading researchers to anticipate price reductions or redistribution across other markets. ChatBooks began notifying affected users following media reports, while other targeted companies, including HomeChef and Chronicle.com, had not issued public statements or responded to inquiries. The incident underscored the risks of credential reuse, prompting security advisories for users to update passwords across impacted services.
