ShinyHunters is a threat actor group that became prominent in 2020 with their purported data theft of 200+ million records stolen from 13 companies. In early May, ShinyHunters proclaimed credit for stealing over 90 million customer data records from Tokopedia. Tokopedia is an Indonesian e-commerce site. During the same period, ShinyHunters claimed the theft of over 10 million user accounts stolen from the Indian education platform Unacademy.
Later that same month, ShinyHunters further proclaimed the exfiltration and theft of hundreds of gigabytes of Microsoft source code from their private GitHub account. However, this attack remained an unverified and potentially bogus claim. The threat group circulated a small amount of the data to prove their claims, but Microsoft indicated that these data came from sample projects and code snippets for release.
ShinyHunters continued their announcements and, later in May, claimed the compromise of over ten more sites. These include Minted, Minnesota’s Star Tribune newspaper, Chatbooks, Mindful, Home Chef, and the dating Zoosk.
Later in January 2021, ShinyHunters published 1.9 million records that were exfiltrated and stolen from the photo editing service Pixlr. The stolen data was linked to a hacking forum and included emails, user login names, country of origin, and other sensitive information. Threat researchers believe the breach was accomplished by compromising an unsecured Amazon Web Services Inc. S3 bucket, although this was never confirmed. Indeed, not the first time, nor the last, that compromise of an unsecured S3 bucket resulted in a compromise and data breach.
Later in July 2021, ShinyHunters hit the financial service provider Dave Inc. This attack was achieved by branching the GIT analytics platform provider Waydev, Inc. Cybersecurity researchers have also identified stolen data on the same hacking forum in other locations exfiltrated from Bonobos.com. Wognai.com, Tesspring.com. Tunedglobal.com. Buyucoin.com. Wappalyzer.com. Chqbook.com. Rooter.io., and MeetMindful.com.
ShinyHunter starts by identifying companies that are using Microsoft Office 365. Next, they look for companies that store GitHub open authorization tokens. Once identified, ShinyHunters work to identify research and development employees within the same organization. These credentials can be used in additional targeted attacks on the same entities. ShinyHunters also searches the GitHub repository code for further vulnerabilities. These can then be used, in turn, for supply chain attacks with potentially disastrous results.
Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.
Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels across many industries and from around the world.
Get started with Bugcrowd
Hackers aren’t waiting, so why should you? See how Bugcrowd can quickly improve your security posture.