ShinyHunters Wave 3: One Hacker Exposes over 125 Million Credentials
January 25, 2021 • RBS
UPDATE: ShinyHunters returned in 2021 with a number of new breached database leaks. Starting on January 17th, 2021, the threat actor has leaked 10 new databases including:
The most recent share was on January 20, 2021, and there is no indication that further database leaks will follow.
Millions of sensitive user records are compromised every year, stemming from company breaches to misconfigured databases. However, an alarming number of individuals had their data recently exposed by a single threat actor. This event is truly unique in the significant number of organizations and individuals impacted in a short amount of time, but it’s not the first time for this particular hacker.
On October 10th, 2020, the well-known threat actor “ShinyHunters” shared a database pilfered from meal kit delivery company Home Chef on a popular hacking forum. In the following weeks, sixteen other databases attributed to ShinyHunters were shared on the forum. The impacted organizations ranged from popular gaming sites like Animal Jam to restaurant solutions provider OrderSnapp. Beyond covering diverse industries, the victim organizations span the globe, which means the impacted user base does as well. Individuals from Brazil to Singapore felt the effects of these breaches.
Strikingly, each of these seventeen breached databases was significant in size, ranging from 1.1 million to 46 million user records. All of the databases contained email addresses and some form of password or authentication token, as well as a variety of other personally identifying information such as names, dates of birth, and home addresses.
After a flurry of activity, the last database was leaked on November 13th, 2020. At that point ShinyHunters ceased activity on the forum, concluding their most recent wave of compromised data.
When all was done, a total of 129,406,564 sensitive user records had been leaked in the span of just five weeks.
High-value databases, such as the ones exposed this past fall, are often closely guarded by a small number of threat actors seeking to resell the information or personally exploit the data through various methods. When the data is leaked on hacking forums it reaches a much wider audience, decreasing the black market resale value but simultaneously increasing the risk for affected users.
While the data was only recently made available, the hacks themselves occurred throughout 2020. Adding to the confusion and risk to users is that while some organizations reported the breaches shortly after discovering the data was stolen, other breaches were not known until the data was leaked.
The databases might seem innocuous, such as children’s games and delivery services, but our analysis has found the risk to be formidable. Many users provide their professional or academic email addresses when registering for services, and also often reuse their passwords across platforms. In addition to the exposure of personally identifying information, this leaves users and organizations at risk of spear phishing campaigns, harassment, fraud, or direct compromise if the exposed passwords are also used at work.
To illustrate this point, Risk Based Security researchers analyzed the leaks for email addresses on .edu, .gov, and .mil domains, as well as on a list of domains from the S&P 100 and 25 top IT/Cybersecurity companies. As the recent hack of the US government through the technology company SolarWinds showed, credentials and data related to IT/Cybersecurity companies can prove highly valuable.
Risk Based Security found that a stunning 422,256 unique email addresses from S&P 100 organizations were exposed on the dark web in October and November by ShinyHunters, as well as 14,046 IT/Cybersecurity related emails and more than 150,000 government and military email addresses.
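The kind of triage described above (deduplicating addresses across several dumps, bucketing them by high-value domain, and flagging addresses whose password repeats from one dump to the next) is straightforward to script. The following is an added example, not Risk Based Security's tooling: the dump contents are constructed, the `email:password` line format is an assumption about how such files are typically laid out, and the S&P 100 and IT/security watchlists are stand-in hypothetical domains, since the page does not publish the real lists. It deliberately matches `.edu`/`.gov`/`.mil` on a dot boundary so that a domain such as `notedu.com` is not counted, and it counts unique addresses rather than lines, because the same address routinely appears in more than one leak.

```python
import re
from collections import defaultdict

# Constructed sample dumps (not real leaked data), in the assumed
# "email:password" per-line format, with the noise real files contain:
# mixed case, blank lines, malformed entries, and the same address in
# more than one dump.
SAMPLE_DUMPS = {
    "dump_a": """\
alice@example.edu:Summer2020!
Bob.Smith@contoso-corp.com:hunter2
carol@mail.army.mil:password1
malformed line without separator
dave@state.gov:Qwerty!23

""",
    "dump_b": """\
ALICE@EXAMPLE.EDU:Summer2020!
bob.smith@contoso-corp.com:DifferentPass9
erin@sec-vendor.example:s3cur3
frank@notedu.com:abc123
""",
}

# Hypothetical watchlists standing in for the S&P 100 and IT/security
# company domain lists the article describes (the real lists are not given).
WATCHLISTS = {
    "sp100": {"contoso-corp.com"},
    "itsec": {"sec-vendor.example"},
}
# Top-level domains of interest; matched with the leading dot so that
# "notedu.com" does not count as .edu.
SUFFIXES = {"edu": ".edu", "gov": ".gov", "mil": ".mil"}

# Email up to the first colon; everything after it is the secret, so
# passwords containing colons survive intact.
LINE_RE = re.compile(r"^([^:\s@]+@[^:\s@]+):(.*)$")


def parse_dump(text):
    """Yield (email, secret) for well-formed lines; skip blanks and junk."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            # Addresses are case-insensitive in practice; normalise for dedup.
            yield m.group(1).lower(), m.group(2)


def domain_of(email):
    return email.rsplit("@", 1)[1]


def categorize(domain):
    """Return the set of watch categories a domain falls into (possibly empty)."""
    cats = set()
    for cat, suffix in SUFFIXES.items():
        if domain.endswith(suffix):
            cats.add(cat)
    for cat, domains in WATCHLISTS.items():
        # Exact domain or any subdomain (mail.contoso-corp.com counts).
        if any(domain == d or domain.endswith("." + d) for d in domains):
            cats.add(cat)
    return cats


def analyze(dumps):
    """Return (unique addresses per category, addresses reusing a password across dumps)."""
    seen = defaultdict(list)                      # email -> [(dump, secret)]
    per_cat = {c: set() for c in [*SUFFIXES, *WATCHLISTS]}
    for name, text in dumps.items():
        for email, secret in parse_dump(text):
            seen[email].append((name, secret))
            for cat in categorize(domain_of(email)):
                per_cat[cat].add(email)

    reused = []
    for email, entries in seen.items():
        dumps_by_secret = defaultdict(set)
        for dump, secret in entries:
            dumps_by_secret[secret].add(dump)
        # Same secret for the same address in two different leaks = reuse.
        if any(len(d) > 1 for d in dumps_by_secret.values()):
            reused.append(email)

    counts = {cat: len(emails) for cat, emails in per_cat.items()}
    return counts, sorted(reused)


if __name__ == "__main__":
    counts, reused = analyze(SAMPLE_DUMPS)
    for cat, n in counts.items():
        print(f"{cat:>6}: {n} unique address(es)")
    print("password reused across dumps:", ", ".join(reused) or "none")
```

For a real engagement the watchlists would be loaded from files and the reuse check would be run against an internal directory export or a password-hash comparison rather than plaintext, but the dedup-then-bucket structure is the same.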
An Eventful Year: Tallying the Damage
A majority of these databases have been individually reported on by the media, but the singular reports miss the bigger picture. The latest wave of data leaks caps arguably one of the most impactful hacking sprees by a single threat actor in recent years.
ShinyHunters first rose to prominence in May 2020 by attempting to sell a number of valuable databases on the dark web. Dubbed “stage 1” by the threat actor, they promised more databases in the future. While the dark web marketplace listings caught the attention of the media, ShinyHunters had already begun to leak databases on dark web hacking forums. From April 18, 2020 to May 22, 2020, ShinyHunters leaked 5 databases containing a total of 43,026,000 user records.
Keeping their promise, wave 2 unleashed an even bigger number of exposed credentials. In July 2020, 25 databases attributed to ShinyHunters were leaked on dark web hacking forums containing a whopping total of 386,400,530 user records.
Wave 3 brings the total number of databases shared by ShinyHunters in the span of one year to 47, exposing over 550 million users’ credentials.
What is the True Identity of ShinyHunters and What’s Next?
Some cybersecurity researchers believe ShinyHunters has ties to Gnosticplayers, another infamous hacker who seemed to fade away just before ShinyHunters rose to relevance. However, ShinyHunters have directly denied it. In addition to questions around ties to other actors, researchers are also unsure whether ShinyHunters is a collective of multiple threat actors or one individual working alone.
The recent wave of database releases crowns a year full of database leaks, and it raises the question: what hasn’t been leaked yet?
Some databases have been posted for sale but have not been openly shared yet, like Styleshare. Recent ShinyHunters marketplace listings have not provided names or details, requesting serious buyers only and not providing specifics in order to ensure secrecy of the breach. Considering the pattern of postings, it is likely ShinyHunters possesses additional databases from breaches still unknown to the public.
ShinyHunters will inevitably return in 2021, either under the same name or an alias. All companies can do now is prepare, secure their data, and make sure they won’t be on next year’s list.