ShinyHunters

ShinyHunters is a black-hat criminal hacker and extortion group that is believed to have formed in 2019 and is said to have been involved in a significant number of data breaches. The group has built a strong reputation for "pay or leak": it typically extorts the company it has hacked, and if the company does not pay the ransom, the stolen information is very often leaked or sold on the dark web.

The name of the group is believed to be derived from Shiny Pokémon, an aspect of the Pokémon video game franchise where Pokémon have a rare chance of being encountered in an alternate, "shiny" color scheme; players who actively try to collect such Pokémon through in-game strategies are often referred to as "shiny hunters".

In 2024, the ShinyHunters cybercriminal group claimed to have hacked Snowflake-related customers including Ticketmaster, Santander Bank, Neiman Marcus, and many others. The group was also responsible for publishing data stolen from Twilio and Truist Bank.

In 2026, according to BleepingComputer, citing numerous sources, the ShinyHunters hacking group carried out another widespread data theft from Snowflake-related customers through the third-party integrator Anodot. Snowflake, Inc. confirmed the incident and is actively notifying potentially impacted customers. ShinyHunters is subsequently extorting "over a dozen" affected companies in return for not publishing the data. Google's Threat Intelligence Group (Mandiant) confirmed that it is tracking the case.

On June 4, 2025, ShinyHunters was tied to a widespread data-theft campaign targeting Salesforce cloud customers, which Google's Threat Intelligence team tracked as UNC6040. The cybercriminal group, working in conjunction with Scattered Spider (now believed to be the same group) and Lapsus$ (also now believed to be the same group, or a part of it), impersonated IT support staff and used voice phishing (vishing) calls to trick employees into installing a malicious version of Salesforce's Data Loader tool. This allowed them to access and extract sensitive customer data by abusing OAuth to bypass traditional authentication methods. Following the successful intrusions, Google's Threat Intelligence team notes that the victims receive an extortion or ransom email from the ShinyHunters cybercriminal group, which is also tracked as UNC6240.

This sophisticated social engineering approach led to confirmed data breaches at major companies including Google, Cisco, Adidas, Qantas, Allianz Life, Farmers Insurance Group, Workday, Pandora, Chanel, TransUnion, and LVMH subsidiaries including, but not limited to, Dior, Louis Vuitton, and Tiffany & Co. It is believed that many more victims have been impacted by this campaign; public disclosures are still pending.

Shortly after, on August 28, 2025, another campaign tracked by Google Threat Intelligence (formerly Mandiant) as UNC6395 used OAuth/refresh tokens stolen from Salesloft's Drift integration to access numerous Salesforce customer orgs between August 8–18, 2025, systematically exporting CRM data and hunting for credentials (e.g., AWS access keys, passwords, Snowflake tokens). Google told reporters it was aware of over 700 potentially impacted organizations. Public disclosures tied to this campaign include Cloudflare, Workiva, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Rubrik, Cato Networks, and Palo Alto Networks, each confirming unauthorized access to data in their Salesforce environments following the Salesloft/Drift compromise. The ShinyHunters cybercriminal group claimed responsibility to the press.

On September 17, 2025, BleepingComputer was able to confirm that ShinyHunters was behind the UNC6395 campaign, the biggest SaaS compromise in history. ShinyHunters told BleepingComputer that the threat actors used the TruffleHog security tool to scan source code for secrets, which turned up OAuth tokens for the Salesloft Drift and Drift Email platforms. ShinyHunters further told BleepingComputer that, using these stolen Drift OAuth tokens, the threat actors stole approximately 1.5 billion data records from 760 companies, drawn from the "Account", "Contact", "Case", "Opportunity", and "User" Salesforce object tables.
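As an added defender-side example (not code from the page, Google, or Salesforce), the following Python flags an OAuth connected app that pulls large volumes from several of the Salesforce objects named above inside a short window, the pattern that distinguishes a token-driven bulk export from routine integration traffic. The event format, client names and row counts are constructed for the example; Salesforce's real event log schema differs.

```python
# Added example (not from the page): flag an OAuth client that bulk-exports
# several sensitive Salesforce objects within a short time window.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified export-event records (NOT Salesforce's real
# EventLogFile schema). Fields: timestamp, oauth_client, object, rows_exported.
SAMPLE_EVENTS = """\
2025-08-09T02:14:05Z conn-app-1 Account 418233
2025-08-09T02:16:41Z conn-app-1 Contact 1205112
2025-08-09T02:19:02Z conn-app-1 Case 88214
2025-08-09T02:21:30Z conn-app-1 Opportunity 51034
2025-08-09T02:23:10Z conn-app-1 User 2981
2025-08-09T09:00:00Z conn-app-2 Opportunity 120
2025-08-09T13:30:00Z conn-app-2 Account 35
"""

# The object tables named in the UNC6395 reporting on this page.
SENSITIVE_OBJECTS = {"Account", "Contact", "Case", "Opportunity", "User"}


def parse_events(text):
    """Parse the constructed log lines into (timestamp, client, object, rows) tuples."""
    events = []
    for line in text.splitlines():
        ts, client, obj, rows = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, obj, int(rows)))
    return events


def flag_bulk_exports(events, window=timedelta(hours=1), min_objects=3, min_rows=1000):
    """Return {client: set(objects)} for each client that exported at least
    `min_rows` rows from `min_objects` distinct sensitive objects within `window`."""
    by_client = defaultdict(list)
    for ts, client, obj, rows in events:
        if obj in SENSITIVE_OBJECTS and rows >= min_rows:
            by_client[client].append((ts, obj))
    flagged = {}
    for client, hits in by_client.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # slide the window over each start point
            objs = {obj for ts, obj in hits[i:] if ts - start <= window}
            if len(objs) >= min_objects:
                flagged[client] = objs
                break
    return flagged


if __name__ == "__main__":
    print(flag_bulk_exports(parse_events(SAMPLE_EVENTS)))
```

Thresholds are deliberately simple; in practice they would be tuned per org against the baseline volume of each legitimate integration.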
