A cybercrime group known as ShinyHunters has launched a website threatening to publish data stolen from dozens of Fortune 500 firms unless they pay a ransom. The group claimed responsibility for a recent breach involving Discord user data and for stealing terabytes of sensitive files from thousands of Red Hat customers.
What Happened
In May 2025, ShinyHunters launched a social engineering campaign using voice phishing to trick targets into connecting a malicious app to their organization's Salesforce portal. The first real details about the incident came in early June when the Google Threat Intelligence Group (GTIG) warned that ShinyHunters was extorting victims over their stolen Salesforce data and planned to launch a data leak site to shame victim companies into paying a ransom.
A month later, Google acknowledged that one of its own corporate Salesforce instances was impacted in the voice phishing campaign. Last week, a new victim shaming blog dubbed "Scattered LAPSUS$ Hunters" began publishing the names of companies that had customer Salesforce data stolen as a result of the May voice phishing campaign.
Background and Context
ShinyHunters is an English-speaking cybercrime group known for its prolific and amorphous nature. The group has been tracked by Google as UNC6040, and its activities have been linked to other hacking groups such as Scattered Spider and LAPSUS$. These groups operate on the Com, a mostly English-language cybercriminal community that spans Telegram and Discord servers.
The Scattered LAPSUS$ Hunters victim shaming and extortion blog announced that the group was responsible for a breach in September involving a GitLab server used by Red Hat. The compromised instance housed consulting engagement data, which may include project specifications, internal communications, and business contact information.
Why It Matters to the Industry
The ShinyHunters extortion spree highlights the growing threat of corporate extortion attacks in the adult industry. These types of attacks can compromise sensitive customer data, disrupt business operations, and damage reputations. The use of voice phishing and social engineering tactics makes it challenging for companies to defend against these attacks.
Moreover, the involvement of multiple hacking groups and their operation within the Com suggest a sophisticated and coordinated effort. This raises concerns about the potential for further attacks and the need for industry-wide collaboration to address this threat.
What Comes Next
The Scattered LAPSUS$ Hunters website claims that it will publish data stolen from Salesforce and its customers if ransom demands are not met by October 10. The group also threatens to extort hundreds more organizations that lost data in August after a cybercrime group stole authentication tokens from Salesloft.
Salesforce has emphasized that the theft of third-party Salesloft data did not originate from a vulnerability within the core Salesforce platform and has no plans to meet extortion demands. The company will focus on defending its environment, conducting forensic analysis, supporting customers, and working with law enforcement and regulatory authorities.
Key Facts
- ShinyHunters launched a social engineering campaign using voice phishing in May 2025 to trick targets into connecting a malicious app to their organization's Salesforce portal.
- The group claimed responsibility for a recent breach involving Discord user data and for stealing terabytes of sensitive files from thousands of Red Hat customers.
- ShinyHunters is tracked by Google as UNC6040, and its activities have been linked to other hacking groups such as Scattered Spider and LAPSUS$.
- The Scattered LAPSUS$ Hunters victim shaming and extortion blog announced that the group was responsible for a breach in September involving a GitLab server used by Red Hat.
- Salesforce has no plans to meet extortion demands from ShinyHunters and will focus on defending its environment, conducting forensic analysis, supporting customers, and working with law enforcement and regulatory authorities.