In the first half of 2026, a single cybercriminal group has dominated data breach headlines: ShinyHunters. With confirmed breaches at ADT, Medtronic, Carnival Corporation, Instructure (Canvas), and dozens more, ShinyHunters has stolen data on over 400 million people this year alone. If your personal information was caught up in any major 2026 breach, there is a good chance ShinyHunters is behind it. Here is who they are, how they operate, and what you can do to protect yourself.
Who Are ShinyHunters?
ShinyHunters is a black-hat hacking and extortion group that first appeared in May 2020. The name is a Pokémon reference — "shiny hunting" refers to obsessively searching for rare color variants of Pokémon characters. The group operates under a leader known as "ShinyCorp" (also tracked as "sp1d3rhunters" and "shinyc0rp" across Telegram channels) and is believed to be affiliated with "The Com," a large international network of cybercriminals.
From the start, ShinyHunters operated on a "pay or leak" extortion model. After breaching a company, they contact the victim privately with a ransom demand and a deadline. If the company refuses to pay, the stolen data is published on a Tor-hosted leak site or auctioned to the highest bidder on dark web forums.
A Brief History of ShinyHunters Attacks
Before their 2026 rampage, ShinyHunters had already compiled a staggering track record:
- 2020: Breached Tokopedia (91 million accounts), Mathway (25 million users), Wattpad (271 million records), and Microsoft's GitHub account.
- 2021–2023: Continued stealing and selling data from dozens of targets, including AT&T Wireless, Pixlr, and Bonobos, establishing themselves as one of the most active threat groups globally.
- 2024: Breached AT&T Wireless (110 million customers) and Ticketmaster/Live Nation (560 million records). AT&T reportedly paid a $370,000 ransom to have the data deleted.
- 2025: Breached Qantas Airways (5.7 million customers). Four members were arrested by French authorities in June 2025, but leadership remained active.
Arrests have not stopped them
Despite a coordinated international law enforcement operation in June 2025 that arrested four ShinyHunters members in France, the group's leadership remained active and operational. The 2026 campaign appears to be their most aggressive yet.
The 2026 Campaign: Scale and Targets
In 2026, ShinyHunters shifted to an industrial-scale operation, breaching over 40 confirmed organizations in the first five months of the year. Their primary targets include:
- Instructure (Canvas): The largest education-sector breach on record. ShinyHunters hit Canvas twice (April 30 and May 7), exfiltrating 3.65 TB of data across approximately 9,000 universities and K–12 institutions, affecting over 30 million students and staff. Instructure reportedly paid a ransom.
- ADT: The home security company was breached via a vishing attack on an employee's Okta SSO account, exposing 5.5 million customer records including home addresses.
- Medtronic: The world's largest medical device manufacturer confirmed a breach after ShinyHunters claimed 9 million records. The company filed a Form 8-K with the SEC.
- Carnival Corporation: The cruise company disclosed a breach affecting nearly 6 million individuals.
- Charter Communications (Spectrum): Breached via a vishing attack targeting a Microsoft Entra account, compromising Salesforce data.
How ShinyHunters Gets In
ShinyHunters uses three primary attack methods, often in combination:
1. Voice Phishing (Vishing)
The group calls employees and impersonates IT staff, helpdesk personnel, or executives to trick them into revealing their single sign-on (SSO) credentials. The ADT and Charter Communications breaches both began with vishing attacks targeting employees' Okta and Microsoft Entra accounts. With AI-powered voice cloning, these calls are becoming nearly impossible to distinguish from legitimate ones.
2. Cloud and SaaS Misconfigurations
ShinyHunters scans for misconfigured Salesforce Experience Cloud sites, exposed cloud storage buckets, and improperly secured SaaS applications. Once they find an opening, they extract data without needing to breach the target's core infrastructure.
3. OAuth and Supply Chain Attacks
The group targets third-party integrations and OAuth tokens — the authentication mechanisms that allow different software systems to talk to each other. By compromising a single integration point, they gain access to data across multiple connected systems.
No industry is safe
ShinyHunters' 2026 targets span education, healthcare, home security, travel, telecommunications, and financial services. Their attack methods exploit weaknesses that exist in virtually every modern organization.
Skip the manual opt-outs
One opt-out won't stop them — brokers relist your data. PrivacyOn removes your info from 100+ sites and keeps it removed.
Start your free scanWhat Happens to Your Stolen Data
When ShinyHunters steals your data, it follows a predictable path:
- Ransom demand: The victim company is given a deadline to pay. Ransoms are negotiated privately.
- Leak or auction: If the ransom is not paid, data is published on ShinyHunters' Tor leak site or sold on dark web forums.
- Secondary markets: Once leaked, the data is harvested by other criminals for identity theft, phishing campaigns, and fraud.
- Data broker aggregation: Stolen information often ends up aggregated into data broker databases, where it is combined with existing records to create even more detailed profiles.
How to Protect Yourself
You cannot prevent ShinyHunters from attacking companies you do business with. But you can limit the damage when breaches happen:
- Freeze your credit at all three bureaus to block fraudulent new accounts.
- Use unique passwords for every account, managed with a password manager, so one breach does not cascade. See our guide on creating strong passwords.
- Enable two-factor authentication on all important accounts using an authenticator app.
- Monitor for breach exposure at haveibeenpwned.com and through dark web monitoring services.
- Remove your information from data broker sites to limit what criminals can build from leaked records.
- Be skeptical of phone calls — if ShinyHunters can vish their way into ADT and Charter, scammers using the same techniques can target you directly.
What Law Enforcement Is Doing
In June 2025, French authorities arrested four ShinyHunters members as part of a coordinated international operation. The FBI's Internet Crime Complaint Center (IC3) issued a public service announcement in May 2026 specifically about ShinyHunters' attack on Canvas. Despite these efforts, the group's core leadership has continued operating, suggesting that the arrests disrupted but did not dismantle the organization.
Frequently Asked Questions
How do I know if ShinyHunters has my data?
Check haveibeenpwned.com for any breaches linked to your email. Also monitor for breach notification letters from companies you use. ShinyHunters' confirmed 2026 victims include ADT, Medtronic, Carnival, Canvas/Instructure, and Charter Communications, among others.
Should I worry if a company paid the ransom?
Paying a ransom does not guarantee data deletion. Even when ShinyHunters claims to delete stolen data after receiving payment, there is no independent verification that copies are truly destroyed. Treat your data as compromised regardless of whether a ransom was paid.
Stay Ahead of Breach Fallout With PrivacyOn
With ShinyHunters breaching companies at an unprecedented pace, your personal data has likely been exposed in at least one recent incident. PrivacyOn provides continuous monitoring across 100+ data broker sites and the dark web, automatically removing your information wherever it surfaces. With 24/7 monitoring, dark web alerts, and family plans covering up to 5 people, PrivacyOn helps you stay protected even as new breaches continue to unfold.