University of Nottingham
June 9, 2026
•[ cyber attack, extortion, data leak ]
In June 2026, the University of Nottingham was the target of a cyber attack, later linked to a ShinyHunters "pay or leak" extortion campaign. Tens of gigabytes of data were subsequently published online and included 455k unique email addresses along with extensive personal information including names, addresses, phone numbers, ethnicities, disabilities, passport numbers and information relating to academic enrolments and fee payments. In a post about the incident, the university advised that the breach affected both "current students, and alumni".
BCD Travel
May 29, 2026
•[ extortion, data leak, data theft ]
In May 2026, the corporate travel management company BCD Travel was claimed as a victim of the ShinyHunters "pay or leak" extortion campaign. Data allegedly obtained from BCD was subsequently published publicly in early June and contained 396k unique email addresses. Other exposed data included names, addresses, phone numbers, job titles and employer names, spanning a variety of different data sets including leads, internal staff and support tickets.
Charter
May 23, 2026
•[ extortion, data leak, ShinyHunters ]
In May 2026, the telecommunications company Charter Communications (the parent company behind the consumer broadband and cable brand Spectrum) was named by the ShinyHunters group in a "pay or leak" extortion campaign. The group later published the data, which exposed 4.9M unique email addresses along with names, phone numbers and physical addresses. A subset of approximately 85k records originating from an internal employee directory also included job titles. Charter confirmed the incident, but stated that no sensitive personal information or customer proprietary network information (CPNI) was exfiltrated.
Baker Distributing
May 23, 2026
•[ data extortion, data leak, ShinyHunters ]
In May 2026, the HVAC/R wholesale distributor Baker Distributing Company was added to the ShinyHunters data extortion group's "pay or leak" site. In early June, the group publicly published data they claimed had been obtained from Baker's SharePoint and Salesforce infrastructure including 103k unique email addresses along with names, physical addresses, phone numbers and tickets relating to the company's HVAC contractor customer base. The exposed data was largely corporate contact and support information with limited sensitivity.
Cushman & Wakefield
May 5, 2026
•[ vishing, extortion, data leak ]
In May 2026, the real estate services firm Cushman & Wakefield was the target of a "pay or leak" extortion campaign by the ShinyHunters group. Following the threat, the group publicly published data they alleged had been obtained from the firm, consisting mostly of C&W email addresses along with tens of thousands of external email addresses and corporate contact records. The exposed data was primarily business information, including names, job titles, company addresses and phone numbers.
Udemy
April 24, 2026
•[ data leak, extortion, cybercrime ]
In April 2026, online training company Udemy was the victim of a pay or leak extortion attempt perpetrated by the ShinyHunters group. The data was subsequently leaked publicly and contained 1.4M unique email addresses belonging to customers and instructors. The data also included names, physical addresses, phone numbers, employer information and instructor payout methods including PayPal, cheque and bank transfer.
Udemy, Inc.
April 24, 2026
•[ data leak, extortion, ShinyHunters ]
ShinyHunters listed Udemy in a pay-or-leak extortion attempt on April 24, 2026 and subsequently leaked data containing 1.4 million unique email addresses belonging to customers and instructors, along with names, physical addresses, phone numbers, employer information, and instructor payout methods. Public reporting did not confirm encryption, deletion, or operational disruption.
Canada Life
April 20, 2026
•[ extortion, data leak, phishing ]
In April 2026, Canada Life was the victim of a "pay or leak" extortion campaign by the ShinyHunters group. The group subsequently published the data which contained over 200k unique email addresses along with names, phone numbers, physical addresses and, in some cases, customer support tickets. In their disclosure notice, Canada Life advised that "it is a small proportion of our customers who may have been impacted". In the wake of the incident, Canada Life also published an alert cautioning customers to be wary of phishing attacks, a pattern often seen after the public release of breached data.
Aman
April 20, 2026
•[ extortion, data leak, CRM breach ]
In April 2026, the ultra-luxury hotel brand Aman was named by ShinyHunters as the target of a "pay or leak" extortion campaign, with the data allegedly obtained from their Salesforce CRM. The data was subsequently leaked publicly and contained over 200k unique email addresses. Whilst not present on all records, the data also included genders, physical addresses, phone numbers, nationalities, dates of birth, spouse names and VIP status codes.
ADT
April 20, 2026
•[ data breach, extortion, data leak ]
In April 2026, home security firm ADT confirmed a data breach by ShinyHunters, which listed the company on its website as part of a "pay or leak" extortion attempt. The breach impacted 5.5M unique email addresses along with names, phone numbers and physical addresses. ADT also advised that "in a small percentage of cases, dates of birth and the last four digits of Social Security numbers or Tax IDs were included" and that it had contacted all affected people.
Pitney Bowes
April 20, 2026
•[ extortion, data leak, hacking collective ]
In April 2026, the hacking collective ShinyHunters claimed to have obtained data from Pitney Bowes as part of a broader extortion campaign that also named several other organisations. After negotiations allegedly failed, the group publicly released the data which included 8.2M unique email addresses, along with names, phone numbers and physical addresses. A subset of the data also included Pitney Bowes employee records with job titles.
Aman Resorts
April 18, 2026
•[ extortion, data leak, PII ]
ShinyHunters named Aman Resorts in an April 2026 pay-or-leak extortion campaign and claimed compromise of over 500,000 Salesforce CRM records containing PII. DataBreach indexed 294,871 rows, while Have I Been Pwned reported over 200,000 unique email addresses and said the leaked data also included names, phone numbers, physical addresses, dates of birth, nationalities, spouse names, and VIP status codes. Public sources did not confirm encryption, data destruction, or operational disruption.
Abrigo
April 14, 2026
•[ extortion, data leak, fintech ]
In April 2026, the fintech software company Abrigo was targeted in a "pay or leak" extortion attempt by the ShinyHunters group. Shortly after, data allegedly taken from the company's Salesforce instance was published publicly and contained over 700k unique email addresses belonging to both Abrigo staff and external contacts. Whilst separate from Abrigo's Salesforce compromise via the Drift application connector the previous year, the data fields described in that incident are consistent with the ShinyHunters data, namely that it was "business contact information" including "institution name, employee name, email addresses, and phone numbers".
Mytheresa
April 12, 2026
•[ extortion, data leak, ShinyHunters ]
In April 2026, the luxury fashion e-commerce platform Mytheresa was listed as a victim of the ShinyHunters "pay or leak" extortion group. After the ransom deadline passed, the group publicly released the data which contained 84k unique email addresses. The exposed data also included names, phone numbers, physical addresses, purchases and partial credit card data including card type, last 4 digits and expiry date.
Rockstar Games
April 11, 2026
•[ data breach, third-party breach, SaaS breach ]
ShinyHunters claimed it stole nearly 80 million business records from Rockstar Games through a third-party SaaS/Snowflake-related breach; Rockstar said only a limited amount of non-material company information was accessed and that there was no impact on operations or players.
7-Eleven
April 8, 2026
•[ unauthorized access, data leak, ransom ]
7-Eleven discovered on April 8, 2026 that an unauthorized third party accessed systems used to store franchisee documents. ShinyHunters claimed responsibility, claimed theft of more than 600,000 Salesforce records, and leaked a 9.4 GB archive after ransom demands were not met; Have I Been Pwned identified 185,300 exposed individuals in the leaked data.
7-Eleven
April 8, 2026
•[ extortion, data leak, ShinyHunters ]
In April 2026, 7-Eleven was the victim of a "pay or leak" extortion campaign by ShinyHunters, with the data later published that month. The incident exposed 185k unique email addresses, along with names, physical addresses, dates of birth and phone numbers. A small number of records also contained additional exposed data fields. The company later advised the breach was limited to "certain 7-Eleven systems used to store franchisee documents", a statement consistent with the exposed data.
Amtrak
April 3, 2026
•[ data leak, ransomware, ShinyHunters ]
In April 2026, the hacking group ShinyHunters claimed they had breached Amtrak. The group typically compromises organisations' Salesforce instances before demanding a ransom and later, if not paid, dumping the data publicly. The exposed data contained over 2M unique email addresses along with names, physical addresses and customer support records.
Hallmark
March 31, 2026
•[ data leak, extortion, support tickets ]
In March 2026, Hallmark suffered an alleged breach and subsequent extortion after attackers gained access to data stored within Salesforce. The data was later published after the extortion deadline passed, exposing 1.7M unique email addresses across both Hallmark and the Hallmark+ streaming service, along with names, phone numbers, physical addresses and support tickets.
ZenBusiness
March 27, 2026
•[ data breach, extortion, ransomware ]
In March 2026, the hacker and extortion group "ShinyHunters" claimed to have obtained a substantial corpus of data from ZenBusiness, a business formation and compliance platform. The group claimed the data had been exfiltrated from platforms including Snowflake, Mixpanel and Salesforce, and threatened to publish it if a ransom was not paid. The following month, after claiming payment had not been made, ShinyHunters publicly released the data. The collection amounted to many terabytes across thousands of files that appeared to originate from multiple systems and business functions, including leads, support records and other CRM-related data. The data contained approximately 5M unique email addresses, often accompanied by name and phone number depending on the source file.