Nearly 200,000 Zara customers were exposed in a third-party breach linked to ShinyHunters, revealing emails, purchase history, and support data.

Personal data belonging to nearly 197,000 Zara customers has been compromised following a cyberattack on a former technology provider used by Inditex, the Spanish fashion giant behind some of the world’s most recognized retail brands including Bershka, Pull&Bear, and Massimo Dutti.

The breach came to light last month when Inditex confirmed unauthorized access to databases hosted by a third-party vendor. The company was careful to limit the alarm: the compromised databases did not contain names, passwords, payment details, addresses, or phone numbers.

“Inditex has immediately applied its security protocols and has started notifying the relevant authorities of this unauthorized access, that stems from a security incident that affected a former technology provider and has impacted several companies operating internationally,” reads a statement by Inditex.

“Operations and systems haven’t been affected and customers can continue to access and use its services safely,”

What was exposed, however, tells a different story about the scale of the incident.

The data breach notification service Have I Been Pwned analyzed the stolen dataset and confirmed that 197,400 unique email addresses were among the compromised records, alongside order IDs, product SKUs, geographic locations, purchase history, and customer support tickets, enough to paint a detailed picture of individual shopping habits and interactions with the brand.

“In April 2026, the fashion brand Zara was among a number of organisations targeted by the ShinyHunters extortion group as part of their “pay or leak” campaign. The group claimed the breach was related to a compromise of the Anodot analytics platform and subsequently published a terabyte of data allegedly including 95M support ticket records.” reads the alert by HIBP. “The data contained 197k unique email addresses alongside product SKUs, order IDs and the market the support ticket originated in. Zara’s parent company Inditex advised that the incident didn’t affect passwords or payment information.”

The extortion group ShinyHunters claimed the attack and the theft of a 140GB archive from BigQuery instances by exploiting compromised Anodot authentication tokens, the same technique they have used against dozens of other companies.

“Your Bigquery instances data was compromised thanks to Anodot.com.” the cybercrime group wrote on its Tor data leak site. “The company failed to reach an agreement with us despite our incredible patience, all the chances”

ShinyHunters has previously claimed breaches at Google, Cisco, Vimeo, Rockstar Games, Instructure, and the European Commission.

The Anodot vector is significant. ShinyHunters has told journalists that stolen Anodot tokens gave them access to analytics infrastructure across multiple large organizations simultaneously, a single point of failure that cascaded into dozens of separate breaches. The gang has also run coordinated vishing campaigns targeting employees’ SSO accounts at Microsoft Entra, Okta, and Google to move laterally into connected SaaS environments.

Inditex has not yet named the compromised provider or attributed the attack to a specific threat actor, despite ShinyHunters having publicly claimed it and released data as proof.

Zara is the flagship fashion brand of Inditex, one of the world’s largest apparel groups. Inditex reported revenue of about €38.6 billion in fiscal 2025 and employs roughly 160,000 people worldwide. Zara operates in more than 90 countries through thousands of stores and online platforms, making it one of the most globally recognized fast-fashion retailers.

Rival retailer Mango disclosed its own data breach last October, after a marketing vendor was hacked and customer data used in promotional campaigns was exposed. In that case, no extortion group has come forward, and the attackers remain unidentified.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

ShinyHunters-linked attackers defaced Canvas portals, disrupting finals week access and exposing SaaS security risks for schools.

The post ShinyHunters Extorts Universities in New Instructure Canvas Hack appeared first on TechRepublic.

Days after confirming a major data breach, Instructure is now facing a second blow.

Earlier this week, Instructure confirmed a major data breach affecting its cloud‑hosted Canvas environment, with the ShinyHunters group claiming it stole hundreds of millions of records tied to thousands of schools and universities worldwide. As discussed in our earlier blog, that incident involved data such as student and staff records, enrollment details, and private messages allegedly accessed through Canvas export features and APIs. At that stage, the focus was on large‑scale data theft and the long‑term risks for affected students and families, including identity fraud and highly targeted phishing.

According to new reporting, ShinyHunters has now hit Instructure again, this time moving from quiet data theft to very visible extortion. Using another vulnerability in Instructure’s systems, the attackers were able to modify Canvas login portals for hundreds of educational institutions, defacing both web logins and the Canvas app with an on‑screen ransom message.

The message both claimed responsibility for the earlier breach and set a deadline of May 12 for Instructure and affected schools to contact the gang or risk the public release of stolen data.

This second wave matters for two reasons. First, it confirms that ShinyHunters still has meaningful access to Instructure’s environment, or at least to components that control the look and behavior of school login pages. Second, it marks a clear escalation in pressure tactics, from leaked claims and dark web posts to messages shown directly to students, parents, and staff trying to access their courses.

How to deal with this data breach

For students and families, the practical advice from our original blog still applies:

• Reset Canvas‑related passwords
• Enable multi‑factor authentication where possible
• Monitor financial and credit activity as children get older
• Stay wary of highly personalized phishing that references real schools, courses, or teachers

For schools and districts, this latest extortion campaign underlines the need to coordinate closely with Instructure, review single sign-on (SSO) integrations, and prepare clear communications so that any future defacements or data leaks do not catch staff and parents by surprise.

---

---

ShinyHunters hackers defaced the official Canvas LMS portal after breaching Instructure systems, disrupting university access worldwide.

An ongoing data extortion attack targeting the widely-used education technology platform Canvas disrupted classes and coursework at school districts and universities across the United States today, after a cybercrime group defaced the service’s login page with a ransom demand that threatened to leak data from 275 million students and faculty across nearly 9,000 educational institutions.

Canvas parent firm Instructure responded to today’s defacement attacks by disabling the platform, which is used by thousands of schools, universities and businesses to manage coursework and assignments, and to communicate with students.

Instructure acknowledged a data breach earlier this week, after the cybercrime group ShinyHunters claimed responsibility and said they would leak data on tens of millions of students and faculty unless paid a ransom. The stated deadline for payment was initially set at May 6, but it was later pushed back to May 12.

In a statement on May 6, Instructure said the investigation so far shows the stolen information includes “certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as as messages among users.” The company said it found no evidence the breached data included more sensitive information, such as passwords, dates of birth, government identifiers or financial information.

The May 6 update stated that Canvas was fully operational, and that Instructure was not seeing any ongoing unauthorized activity on their platform. “At this stage, we believe the incident has been contained,” Instructure wrote.

However, by mid-day on Thursday, May 7, students and faculty at dozens of schools and universities were flooding social media sites with comments saying that a ransom demand from ShinyHunters had replaced the usual Canvas login page. Instructure responded by pulling Canvas offline and replacing the portal with the message, “Canvas is currently undergoing scheduled maintenance. Check back soon.”

“We anticipate being up soon, and will provide updates as soon as possible,” reads the current message on Instructure’s status page.

While the data stolen by ShinyHunters may or may not contain particularly sensitive information (ShinyHunters claims it includes several billion private messages among students and teachers, as well as names, phone numbers and email addresses), this attack could hardly have come at a worse time for Instructure: Many of the affected schools and universities are in the middle of final exams, and a prolonged outage could be highly damaging for the company.

The extortion message that greeted countless Canvas users today advised the affected schools to negotiate their own ransom payments to prevent the publication of their data — regardless of whether Instructure decides to pay.

“ShinyHunters has breached Instructure (again),” the extortion message read. “Instead of contacting us to resolve it they ignored us and did some ‘security patches.'”

A source close to the investigation who was not authorized to speak to the press told KrebsOnSecurity that a number of universities have already approached the cybercrime group about paying. The same source also pointed out that the ShinyHunters data leak blog no longer lists Instructure among its current extortion victims, and that the samples of data stolen from Canvas customers were removed as well. Data extortion groups like ShinyHunters will typically only remove victims from their leak sites after receiving an extortion payment or after a victim agrees to negotiate.

Dipan Mann, founder and CEO of the security firm Cloudskope, slammed Instructure for referring to today’s outage as a “scheduled maintenance” event on its status page. Mann said Shiny Hunters first demonstrated they’d breached Instructure on May 1, prompting Instructure’s Chief Information Security Officer Steve Proud to declare the following day that the incident had been contained. But Mann said today’s attack is at least the third time in the past eight months that Instructure has been breached by ShinyHunters.

In a blog post today, Mann noted that in September 2025, ShinyHunters released thousands of internal University of Pennsylvania files — donor records, internal memos, and other confidential materials — through what the Daily Pennsylvanian and other outlets later determined was, in part, a Canvas/Instructure-mediated access path.

“Penn was the named victim,” Mann wrote. “Instructure was the mechanism. The incident was treated as a Penn-specific story by most of the national press and quietly handled by Instructure as a customer-specific matter. That framing was wrong then. It is dramatically more wrong in light of the May 2026 events, which now look like the planned escalation of an attack pattern that ShinyHunters had been working against Instructure’s environment for at least eight months prior. The September 2025 Penn breach was the proof of concept. The May 1, 2026 incident was the production run. The May 7, 2026 recompromise was ShinyHunters demonstrating publicly that the May 2 ‘containment’ did not happen.”

In February, a ShinyHunters spokesperson told The Daily Pennsylvanian that Penn failed to pay a $1 million ransom demand. On March 5, ShinyHunters published 461 megabytes worth of data stolen from Penn, including thousands of files such as donor records and internal memos.

ShinyHunters is a prolific and fluid cybercriminal group that specializes in data theft and extortion. They typically gain access to companies through voice phishing and social engineering attacks that often involve impersonating IT personnel or other trusted members of a targeted organization.

Last month, ShinyHunters relieved the home security giant ADT of personal information on 5.5 million customers. The extortion group told BleepingComputer they breached the company by compromising an employee’s Okta single sign-on account in a voice phishing attack that enabled access to ADT’s Salesforce instance. BleepingComputer says ShinyHunters recently has taken credit for a number of extortion attacks against high-profile organizations, including Medtronic, Rockstar Games, McGraw Hill, 7-Eleven and the cruise line operator Carnival.

The attack on Canvas customers is just one of several major cybercrime campaigns being launched by ShinyHunters at the moment, said Charles Carmakal, chief technology officer at the Google-owned Mandiant Consulting. Carmakal declined to comment specifically on the Canvas breach, but said “there are multiple concurrent and discrete ShinyHunters intrusion and extortion campaigns happening right now.”

Cloudskope’s Mann said what happens next depends largely on whether Instructure’s customers — the universities, K-12 districts, and education ministries paying for Canvas — choose to apply pressure or absorb the breach quietly.

“The history of education-vendor incidents suggests the path of least resistance is the second one,” he concluded.

Update, May 8, 11:05 a.m. ET: Instructure has published an incident update page that includes more information about the breach. Instructure said its Canvas portal is functioning normally again, and that the hackers exploited an issue related to Free-for-Teacher accounts.

“This is the same issue that led to the unauthorized access the prior week,” Instructure wrote. “As a result, we have made the difficult decision to temporarily shut down Free-for-Teacher accounts. These accounts have been a core part of our platform, and we’re committed to resolving the issues with these accounts.”

Instructure said affected organizations were notified on May 6.

“If your organization is affected, Instructure will contact your organization’s primary contacts directly,” the update states. “Please don’t rely on third-party lists or social media posts naming potentially affected organizations as those lists aren’t verified. Instructure will confirm validated information through direct outreach to all affected organizations.”

ShinyHunters breached Instructure and Vimeo, exposing millions of student and user records through direct and supply chain attacks.

Hackers stole data of 119,000 Vimeo users in April. The breach, linked to a third‑party vendor, exposed personal details.

Vimeo confirmed a data breach after the ShinyHunters gang stole personal information of 119,000 users in April 2026. According to Have I Been Pwned, the attackers accessed user data through a compromise at Anodot, a third‑party analytics vendor.

“In April 2026, the ShinyHunters extortion group listed Vimeo on their extortion portal as part of their “pay or leak” campaign. They subsequently published hundreds of gigabytes of data, predominantly consisting of video titles, technical data and metadata.” reported Have I Been Pwned.”The data also included 119k unique email addresses, sometimes accompanied by names. Vimeo attributed the exposure to a breach of Anodot, a third-party analytics vendor, and advised the incident does not include “Vimeo video content, valid user login credentials, or payment card information”.”

Vimeo confirmed that the security incident is linked to a breach at Anodot. An unauthorized actor accessed some Vimeo user and customer data, mainly technical information, video titles, metadata, and in some cases email addresses.

“Vimeo is aware of a security incident affecting Anodot, a third-party analytics vendor used by Vimeo and many other companies. The Google Threat Intelligence report associated with the unauthorized actor claiming responsibility for the Anodot incident can be found at this link.” reads the notice on the security incident published by the company.

We have identified that, as a result of the Anodot breach, an unauthorized actor accessed certain Vimeo user and customer data. Our initial findings suggest that the databases accessed primarily contain technical data, video titles and metadata, and, in some cases, customer email addresses.”

The company said no video content, login credentials, or payment data were exposed, and services were not disrupted. In response, Vimeo disabled Anodot access, removed the integration, engaged external security experts, and notified law enforcement.

The investigation is still ongoing, and updates will be shared as more details emerge.

After Vimeo’s disclosure, the ShinyHunters cybercrime group leaked a 106GB archive of stolen documents on its Tor data leak site.

ShinyHunters is a well-known name in the cybercriminal ecosystem. The group is associated with a broader loosely connected network often referred to as “the Com,” made up largely of young, English-speaking individuals. Their operations typically focus on stealing data from large organizations and using leak sites to pressure victims into paying ransoms in cryptocurrency.

ShinyHunters has recently targeted major companies and organizations, leaking data when ransom demands fail. Victims include the European Commission, Odido, Figure, Canada Goose, Rockstar, and SoundCloud. The group primarily uses social engineering, especially voice phishing, to steal credentials and access SaaS platforms like Salesforce, Okta, and Microsoft 365. 

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Vimeo)

Instructure, maker of the Canvas learning platform, is investigating a cyber incident that exposed users’ personal data.

Instructure is a U.S.-based educational technology company best known for developing Canvas, one of the world’s most widely used learning management systems (LMS). 

The U.S. firm confirrmed a cybersecurity incident that exposed users’ personal information. The company is working with external cybersecurity experts and law enforcement to investigate the breach. Canvas is widely used by schools and universities to manage courses, assignments, and online learning, raising concerns about student and staff data security.

The company says the security incident appears to be contained while investigations continue. Instructure revoked privileged credentials and access tokens, deployed security patches, rotated some keys as a precaution, and increased monitoring across systems.

“Out of an abundance of caution, we rotated certain keys, even though there is no evidence they were misused – Implemented increased monitoring across all platforms.” reads the Incident Report. “While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users. At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.”

So far, the exposed data likely includes user identifiers such as names, email addresses, student ID numbers, and some user messages. The company states that there is currently no evidence that passwords, dates of birth, government IDs, or financial data were affected.

The educational technology firm continues to monitor the situation and will notify institutions if new findings emerge, while updating its status page and working to strengthen system security.

Instructure did not share details about the attack, however, the ShinyHunters extortion group claimed responsibility for the attack and added the company to its Tor data leak site.

“Nearly 9,000 schools worldwide affected. 275 million individuals data ranging from students, teachers, and other staff containing PII. Several billions of private messages among students and teachers and students and other students involved, containing personal conversations and other PII. Your Salesforce instance was also breached and a lot more other data is involved. Pay or Leak.” the group wrote on its leak site. “This is a final warning to reach out by 6 May 2026 before we leak along with several annoying (digital) problems that’ll come your way. Make the right decision, don’t be the next headline.,” reads the data leak site.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

A Canvas cybersecurity incident has disrupted services at Instructure, the company behind the widely used Canvas platform, raising concerns among educational institutions over potential data exposure and service interruptions. The Canvas cybersecurity incident first came to light late Friday, when Instructure disclosed that it had detected unauthorized activity linked to a cyberattack. The company said it immediately launched an investigation with the support of external forensic experts to determine the scope and impact. By Saturday, Chief Information Security Officer Steve Proud confirmed that attackers had gained access to certain user data from some institutions. The exposed information includes names, email addresses, student identification numbers, and messages exchanged within the platform. Proud emphasized that the incident has been contained. He added that the response involved revoking privileged credentials and access tokens, deploying security patches, and increasing system-wide monitoring. However, some of these defensive measures led to temporary disruptions in services, particularly tools dependent on API keys.

Canvas Cybersecurity Incident: No Financial or Sensitive Identity Data Compromised

Despite the data breach, Instructure stated that there is currently no evidence that highly sensitive data such as passwords, financial information, government identifiers, or dates of birth were accessed. The company noted it will notify affected institutions if any new findings emerge. Canvas is used extensively by schools, universities, and enterprises to manage coursework, host educational content, and facilitate communication between students and educators. The scale of its usage has amplified concerns around the potential reach of the incident.

ShinyHunters Claims Large-Scale Data Theft

The cybercriminal group ShinyHunters claimed responsibility for the attack on Sunday, alleging it had stolen 3.6 terabytes of data affecting more than 9,000 schools. These claims have not been independently verified, and Instructure has not publicly responded to the group’s assertions. [caption id="attachment_111847" align="aligncenter" width="657"] Source: X[/caption] Such claims, if validated, could significantly expand the scope of the Canvas cybersecurity incident beyond initial disclosures. For now, the company maintains that its investigation is ongoing.

Ongoing Maintenance and Service Restoration Efforts

Instructure has been providing regular updates as it works to stabilize systems affected by the Canvas cybersecurity incident. As of May 5, Canvas Data 2 and Beta services have largely been restored, while the Test environment remains under maintenance. Earlier updates indicated that some users experienced disruptions due to reissued application keys, a precautionary measure taken to enhance security. Users were required to re-authorize access to certain tools, with updated keys identifiable by timestamps. The company also confirmed that it rotated certain keys even without evidence of misuse, reflecting a cautious approach to securing its infrastructure.

Continued Monitoring as Investigation Proceeds

The investigation into the Canvas cybersecurity incident remains active, with Instructure continuing to monitor its systems and assess potential risks. The company has reiterated its commitment to transparency and stated that updates will be shared as new information becomes available. For institutions relying on Canvas, the incident highlights the operational impact of cybersecurity threats on critical education platforms. While services are gradually being restored, the focus now shifts to understanding the full extent of the breach and preventing similar incidents in the future.

The video platform Vimeo confirmed a security breach via Anodot that exposed metadata, video titles, and some user emails.

Vimeo said some user data was accessed after a breach at Anodot. Anodot is a company that provides AI-driven data analytics and anomaly detection tools.

Most of the exposed information includes technical data, video titles, and metadata, while some customer email addresses were also affected. Vimeo says the incident did not expose user-uploaded videos, login credentials, or payment card data, and its platform continues to operate normally without disruption.

Vimeo noted the incident came from a third-party breach.

“Vimeo is aware of a security incident affecting Anodot, a third-party analytics vendor used by Vimeo and many other companies.” reads the notice published by Vimeo. “We have identified that, as a result of the Anodot breach, an unauthorized actor accessed certain Vimeo user and customer data. Our initial findings suggest that the databases accessed primarily contain technical data, video titles and metadata, and, in some cases, customer email addresses.”

In response to the incident, the company disabled all Anodot credentials and removed its integration with the service to stop further access. Vimeo notified law enforcement and is still investigating the incident with the help of external security experts.

Hackers from the extortion group ShinyHunters claimed the Vimeo breach and threaten to leak stolen data by April 30 if the company refuses to pay a ransom. They also warn Vimeo about possible “digital problems” if demands go unmet.

“Your Snowflake and Bigquery instances data was compromised thanks to Anodot.com. Pay or Leak.” reads the announcement published by ShinyHunters on its Tor data leak site. “This is a final warning to reach out by 30 Apr 2026 before we leak along with several annoying (digital) problems that’ll come your way. Make the right decision, don’t be the next headline.”

The attackers say they accessed data from Vimeo’s Snowflake and BigQuery environments. They also list the company on their leak site as part of their pressure campaign against the organization.

Attackers linked to the ShinyHunters group stole authentication tokens from Anodot and used them to access customer cloud environments, mainly Snowflake, to extract data from several organizations. The group now tries to monetize the breach through extortion and leak threats.

They also claim they took more than 78.6 million records from game studio Rockstar Games, though they have not confirmed the exact amount of data taken from Vimeo.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ShinyHunters)

ASEC Blog publishes Ransom & Dark Web Issues Week 5, April 2026           Emergence of a new ransomware group, M3RX Data from a South Korean religious organization sold on DarkForums ShinyHunters claims a data leak from a US interactive media company

ADT confirmed a data breach exposing customer names, addresses, phone numbers, and partial SSNs, with millions of records reportedly affected.

The post ADT Confirms Major Data Breach Exposing Millions of Names, Partial SSNs appeared first on TechRepublic.

Medtronic confirmed a breach of its IT systems after ShinyHunters claimed the theft of over 9 million records.

Medtronic confirmed a cyberattack on its corporate IT systems after the hacker group ShinyHunters claimed to have stolen over 9 million records. The company did not share details on the security breach.

Medtronic is an international medical equipment giant with 90,000 employees and operations in 150 countries. It is the largest medical device maker in the world by revenue ($33.5 billion) and also develops healthcare technologies and therapies.

Medtronic said an unauthorized party accessed data in some corporate IT systems. It found no impact on products, patient safety, operations, financial systems, or care delivery. The company noted its IT, product, and manufacturing networks are separate, and hospital networks remain independently managed and secure.

“Medtronic has determined that an unauthorized party accessed data in certain Medtronic corporate IT systems. We have not identified any impact to our products, patient safety, connections to our customers, our manufacturing and distribution operations, our financial reporting systems or our ability to meet patient needs.” reads the press release published by the company. “The networks that support our corporate IT systems, our products and our manufacturing and distribution operations are separate. Hospital customer networks remain separate from Medtronic IT networks and are secured and managed by customers’ IT teams.”

Medtronic states it had contained the breach and activated incident response with the help of external cybersecurity experts. It’s assessing if personal data was exposed and will notify affected individuals, offering them support.

On April 18, ShinyHunters added the company to its Tor data leak site, claiming the theft of over 9 million records, including personal data and internal files. Initially, the group threatened to leak the data if the ransom was not paid by April 21, but the listing has since disappeared. The company is investigating and says it will notify and support affected individuals if data exposure is confirmed.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, data breach)

ShinyHunters has leaked data linked to Udemy, Zara, and 7-Eleven, with claims of exposed Salesforce records and cloud-based systems.

ASEC Blog publishes Ransom & Dark Web Issues Week 4, April 2026           ShinyHunters Claims Data Breach Involving Major U.S. Convenience Store Chain ShinyHunters Claims Theft of Internal Data and Source Code from U.S. Software Development Firm Emergence of New Data Extortion Group: Prinz Eugen

Amtrak data breach exposes over 2.1 million customer records after CRM access. Learn what was leaked, risks, and steps users and IT teams should take now.

The post Amtrak Data Breach Exposes 2.1M Records, Reports Suggest Larger Leak appeared first on TechRepublic.

Vercel confirms a breach linked to Context.ai as a hacker lists alleged data for $2M. ShinyHunters denies involvement and flags imposters.

McGraw-Hill confirms a data exposure tied to a Salesforce misconfiguration as hackers claim 45M records, raising concerns over SaaS security risks.

The post McGraw-Hill Confirms Data Exposure, Hackers Claim 45M Salesforce Records Leaked appeared first on TechRepublic.

ShinyHunters hackers leak 7.54 GB of Rockstar Games data from Snowflake analytics systems, confirming no player records or personal information were exposed.

Leak of 8.1GB data tied to Rockstar Games includes anti-cheat code, game data, analytics and more, reportedly exposed by ShinyHunters.

An 8.1GB data leak reportedly linked to Rockstar Games has surfaced, with files shared by ShinyHunters after being obtained via Anodot. The dataset includes anti-cheat source code, player analytics, game assets, Zendesk support tickets and financial information.

BREAKING: Rockstar Games breach data obtained through Anodot has been leaked by ShinyHunters.

The files total 8.1GB and contain anti-cheat source code, player analytics, game data, Zendesk ticket feeds, financial data and more.

A thread analyzing what has been leaked… pic.twitter.com/qi8cOXJOnL

— International Cyber Digest (@IntCyberDigest) April 13, 2026

Rockstar Games, one of the major companies in the video game industry, known for popular titles like Grand Theft Auto.

The cybercrime group claims they managed to access Rockstar-related systems hosted through a third-party cloud provider. The group alleges that sensitive internal data was exfiltrated and threatened to publish it.

The group attempted to pressure the company with public posts suggesting that failure to comply would result in both data leaks and further “digital disruption.”

Rockstar Games, however, has publicly minimized the impact of the incident. In its statement, the company indicated that only a limited amount of non-sensitive corporate information was accessed and emphasized that neither its operations nor its player community were affected.

“We can confirm that a limited amount of non-material company information was accessed in connection with a third-party data breach,” a Rockstar Games spokesperson told BBC.

The firm’s response suggests that, at least from its perspective, the breach did not compromise core systems or player-facing services.

Security researchers note that groups like ShinyHunters have increasingly focused on exploiting third-party cloud environments rather than directly attacking corporate infrastructure. This approach allows attackers to bypass stronger internal defenses by targeting external service providers with weaker security postures or misconfigurations.

The incident marks the second major security event involving the company in just a few years, highlighting how high-profile gaming studios remain attractive targets for data theft and extortion schemes.

In a previous incident in 2022–2023, a hacker affiliated with the Lapsus$ collective gained access to internal systems and leaked early development footage of Grand Theft Auto VI. That breach resulted in significant operational disruption and forced the company to adjust its communication strategy around one of its most secretive projects.

The financial and reputational implications of such incidents are substantial. Beyond direct recovery costs, companies often face delays in development, increased security investments, and intensified scrutiny from both regulators and the public. In the case of Rockstar, the stakes are even higher due to the secrecy surrounding upcoming releases and the enormous expectations tied to its flagship titles.

As investigations continue, the Rockstar breach serves as another reminder of the evolving threat landscape facing major digital entertainment companies. In an era where cloud infrastructure, third-party vendors, and remote access systems are deeply integrated into business operations, securing the full supply chain has become as critical as protecting internal networks.

ShinyHunters is a well-known name in the cybercriminal ecosystem. The group is associated with a broader loosely connected network often referred to as “the Com,” made up largely of young, English-speaking individuals. Their operations typically focus on stealing data from large organizations and using leak sites to pressure victims into paying ransoms in cryptocurrency.

ShinyHunters has recently targeted major companies and organizations, leaking data when ransom demands fail. Victims include the European Commission, Odido, Figure, Canada Goose, and SoundCloud. The group primarily uses social engineering, especially voice phishing, to steal credentials and access SaaS platforms like Salesforce, Okta, and Microsoft 365. 

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Rockstar Games)