Addi
March 25, 2026
•[ fintech, data breach, extortion ]
In March 2026, the Colombian fintech company Addi identified unauthorised activity on its platform and advised customers that "it is possible that your personal information may have been compromised". The "pay or leak" extortion group ShinyHunters subsequently claimed responsibility and published a large trove of personal data allegedly obtained from Addi. The data included 34M unique email addresses from credit scoring requests, credit bureau records, customer identity records and email validation logs. It also contained government issued IDs (Cdula de Ciudadana), estimated income, socioeconomic levels, purchases and other credit-related data points.
Aura
March 18, 2026
•[ voice phishing, vishing, data leak ]
BleepingComputer reported Aura confirmed an incident where an unauthorized party gained access to nearly 900,000 records containing names and email addresses. Aura said the incident was caused by voice phishing targeting an employee and that the exposed data originated from a marketing tool used by a company acquired in 2021. Aura stated the event exposed information for 20,000 current and 15,000 former customers within the larger marketing dataset and that compromised customer information includes full names, email addresses, home addresses, and phone numbers, while emphasizing SSNs, account passwords, and financial information were not compromised. ShinyHunters claimed responsibility and said it stole 12GB of files and leaked them.
Telus Digital
March 12, 2026
•[ Data breach, Credential theft, Cloud security ]
Telus Digital confirmed a security incident after ShinyHunters claimed it stole nearly 1 petabyte of data in a multi-month breach. Reporting stated ShinyHunters said it gained initial access using Google Cloud Platform credentials found in data stolen in the Salesloft/Drift breach, and that Telus was not negotiating. At publication, Telus Digital had not been added to the actors leak site in the cited report, and specific data categories and affected individuals were not publicly enumerated in the DataBreaches summary.
Woflow
March 4, 2026
•[ data breach, extortion, PII ]
In March 2026, the AI-driven merchant data platform Woflow was named as a victim by the ShinyHunters data extortion group. The group subsequently published tens of thousands of files allegedly obtained from the company, comprising more than 2TB of data. The trove included hundreds of thousands of email addresses, names, phone numbers and physical addresses, with the data indicating it related to Woflow customers and, in turn, the customers of merchants using their platform.
Ameriprise
March 2, 2026
•[ extortion, data leak, ShinyHunters ]
In March 2026, the financial services firm Ameriprise Financial was named by the ShinyHunters group in a "pay or leak" extortion campaign. The group claimed possession of more than 200GB of compressed data exfiltrated from Ameriprise's Salesforce environment and internal SharePoint infrastructure, and subsequently published the data after negotiations allegedly failed. The published data contained 500k unique email addresses as well as names, phone numbers, physical addresses and employer information. In their disclosure to state attorneys general, Ameriprise reported 47,876 affected people; the larger email address population represents contacts from Ameriprise's broader operational systems, including internal staff. Ameriprise further advised that they have "implemented heightened monitoring of your account(s) to include enhanced identity verification procedures".
Mercer Advisors
February 16, 2026
•[ cybersecurity breach, ransomware, data leak ]
Wealth Management reported a class action lawsuit alleging Mercer Advisors suffered a cybersecurity breach around Feb. 16, 2026 carried out by ShinyHunters. The complaint said ShinyHunters demanded ransom within 48 hours and threatened to leak roughly 5.7 million client records; after Mercer refused to pay, the group published the stolen information. The article states the leaked data includes names, Social Security numbers, and other personal information, raising risks of identity theft, fraud, and highly targeted phishing/social engineering. The report also mentions ShinyHunters targeting other wealth firms, but the primary record is the Mercer breach and alleged publication of client data.
CarGurus
February 14, 2026
•[ data breach, extortion, data leak ]
In February 2026, the automotive marketplace CarGurus was the target of a data breach attributed to the threat actor ShinyHunters. Following an attempted extortion, the data was published publicly and contained more than 12M email addresses across multiple files including user account ID mappings, finance pre-qualification application data and dealer account and subscription information. Impacted data also included names, phone numbers, physical and IP addresses, and auto finance application outcomes.
CarGurus
February 13, 2026
•[ data breach, social engineering, vishing ]
TechRadar reported that ShinyHunters claimed to have breached CarGurus and stolen about 1.7 million corporate records, threatening to release the data by a stated deadline. The report linked the claim to a broader wave of social-engineering vishing attacks used to obtain employee credentials/MFA codes and then access SSO dashboards (Okta/Entra/Google) and downstream applications. At the time of reporting in the article, CarGurus had not publicly confirmed the breach details, the precise intrusion window, or exactly what categories of data were taken beyond the actors claim, so this record reflects an alleged data-theft event pending independent confirmation.
Odido
February 12, 2026
•[ data breach, extortion, data leak ]
In February 2026, Dutch telco Odido was the victim of a data breach and subsequent extortion attempt. Shortly after, 1M records containing 317k unique email addresses were published, followed by further releases exposing an additional 371k and then 833k unique email addresses, with the latter also including passport, drivers licence and European national ID numbers. The exposed data includes names, physical addresses, phone numbers, bank account numbers and customer service notes. Odido has published a disclosure notice advising that impacted data may also include dates of birth and government-issued identity document numbers.
Figure
February 12, 2026
•[ social engineering, data leak, extortion ]
Figure Technology Solutions confirmed it suffered a data breach after an employee fell victim to a social engineering attack, with attackers obtaining a limited number of files. SecurityWeek reported that the ShinyHunters group took credit and posted archive files on its leak site; Have I Been Pwned analysis identified roughly 967,000 user records in the leaked data. The exposed information includes names, dates of birth, email addresses, postal addresses, and phone numbers. The reporting frames the incident as data theft/extortion without describing service disruption to Figures lending operations.
Optimizely
February 11, 2026
•[ voice-phishing, social engineering, data leak ]
Attackers associated with the ShinyHunters cybercriminal group used a voice-phishing social engineering attack to gain access to Optimizelys internal systems and CRM environment. Approximately 10,000 client organizations were affected, with exposed data including business contact information such as names, email addresses, and phone numbers.
Match Group Inc. (Tinder, Hinge, OkCupid)
January 29, 2026
•[ data leak, cybercrime, ShinyHunters ]
A cybercrime group calling itself ShinyHunters claimed responsibility for accessing and leaking limited user and internal data from Match Group platforms. Match Group confirmed a security incident but stated that passwords, financial information, and private messages were not compromised.
Edmunds
January 24, 2026
•[ data breach, ShinyHunters, PII ]
In January 2026, the automotive research and car-shopping platform Edmunds was listed by the ShinyHunters hacking group as having been breached. Data purportedly obtained in the incident was later published publicly and included 178k unique email addresses, usernames, passwords, IP addresses, phone numbers and vehicle-related records.
Waltio
January 24, 2026
•[ data leak, extortion, cryptocurrency ]
French crypto tax platform Waltio reported being targeted by the ShinyHunters group, which claimed to possess personal data for nearly 50,000 users and threatened to leak users 2024 tax reports unless a ransom was paid. Waltio stated that its services and production systems remained secure and that no sensitive banking credentials or crypto access data was compromised. The incident primarily involves alleged data theft and extortion threats rather than service disruption, with the full scope of stolen fields not detailed in the summary.
Crunchbase
January 23, 2026
•[ vishing, social engineering, credential theft ]
Reporting on an Okta SSO vishing (voice-phishing) campaign, ShinyHunters reportedly confirmed to a researcher that it conducted the campaign and launched a new dark web leak site. According to the report, ShinyHunters claimed that multiple victims had their data posted after refusing extortion demands, naming Crunchbase, SoundCloud, and Betterment as initial examples. The incident reflects social-engineering-driven credential theft leading to unauthorized access and data theft, followed by extortion and publication of alleged victim data.
University of Pennsylvania
October 30, 2025
•[ data breach, ransomware, donor records ]
In October 2025, the University of Pennsylvania was the victim of a data breach followed by a ransom demand, largely affecting its donor database. After the incident, the attackers sent inflammatory emails to some victims. The data was later published online in February 2026 and included 624k unique email addresses alongside names and physical addresses. For some donor records, additional personal information was exposed, including gender and date of birth. A small subset of records also contained religion, spouse name, estimated income and donation history.
National Credit Information Center (CIC), State Bank of Vietnam
September 10, 2025
•[ hack, leak, financial ]
VNCERT confirmed signs of intrusion targeting personal-data theft at CIC; ShinyHunters/Scattered Spider claimed ~160M records, allegedly exploiting end-of-life software; data offered for sale with samples posted.
Wynn Resorts
September 1, 2025
•[ data leak, employee personnel records, Social Security numbers ]
Attackers associated with the ShinyHunters cybercriminal group gained unauthorized access to Wynn Resorts systems in September 2025. The intrusion exposed approximately 800,000 employee personnel records containing Social Security numbers and other personal identifying information.
Pornhub
August 11, 2025
•[ extortion, phishing, data leak ]
Cybercriminal group ShinyHunters claimed theft of a 94GB dataset containing about 201 million records tied to Pornhub Premium user activity and launched an extortion campaign demanding payment in Bitcoin. Reporting linked the compromise to third-party analytics provider Mixpanel, where access allegedly began on November 8, 2025 after a smishing attack harvested employee login credentials. Samples reviewed by journalists reportedly included email addresses, approximate location (city/country), video titles and URLs, search keywords, and timestamps for watches/downloads. Pornhub stated its internal systems were not directly hacked and that sensitive items such as passwords and credit card details remained secure, while Mixpanel later suggested some access may have involved a legitimate employee account associated with Pornhubs parent company, Aylo.
Canada Goose
August 1, 2025
•[ data leak, third-party breach, customer records ]
BleepingComputer reported that Canada Goose was investigating after ShinyHunters leaked more than 600,000 customer records. Canada Goose said it had not found evidence its own systems were breached and believed the data related to past customer transactions. ShinyHunters told BleepingComputer the dataset was unrelated to recent SSO attacks and claimed it originated from a third-party payment processor breach and dates back to August 2025. The exposed data was described as including purchase history plus device/browser information and order values; it did not appear to include full payment card numbers.