Last updated: July 5, 2026 at 9:01 AM UTC
Tag: shinyhunters (42 articles)

ShinyHunters leaks Moody Bible Institute data on 2.3 million students and donors

The extortion group ShinyHunters has published data stolen from Moody Bible Institute, a Chicago-based Christian college, after a "pay or leak" campaign. Have I Been Pwned indexed more than 2.3 million unique email addresses along with names, physical addresses, phone numbers, and dates of birth belonging to students, alumni, donors, and supporters. ShinyHunters claimed a much larger haul spanning enrollment, donor, payroll, and communications systems, and some reporting ties the intrusion to the same ShinyHunters campaign that exploited an Oracle PeopleSoft flaw. Most of the leaked email addresses had already appeared in earlier breaches, raising the risk of credential stuffing and targeted phishing.

Check
People connected to Moody Bible Institute as students, alumni, donors, or staff should watch for a notification, be alert to phishing referencing the school, and check Have I Been Pwned.
Affected
Students, alumni, donors, and supporters of Moody Bible Institute whose contact details and dates of birth were exposed (over 2.3 million emails); the data supports credential stuffing and convincing phishing.
Fix
Affected people should reset any reused passwords, enable multi-factor authentication, and treat school-themed messages with caution. Organizations should secure SaaS and HR platforms, enforce MFA, and harden against social-engineering-driven data theft.

Medtronic notifies customers after ShinyHunters breach of corporate systems

Medical device maker Medtronic has begun notifying customers that their personal data was exposed in a breach of its corporate IT systems earlier this year, an attack claimed by the extortion group ShinyHunters. Medtronic noticed unusual activity in mid-April and its investigation found that an unauthorized actor had access between April 13 and 19. ShinyHunters claimed to hold roughly nine million records containing personal and internal corporate data, and Medtronic did not pay, with its listing later removed from the group's leak site. The company says its products, patient safety, and the networks running its medical devices were not affected, crediting separation between corporate and clinical systems.

Check
People who have dealt with Medtronic as customers, patients, providers, or partners should watch for their notification and stay alert to phishing or fraud that references Medtronic or medical accounts.
Affected
Individuals whose personal data sat in Medtronic's corporate IT systems, accessed between April 13 and 19; ShinyHunters claimed about nine million records, though device networks and patient safety were not affected.
Fix
Affected people should monitor for targeted phishing and identity fraud. Organizations should segment corporate IT from operational and clinical systems, harden SaaS and identity against social engineering, and enforce phishing-resistant MFA.

Nissan employee data stolen through Oracle PeopleSoft zero-day attacks

Nissan has disclosed that current and former employees' data was stolen after attackers exploited a zero-day flaw in Oracle PeopleSoft, the software it uses to manage payroll, tax, and personnel records. In a filing with California's attorney general, Nissan said Oracle informed it that the personnel records of hundreds of companies may have been taken. The attacks, tied to the extortion group ShinyHunters, exploited PeopleSoft vulnerability CVE-2026-35273 as a zero-day between late May and early June, primarily hitting education organizations, before Oracle issued mitigations. ShinyHunters has begun leaking stolen data, with Nissan joining victims that include the University of Nottingham and a US insurance regulator group.

Check
Organizations using Oracle PeopleSoft should confirm the CVE-2026-35273 mitigations are applied and review access logs from late May through early June for signs of the data-theft activity Mandiant documented.
Affected
Nissan's current and former employees whose payroll and personnel records were exposed, and the hundreds of other PeopleSoft-using organizations Oracle says were caught in the same ShinyHunters zero-day campaign (CVE-2026-35273).
Fix
Apply Oracle's PeopleSoft mitigations, rotate exposed credentials, and offer affected employees identity protection. Affected individuals should watch for phishing and fraud using stolen payroll and personnel data, including tax-related identity theft.

ShinyHunters leaks Sysco data with 2.7 million email addresses after extortion

Food distribution giant Sysco was hit by the extortion group ShinyHunters in a "pay or leak" attack, and after the company did not pay, the stolen data was published. Have I Been Pwned has indexed 2,691,852 unique email addresses belonging to staff and customers, alongside what is described as largely corporate contact information. The breach fits ShinyHunters' sweeping 2026 campaign against large enterprises, which has typically relied on social engineering and compromised SaaS integrations rather than software exploits. Exposed business contact data is useful for convincing, targeted phishing aimed at Sysco's staff, customers, and partners.

Check
People and businesses dealing with Sysco should check Have I Been Pwned for affected emails and stay alert to phishing or invoice fraud that references Sysco accounts, orders, or deliveries.
Affected
Sysco staff, customers, and partners whose email addresses and corporate contact details were exposed (2,691,852 indexed); the data supports targeted phishing and business email compromise against the food-distribution supply chain.
Fix
Treat unexpected Sysco-themed emails with caution, verify payment or account changes through known contacts, enable phishing-resistant MFA, and brief staff and partners on the heightened phishing risk from this exposure.

American Tower breach surfaces on Have I Been Pwned with 216,000 accounts

Data from a breach of American Tower, one of the largest wireless communications infrastructure companies, has been indexed by Have I Been Pwned, which added 216,601 affected accounts. The extortion group ShinyHunters is linked to the incident, consistent with its sweeping 2026 campaign that has used social engineering against staff to reach corporate systems and exfiltrate data at major enterprises. American Tower operates critical telecom infrastructure, making any exposure of employee or partner data a concern for follow-on phishing and targeted attacks. Exposed contact details are commonly reused for convincing phishing against affected individuals and the organization.

Check
People connected to American Tower should check Have I Been Pwned for their email and stay alert to phishing referencing the company; the organization should review how the data was accessed.
Affected
Individuals whose data was exposed in the American Tower breach (216,601 accounts indexed); exposed contact information supports targeted phishing against a company operating critical communications infrastructure.
Fix
Reset and avoid reusing affected passwords, enable phishing-resistant MFA, and treat unexpected messages referencing American Tower with caution. Organizations should harden help desks and accounts against social-engineering-driven access.

ShinyHunters leaks Madison Square Garden Sports data on nearly 10 million people

The extortion group ShinyHunters has published data stolen from Madison Square Garden Sports, owner of the New York Knicks and Rangers, after the company did not pay. Have I Been Pwned indexed 9,796,738 unique email addresses spanning staff and customers, alongside extensive personal, employment, and customer-relationship records including names, addresses, phone numbers, and some dates of birth. Reporting on the leak describes an internal "Talent" file profiling former players, executives' family members, and celebrities, in some cases with so-called threat assessments. The intrusion reportedly began with voice-phishing of staff, the same social-engineering pattern behind ShinyHunters' wider 2026 campaign against large enterprises.

Check
People who interacted with Madison Square Garden venues or teams should check Have I Been Pwned for their email and watch for targeted phishing or fraud referencing tickets, accounts, or events.
Affected
Staff and customers of Madison Square Garden Sports whose contact and personal data was exposed (9,796,738 emails); high-profile individuals named in internal files face heightened targeting and impersonation risk.
Fix
Reset and avoid reusing affected account passwords, enable phishing-resistant MFA, and stay alert to convincing phishing. Organizations should harden help desks against voice-phishing with strict caller-identity verification.

Ralph Lauren breach exposes customer data as ShinyHunters extends retail spree

Have I Been Pwned has added 139,903 accounts from a breach of fashion brand Ralph Lauren, which the extortion group ShinyHunters claimed as part of its sweeping 2026 campaign against retail and luxury names. ShinyHunters says it took around 220 GB of data, including customer personal information, purchase histories, and financial transaction details, along with unreleased product and strategy plans. The group typically breaks in not through a brand's core systems but via connected platforms like Salesforce or customer-service tools. Exposed purchase and contact data is prime material for convincing phishing and fraud aimed at the retailer's customers.

Check
Ralph Lauren customers should check Have I Been Pwned for their email, watch for phishing or fraudulent charges referencing orders or accounts, and review payment statements for unauthorized activity.
Affected
Ralph Lauren customers whose personal, purchase, and transaction data was exposed (139,903 accounts confirmed); the breach is part of a broader ShinyHunters wave hitting retail and luxury brands through connected platforms.
Fix
Reset and stop reusing any Ralph Lauren account passwords, enable MFA, stay alert to order- and refund-themed phishing, and consider monitoring payment cards used with the retailer for fraud.

JCPenney breach exposes Social Security numbers and tax records of 368,000

Have I Been Pwned has added 368,418 accounts from a breach of JCPenney, after the extortion group ShinyHunters claimed in mid-June it stole data from the retailer and several sister brands under Catalyst Brands and Authentic Brands Group. ShinyHunters says the haul includes highly sensitive employee and customer data: Social Security numbers, dates of birth, W-2 tax forms, payroll records, and scans of government-issued IDs. Unlike passwords, these identifiers cannot simply be reset, raising long-term identity-theft and tax-fraud risk. JCPenney has not confirmed the full scope, and the group has not published samples, but the data types make this a serious exposure.

Check
Current and former JCPenney and Catalyst Brands staff and customers should check Have I Been Pwned, watch for tax, payroll, and identity-themed phishing, and monitor for fraudulent tax filings or new-account activity.
Affected
JCPenney employees and customers, plus those tied to sister brands like Aeropostale, Brooks Brothers, Lucky Brand, and Nautica; exposed Social Security numbers, W-2s, and ID scans carry lasting fraud risk.
Fix
Consider a credit freeze and fraud alert, file taxes early to pre-empt fraudulent returns, reset any reused JCPenney passwords, enable MFA, and treat tax or payroll messages referencing the breach with caution.

Kodak confirms breach as ShinyHunters claims 2.2 million stolen records

Eastman Kodak has confirmed that an unauthorized third party gained temporary access to a limited amount of company data, after the extortion group ShinyHunters listed the firm on its dark-web leak site. ShinyHunters claims it stole more than 2.2 million records containing customer personal information and internal corporate data, and set a leak deadline of June 18, though it has released no proof and Kodak has not verified the figure. Kodak, now mainly a B2B manufacturing and technology company, says it engaged outside experts and law enforcement and sees no threat to operations. The breach fits ShinyHunters' prolific 2026 data-theft campaign.

Check
Kodak's business customers and partners should watch for targeted phishing and business email compromise referencing Kodak dealings, and verify any unexpected payment or account-change requests through known contacts.
Affected
Kodak customers and partners whose personal or corporate data may sit in the stolen records; ShinyHunters claims 2.2 million records, a figure Kodak has not confirmed and the group has not substantiated.
Fix
Watch for fraud and phishing tied to the breach, reset and stop reusing any Kodak-related credentials, and enable phishing-resistant MFA. Organizations should harden help-desk verification against social-engineering-driven data theft.

HIBP confirms 248,000 accounts from ShinyHunters breach of advisory firm CFGI

Have I Been Pwned has added 248,235 accounts from the March breach of CFGI, a US accounting and financial-advisory firm that works closely with corporate finance teams at mid-market and Fortune 500 companies. The extortion group ShinyHunters claimed the intrusion, posting hundreds of thousands of records including names, emails, phone numbers, and home addresses, along with internal corporate documents and identity-system metadata. Because CFGI sits inside its clients' finance functions, the stolen contact and relationship data is unusually useful for convincing business email compromise and client-impersonation scams aimed at authorizing fraudulent payments.

Check
If you work with or for CFGI, check Have I Been Pwned for your email and watch for finance-themed phishing, fake wire instructions, or audit-document requests referencing CFGI.
Affected
CFGI employees, clients, and contacts whose personal and corporate data was exposed (248,235 accounts confirmed); the firm's finance-function clients face elevated business email compromise risk.
Fix
Reset and stop reusing CFGI-related credentials, enable phishing-resistant MFA, and verify any unexpected payment, wire, or account-change request through a known, pre-established voice channel rather than email links.