ShinyHunters DLS Leaked: Hackers Publish 48GB of Stolen Data from PeopleSoft Victims
ShinyHunters’ Data Leak Tactics Exposed: What Organizations Need to Know
ShinyHunters, a cybercriminal group active since at least 2019, has been leveraging sophisticated techniques to compromise organizations, with recent analysis revealing a 48GB data breach from a single victim. According to Mandiant, attackers used a bash script to map PeopleSoft configurations and establish an outbound SSH connection to the ShinyHunters data leak site (DLS) hosted at IP 176.120.22.24.
Reconnaissance and Data Exfiltration Methods
The attackers conducted detailed reconnaissance, including analyzing WebLogic server XML configurations and PeopleSoft process schedulers. The stolen data was compressed using the zstd tool before being uploaded to the DLS. Mandiant’s analysis of the bash script in the staging environment highlights the group’s methodical approach to identifying and exploiting vulnerabilities.
“While several organizations successfully blocked the activity or remediated the vulnerabilities, others experienced compromise, resulting in stolen data being published on the ShinyHunters DLS,” Mandiant reported. The DLS claimed to have recovered 48GB of data from one victim, underscoring the scale of the breach.
Notable Victims and Impact
ShinyHunters has targeted major corporations, including Ticketmaster (via a Snowflake breach), Spain’s Santander bank, and Salesforce (which exposed Google’s data). These incidents highlight the group’s ability to exploit supply chains and cloud misconfigurations. For example, the 2025 Salesforce breach reportedly affected “many other companies,” according to BleepingComputer.

The group’s tactics include exploiting zero-day vulnerabilities, stealing OAuth tokens, and conducting voice phishing attacks. Rapid7 has documented active exploitation of Oracle PeopleSoft’s CVE-2026-35273, emphasizing the urgency for affected organizations to act.
Why ShinyHunters’ Attacks Matter Now
Comparing ShinyHunters to Past Breaches
ShinyHunters’ 48GB data leak pales in comparison to the 2021 SolarWinds breach, which compromised 18,000 organizations. However, its focus on cloud and software vulnerabilities aligns with trends seen in recent attacks. Unlike SolarWinds, which relied on a supply chain compromise, ShinyHunters relies on misconfigured cloud environments, reflecting a shift toward easier entry points for attackers.
The Role of Cloud Misconfigurations
Cloud misconfigurations remain a critical vulnerability. ShinyHunters’ ability to exploit these issues underscores the need for continuous monitoring. Mandiant advises PeopleSoft users to review their configurations and apply patches immediately. “All PeopleSoft users would do well to heed the calls,” the report states.
Mitigation Strategies for Organizations
Immediate Steps to Prevent Compromise
Organizations should prioritize the following actions:
- Review and secure cloud configurations
- Update software to address known vulnerabilities, such as CVE-2026-35273
- Monitor for unauthorized SSH connections to suspicious IP addresses
Mandiant and Rapid7 provide detailed indicators of compromise (IOCs) for threat hunters.
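The exfiltration path described above (an outbound SSH connection from the PeopleSoft tier to the DLS) and the advice to monitor for unauthorized SSH connections both come down to the same hunt. The following is an added example, not code from the article or from Mandiant’s or Rapid7’s reports: it runs over constructed firewall-style log lines and flags outbound TCP/22 flows from internal hosts that either hit the DLS IP quoted in the article (176.120.22.24) or go to any destination not on an allowlist. The log line format, the allowlist, the internal address ranges and the sample events are all assumptions made for the example.

```python
"""Hunt for unauthorized outbound SSH from application hosts.

Added example; everything except the DLS IP quoted in the article is
constructed for illustration.
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicator quoted in the article (the ShinyHunters DLS).
KNOWN_DLS_IPS = {"176.120.22.24"}

# Hypothetical allowlist: the only external hosts the app tier may SSH to.
SSH_ALLOWLIST = {"203.0.113.50"}

# Hypothetical internal ranges used to decide what counts as "outbound".
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed firewall log shape, one event per line (constructed):
#   <ts> action=<A> proto=<P> src=<ip>:<port> dst=<ip>:<port> bytes=<n>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>\w+) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) bytes=(?P<bytes>\d+)$"
)


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    bytes_out: int
    reason: str


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def hunt_outbound_ssh(lines):
    """Return one Alert per suspicious internal-to-external SSH flow."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unrelated or malformed line; skip rather than crash
        f = m.groupdict()
        if f["proto"] != "TCP" or int(f["dport"]) != 22:
            continue  # only SSH is in scope for this hunt
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue  # not an outbound flow from the internal estate
        if f["dst"] in KNOWN_DLS_IPS:
            reason = "destination matches published ShinyHunters DLS IP"
        elif f["dst"] not in SSH_ALLOWLIST:
            reason = "outbound SSH to non-allowlisted host"
        else:
            continue  # allowlisted partner host; nothing to report
        alerts.append(Alert(f["ts"], f["src"], f["dst"], int(f["bytes"]), reason))
    return alerts


# Constructed sample: an allowlisted flow, a non-SSH flow, a hit on the IoC
# (byte count chosen to match the 48GB cited in the article), and an SSH
# flow to an unknown external host.
SAMPLE_LOG = [
    "2025-01-01T10:00:00Z action=ALLOW proto=TCP src=10.0.7.21:51234 dst=203.0.113.50:22 bytes=4096",
    "2025-01-01T10:00:05Z action=ALLOW proto=TCP src=10.0.7.21:51240 dst=203.0.113.9:443 bytes=1200",
    "2025-01-01T10:02:11Z action=ALLOW proto=TCP src=10.0.7.21:51250 dst=176.120.22.24:22 bytes=51539607552",
    "2025-01-01T10:03:00Z action=ALLOW proto=TCP src=10.0.7.22:51301 dst=198.51.100.7:22 bytes=8192",
]

if __name__ == "__main__":
    for a in hunt_outbound_ssh(SAMPLE_LOG):
        print(f"{a.ts} {a.src} -> {a.dst} ({a.bytes_out} bytes): {a.reason}")
```

The allowlist check matters more than the single IoC: a leak-site address changes easily, whereas an application server that starts speaking SSH to an unfamiliar external host is anomalous regardless of which host it is. In a real deployment the byte counts on matching flows are worth keeping in the alert, since a single session carrying tens of gigabytes is the signature of bulk exfiltration rather than administration.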
Long-Term Security Overhaul
Investing in zero-trust architectures and employee training on social engineering tactics can reduce risks. ShinyHunters’ use of voice phishing and OAuth token theft highlights the need for multi-factor authentication (MFA) and regular security audits.
Frequently Asked Questions
What is ShinyHunters?
ShinyHunters is a cybercriminal group that has targeted major companies since 2019, using methods like cloud misconfigurations and supply chain attacks to steal data.

How did ShinyHunters steal 48GB of data?
Attackers used a bash script to map configurations, compressed data with zstd, and exfiltrated it via an SSH connection to the ShinyHunters DLS at IP 176.120.22.24.
Which companies have been affected?
Victims include Ticketmaster, Santander, Salesforce, and Google, with the latter’s data exposed through a Salesforce breach.