Breach, Threat Management, Data Security

‘Shiny Hunters’ bursts onto dark web scene following breaches, Microsoft data theft claims


A malicious actor known as Shiny Hunters has emerged as a serious dark web player following a spate of high-profile breaches, and now the hacker or hackers is claiming to have stolen data from Microsoft's private GitHub repositories and is threatening to release the code for free.

According to researchers from ZeroFOX Alpha Team, Shiny Hunters is behind the recently reported breaches of Indonesian e-commerce giant Tokopedia and Indian e-learning platform Unacademy, as well as three new breaches affecting meal kit delivery service Home Chef, online printing and photo store Chatbooks and college-oriented news site

For this reason, ZeroFOX has likened Shiny Hunters to gnosticplayers, another prominent hacker or hacking group known for selling stolen data on the dark web from dozens of companies in 2018 and 2019.

"Due to the verification of the Tokopedia breach by multiple researchers and the company itself, ZeroFOX Alpha Team has high confidence that these new breaches are legitimate, and will most likely be available on other breach marketplaces at lower prices in the near future," ZeroFOX stated in a blog post. "It is likely that this actor will continue to breach companies and post their content for sale. These tactics proved both successful and profitable for gnosticplayers, and it is likely they will continue to appeal to other breach brokers for these reasons.

BleepingComputer has separately reported that it was contacted by Shiny Hunters, who said they stole over 500GB of data from Microsoft's repositories with the original intention of selling it, but now instead may publicly leak the records for free.

Although the actor posted a sampling of records on a hacker forum, BleepingComputer reported that some forum members doubted the veracity of certain claims. A directory listing and samples sent to BleepingComputer reportedly revealed mostly code samples, test projects, and generic items, but nothing especially worrisome such as source code.

"We're aware of these claims and are investigating," said a Microsoft spokesperson.

Earlier this month, it was reported that a hacker was selling roughly 91 million user records stolen from Tokopedia, in a massive breach. And just today, it was reported that an actor was selling the account information of about 22 million users of Unacademy. ZeroFox has now linked that activity to three more breaches, which collectively impact the user data of 26 million accounts. This latest intelligence is based on breach dumps that ZeroFOX has found for sale on a dark web forum.

The HomeChef breach affects approximately 8 million records, a sample set of which was posted to a paste website. The records are selling for $2,500, and impacted information includes email addresses, by crypt passwords, IP addresses, partial SSNs, zip codes and phone numbers.

The stolen Chatbooks information involves 15 million rows of data and is selling on the dark web for $2,000. A sample posted on a paste website reveals email addresses, SHA-512 password hashes, social media access tokens and various PII.

The breach contains roughly 3 million records, which are collectively selling for $1,500, ZeroFOX said.

SC Media has reached out to Home Chef, Chatbooks and for comment.

On Friday, May 9, Chatbooks confirmed its breach, alerting its users with a statement on its website and app. "We are currently working with a digital security and forensics firm to assess the extent of this data security breach," the statement says. "In our review, we found that the breach occurred on March 26, 2020, and that the stolen information appears to consist primarily of Chatbooks login credentials, including names, email addresses and individually salted and hashed passwords. Additionally, for a small portion of the affected records, some phone numbers, FacebookIDs and inactive social media access and merchant tokens were also stolen."

"No payment or credit card information was compromised in any way -- we do not store payment and credit card information in our database. And we currently have no evidence to suggest that any other personal information or photos were stolen," the Chatbooks statement continues.

On Saturday, May 9, a spokesperson with The Chronicle of Higher Education confirmed to SC Media that the news site is "aware of a recent report that some of its records are being sold online by unauthorized parties. The Chronicle has launched an investigation with the assistance of a leading cyber security firm. The Chronicle takes this matter very seriously and assures its users that it is working to swiftly address this matter."

On Wednesday, May 20, Home Chef publicly acknowledged its breach, offering scant details. The meal service confirmed that it “recently learned of a data security incident impacting select customer information” and encouraged customers to change their passwords.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.