ShinyHunters Publishes Stolen Data From Bumble, Match Group, and Dozens of Firms
ShinyHunters has published a broad trove of allegedly stolen data affecting more than 40 organizations across retail, healthcare, hospitality, insurance, and consumer services, with reporting tying the leak campaign to victims including Bumble, Match Group, Mytheresa, Zara, Carnival, and 7-Eleven. Researchers said the exposed material includes personally identifiable information, customer and transaction records, internal corporate files, and multi-terabyte datasets; one of the largest alleged exposures involved Medtronic, where roughly 9 million records were reportedly listed before that entry was later removed from the leak site.
The campaign reflects ShinyHunters' continued shift from ransomware-style encryption to data theft and extortion, with the group allegedly threatening to keep victim data available indefinitely on criminal platforms. Separate reports said the actors claimed to have stolen about 10 million records from dating-app companies, while researchers also linked leaked Bumble data to the same operation after an earlier claim that roughly 30GB had been taken from the company. The disclosures echo a wider criminal pattern in which stolen sensitive data is leaked to pressure victims after exfiltration, including in healthcare breaches such as the Change Healthcare incident.

How this story unfolded
25 events from the most recent confirmed update back to the earliest known activity.
DentaQuest linked to ShinyHunters after alleged 233GB data drop
A Troy Hunt weekly update cited DentaQuest as an example in the ongoing ShinyHunters campaign, stating that an alleged 233GB dataset from the organization was dropped shortly after it was mentioned. This adds DentaQuest as a newly disclosed victim in the group's 2026 data-theft and extortion activity.
ShinyHunters claims theft of 14 million Panera Bread records
Daily Dark Web reported that ShinyHunters claimed to have stolen 14 million records from Panera Bread. This adds Panera Bread as a newly disclosed victim in the broader ShinyHunters data-theft and extortion campaign.
ShinyHunters threatens indefinite exposure of stolen victim data
By late April 2026, reporting described ShinyHunters as shifting from file encryption to pure data theft and extortion, with threats to keep victim data available indefinitely on underground platforms. The campaign was said to expose millions of records and terabytes of stolen information.
Medtronic listing is removed from the ShinyHunters leak site
Later reporting said Medtronic, initially highlighted as a major victim with about nine million allegedly compromised records, was subsequently removed from the leak site. The removal suggested a possible ransom payment or ongoing negotiation, though this was not confirmed.
Inditex acknowledges Zara-related breach tied to former technology provider
Inditex said unauthorized access affected group databases in an incident tied to a former technology provider after Zara was named in ShinyHunters leak threats. The company said passwords, payment cards, and other payment methods were not exposed.
Mytheresa data leaked after ShinyHunters ransom deadline expires
In April 2026, Mytheresa was identified as a victim of the ShinyHunters extortion group in a pay-or-leak incident. After the ransom deadline passed, the group publicly released stolen data reportedly including 84,000 unique email addresses, customer contact and purchase details, and partial payment card information.
ShinyHunters threatens Ameriprise Financial with 200GB data leak
Cybernews reported that ShinyHunters threatened Ameriprise Financial and claimed to hold about 200GB of stolen data. The report adds Ameriprise as a newly disclosed victim in the group’s 2026 data-theft and extortion campaign.
Aura confirms ShinyHunters breach affecting at least 900,000 people
Aura confirmed it was breached in an incident linked to ShinyHunters and said at least 900,000 individuals were impacted. The disclosure adds Aura as a newly identified victim in the group’s 2026 data-theft and extortion campaign.
Odido linked to ongoing ShinyHunters leak campaign
The Register reported that Dutch telecom provider Odido was affected as ShinyHunters leak activity continued, adding Odido as a newly disclosed victim in the broader 2026 publication wave. The report also indicated Dutch police were supporting the company in response to the incident.
ShinyHunters demands $1.5M over alleged Wynn Resorts data theft
The Register reported that ShinyHunters demanded $1.5 million from Wynn Resorts to prevent the leak of allegedly stolen data. The report adds Wynn Resorts as a newly disclosed victim in the group’s 2026 data-theft and extortion campaign.
Canada Goose says ShinyHunters leak came from older breach
Canada Goose said a Valentine's Day dataset attributed to ShinyHunters, reportedly containing more than 600,000 records, did not result from a new security incident at the company. The retailer said the leaked data appeared to stem from an older breach and that it was reviewing the dataset to verify its accuracy and scope.
ShinyHunters claims theft of 10 million dating-app records
The Register reported that ShinyHunters claimed it had stolen 10 million records from dating apps. This marked a public escalation in the group’s claims around consumer-platform data exposure.
Reports link Bumble data to ShinyHunters leak listings
Cybernews reported that Bumble-related data associated with the Hives group was found in ShinyHunters leak postings, warning that the company was among the exposed organizations. The reporting connected Bumble to the broader January 2026 publication wave.
ShinyHunters allegedly breaches Bumble and offers 30GB of data
A Daily Dark Web report said ShinyHunters allegedly breached Bumble Inc. and claimed to possess about 30GB of stolen data. This appears to be the earliest referenced event tied to the later Bumble-related reporting.
Additional victims are posted in the same ShinyHunters leak wave
Further leak-site postings continued during the same week after the first January 23 listing, expanding the scope of the campaign. Reported victims included major brands such as Mytheresa, Zara, Carnival, 7-Eleven, and Medtronic.
ShinyHunters begins publishing a new multi-victim data trove
According to later reporting, the earliest listing in a large ShinyHunters leak campaign appeared on January 23, 2026. The trove reportedly involved around 40 organizations across sectors including retail, insurance, and hospitality.
ShinyHunters claims Santander breach and offers data on 30 million customers
BleepingComputer reported that ShinyHunters claimed to have breached Santander and was selling data allegedly tied to 30 million customers. This adds Santander as a newly disclosed victim in the group’s activity prior to the later 2025–2026 campaign entries.
Bonobos breach reported after 70GB database leak
BleepingComputer reported that clothing retailer Bonobos suffered a data breach and that a 70GB database was leaked by a hacker. The report adds Bonobos as another disclosed victim in the broader ShinyHunters-linked retail data exposure campaign.
ShinyHunters publishes 1.9 million stolen Pixlr user credentials
SiliconANGLE reported that ShinyHunters published 1.9 million stolen user credentials from photo editing site Pixlr. The report adds Pixlr as another disclosed victim in the group’s early multi-company data theft and exposure campaign.
ShinyHunters leaks 5.22GB Mashable database
Hackread reported that ShinyHunters leaked a 5.22GB database allegedly belonging to Mashable.com. The report identifies Mashable as another victim in the group’s 2020 multi-company data exposure campaign.
ShinyHunters linked to leak of 386 million records from 18 companies
Security Affairs reported that ShinyHunters leaked more than 386 million user records stolen from 18 companies. The report documents an earlier large-scale multi-victim data exposure campaign attributed to the group, predating the later 2025–2026 incidents in the existing timeline.
Minted confirms breach as ShinyHunters sell stolen database
Minted confirmed a data breach after ShinyHunters offered the company's database for sale. The incident identifies Minted as an additional victim in the group's 2020 data-theft campaign.
Zoosk dating profiles offered for sale by ShinyHunters
Graham Cluley reported that millions of Zoosk dating profiles were put up for sale by the hacking group ShinyHunters. The report identifies Zoosk as another victim in the group's early 2020 multi-company data theft and exposure campaign.
TechRadar reports ShinyHunters leaking millions of user details
TechRadar reported that ShinyHunters was leaking millions of user details, documenting an early phase of the group's 2020 multi-victim data exposure activity. The report indicates the campaign was already affecting multiple organizations before later victim-specific disclosures such as Minted and Mashable.
ZDNet reports ShinyHunters selling 73 million user records
ZDNet reported that the hacker group ShinyHunters was selling more than 73 million user records on the dark web. The report marks an early public disclosure of the group’s 2020 multi-victim data theft and sale activity before later victim-specific reports such as Zoosk and Minted.
Sources
28 references tracked.
Troy Hunt: Weekly Update 506
troyhunt.com
Have I Been Pwned: Mytheresa Data Breach
haveibeenpwned.com
Panera Bread Data Breach: ShinyHunters Claims 14 Million Records Stolen - Daily Dark Web
dailydarkweb.net
ShinyHunters exposes data on Mytheresa, Zara, Carnival, 7-Eleven - over 40 organizations tied up in new data trove which will stay up 'indefinitely' | TechRadar
techradar.com
Hacking group puts millions of Zoosk dating profiles up for sale • Graham Cluley
grahamcluley.com
ShinyHunters leak millions of user details | TechRadar
techradar.com
A hacker group is selling more than 73 million user records on the dark web | ZDNET
zdnet.com
‘Shiny Hunters’ bursts onto dark web scene following breaches, Microsoft data theft claims | news | SC Media
scmagazine.com


