Advisory June 4, 2024

ShinyHunters Data Breach activity increase

The Obrela TI Team

ShinyHunters is a notorious hacking group that has been involved in several high-profile data breaches.

They have orchestrated attacks that resulted to breaches against several organizations, with the most recent targets being Santander and Ticketmaster.

Mode of Operations:

ShinyHunters primarily target legitimate credentials, mainly for a company’s cloud services.

They seek access to database infrastructure, and they prefer OAuth credentials as they allow bypassing two-factor authentication. They steal them from GitHub repositories or targeting DevOps or from previous hacks or sold leaked credentials.

They also target the source code trying to find vulnerabilities to use in more complex third-party or supply chain attacks.

Some of the group’s notable attacks include breaching Microsoft’s GitHub account, Bonobos and others. They’ve also claimed responsibility for incidents in booking websites, sports media and mobile travel platforms.

Data Breaches:

ShinyHunters which is quite prolific in data leakages, claimed responsibility for breaching Santander, Spain’s largest bank. The stolen Santander data reportedly includes 28 million credit card numbers, 6 million account numbers and balances and Staff HR details. The group offered this data for sale on the dark web, seeking $2 million12.

The group also claimed responsibility for the Ticketmaster data breach. The compromised Ticketmaster data allegedly includes full names, addresses, phone numbers, partial credit card numbers for 560 million customers. The group was selling the data for $500,000.

The only common field between the two organizations until now seems to be the cloud storage provider Snowflake.

The threat actor claims they stole data after hacking into an employee’s account at Snowflake. Snowflake denies the claim and puts the blame on poorly secured customer accounts. However, they acknowledged the incidents.

Researchers suspect that the attacks were due to poor credentials.

Snowflake has released an advisory including some IPs that they investigate for suspicious activities.


To prepare for a potential attack please make sure you follow the below measures:

  • Organizations who utilize Snowflake should proactively:
    • Reset active accounts credentials.
    • Disable non-active accounts.
    • Enable Multi-Factor Authentication (MFA).
    • Review user activity.
  • They should also follow awareness programs to ensure they avoid the below:
    • Financial fraud and account takeovers caused by compromised customer data.
    • Business email compromise (BEC) scams exploiting compromised data.

Advisory alert shield