ShadowByt3s Claims Starbucks S3 Breach Exposed Source Code and Beverage Firmware
Threat actor ShadowByt3s, using the alias BlackVortex1, claimed to have breached Starbucks by accessing a misconfigured Amazon S3 bucket allegedly named sbux-assets and exfiltrating about 10 GB of proprietary data. The actor said the haul includes source code, internal web-based management and inventory tools, developer backup files, authentication logic, internal service URLs, and firmware tied to store equipment including Mastrena II espresso machines, FreshBlends smoothie stations, beverage dispensers, and Siren System and Blue Sparq controllers.
The stolen material was advertised on dark web forums with claims that proof had been shared through Mega.nz and Telegram, and the actor set an April 5 extortion deadline, threatening to publish the dataset if Starbucks does not pay. Reporting said the exposure could create supply-chain and operational technology risks because the alleged leak includes control logic and firmware for beverage equipment, while threat intelligence monitoring channels including VECERT flagged the claim; the incident also follows a separate Starbucks disclosure in March involving a phishing campaign that compromised 889 Partner Central employee accounts.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
ShadowByt3s sets April 5 extortion deadline for Starbucks
After advertising the alleged stolen data, ShadowByt3s threatened to publicly release the dataset unless Starbucks paid by 2026-04-05. The actor also claimed to have shared proof via Mega.nz and Telegram while promoting insider recruitment tied to the campaign.
Threat intelligence channels flag the alleged Starbucks leak
Also on 2026-04-01, cybersecurity monitoring platforms including VECERT reportedly flagged the alleged Starbucks data leak on threat intelligence channels. This marked broader external awareness of the actor's breach claim.
ShadowByt3s claims Starbucks S3 bucket breach and data theft
On 2026-04-01, threat actor ShadowByt3s, using the persona BlackVortex1, claimed to have breached Starbucks via a misconfigured Amazon S3 bucket named "sbux-assets." The actor alleged exfiltration of about 10 GB of proprietary data, including source code, beverage machine firmware, internal management tools, inventory systems, and operational technology assets.
Phishing campaign compromises 889 Starbucks employee accounts
In March 2026, a separate Starbucks incident was disclosed involving a credential-harvesting phishing campaign that compromised 889 Partner Central employee accounts. This predates the later alleged cloud-bucket breach claim.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Starbucks Breach - Attacks Allegedly Claim 10GB of Stolen Source Code
cybersecuritynews.com
Open sourceShadowByt3s Claims Starbucks Breach With 10GB of Proprietary Source Code, Beverage Machine Firmware, and Global Management Tools From Compromised S3 Bucket
darkwebinformer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Starbucks Employee Data Breach via Phishing of Partner Central Accounts
**Starbucks** disclosed a data breach affecting employee *Partner Central* accounts after attackers used phishing sites impersonating the company’s login portal to steal valid credentials and access internal HR-related records. The company said it became aware of the intrusion on or about February 6, 2026, and a subsequent investigation found unauthorized access to **889 employee accounts** between January 19 and February 11. The compromised data included employees’ full names, **Social Security numbers**, dates of birth, and bank account and routing information, creating elevated risk of identity theft and financial fraud. Starbucks said it engaged external cybersecurity experts, notified law enforcement, and implemented additional security measures around Partner Central access following the incident. Affected employees were advised to monitor financial accounts for suspicious activity, and the company is offering **24 months of Experian IdentityWorks** identity protection and credit monitoring. Reporting that focuses on the same incident consistently attributes the breach to credential theft through fake Partner Central websites, while separate coverage of **Loblaw** concerns a different retail-sector intrusion and is not part of the Starbucks event.
Mar 21, 2026
ShadowByt3s Claims Ellucian PowerCampus Breach Exposed Indian School Records
ShadowByt3s claimed it breached the Ellucian PowerCampus education platform by exploiting misconfigured Amazon S3 buckets and Azure Blob storage operated by Indian managed service provider Neoskool, exposing data tied to more than eight schools in Manipur and Meghalaya. The leaked information reportedly includes student and staff photos, Aadhaar numbers, plaintext passwords, medical alerts, marksheets, fee records, certificates, class schedules, and daily database exports, affecting children from Nursery through Class 12 as well as school personnel. The actor said it is extorting Ellucian PowerCampus rather than the individual schools and has posted sample data on both clearnet and Tor leak sites. Reports also cite AWS canary evidence indicating write and delete access to cloud storage, raising the risk of destructive tampering in addition to data theft, while the group has simultaneously advertised for insiders with a **30/70 revenue split** as part of its broader **"Campaign Operation Cloud."**
Apr 17, 2026
ShinyHunters Claims Data Theft from Panera Bread via Microsoft Entra SSO Code
The extortion group **ShinyHunters** claimed it stole customer data from **Panera Bread**, alleging exfiltration of **14+ million records** containing PII such as names, email and home addresses, phone numbers, and account details. Reporting indicates the attackers said Panera access was obtained using a compromised **Microsoft Entra single sign-on (SSO) code**, aligning with broader industry warnings about criminals stealing SSO tokens/codes via **voice-phishing** campaigns. Neither Panera nor Microsoft publicly confirmed details in the cited coverage, and Panera/other victims did not immediately respond to media inquiries. ShinyHunters also asserted it holds data from **CarMax** (500,000+ records) and **Edmunds** (millions of records), but described those as stemming from **earlier, unrelated intrusions**; CarMax has previously been linked in reporting to a **Salesforce environment** compromise attributed to a ShinyHunters-associated group (**Scattered Lapsus$ Hunters**). Separate reporting about an **860GB Target source code leak** describes a different incident (likely initiated by an infostealer on an employee workstation) and is not part of the ShinyHunters/Panera SSO-code intrusion claims.
Mar 21, 2026