Data breaches have become an all too common threat in recent years, exposing personal information through attacks on companies and institutions. Some of these assaults are the result of sophisticated nation-state espionage operations, while others are fueled by online criminals hoping to sell the stolen data. Over the first two weeks of May, a hacking group called ShinyHunters has been on a rampage, hawking what it claims is close to 200 million stolen records from at least 13 companies.
Such binges aren’t unprecedented in the dark web stolen data economy, but they’re a crucial driver of identity theft and fraud. Without new breaches, user details that are already in circulation—like account login credentials, names, addresses, phone numbers, and credit card data—simply get repackaged again and again and passed around criminal forums at lower cost. Fresh data is like gold. But while ShinyHunters came on strong in early May, dropping trove after trove of freshly stolen data, the group now seems to have gone quiet.
“What’s interesting about this is how this group appeared out of nowhere and had all this new data for sale,” says Vinny Troia, CEO of the IT security firm Night Lion Security who has been tracking ShinyHunters. “I always find that as an immediate flag. Nobody just drops into the scene with all this stuff. So that’s why I don’t believe Shiny is a new player to this market.”
On May 1, ShinyHunters emerged with a sample of 15 million customer data records stolen from the Indonesian ecommerce site Tokopedia. Two days later the hackers started selling what it claimed was the full trove of 91 million Tokopedia user accounts on the popular dark web marketplace Empire. On the same day, the group also began selling a trove of almost 22 million user accounts grabbed from the Indian education platform Unacademy. Both companies have confirmed the breaches, though Unacademy says the number of affected users is 11 million.
The two data dumps contained passwords, but they are hashed and difficult to crack. The troves also contain information like usernames, email addresses, full names, account creation date, last login, plus phone numbers, and dates of birth in the case of Tokopedia.
ShinyHunters then claimed on May 6 to have stolen over 500 GB of Microsoft source code from the company’s private GitHub account. The group circulated one gigabyte of the data that appeared legitimate, but researchers later concluded that the materials were largely sample projects and code snippets that were intended for publication anyway. “We’re aware of these claims and are investigating,” Microsoft told WIRED in a statement. “Should we identify any directly impacted customers, we will contact them via established channels.”
After generating buzz from these early disclosures, ShinyHunters went on a tear over the following week, stating that it had data from 10 more sites, including dating app Zoosk, meal kit company Home Chef, design-focused marketplace Minted, Minnesota’s Star Tribune newspaper, health and wellness site Mindful, photo printing service Chatbooks, and the web publication Chronicle of Higher Education. Not all of the companies have acknowledged ShinyHunters’ claims, but more and more have gone public over the last two weeks with confirmations.
On Wednesday, Home Chef said in a statement, “We recently learned of a data security incident impacting select customer information. Based on the information known to date, the following information was impacted in the incident: Email address, name, and phone number. Encrypted passwords. The last four digits of credit card numbers. Other account information such as frequency of deliveries and mailing address may also have been compromised.”
Chatbooks put out a similar statement last week. “We found that the breach occurred on March 26, 2020, and that the stolen information appears to consist primarily of Chatbooks login credentials, including names, email addresses, and individually salted and hashed passwords,” the company said. “Additionally, for a small portion of the affected records, some phone numbers, FacebookIDs, and inactive social media access and merchant tokens were also stolen. No payment or credit card information was compromised in any way.”