Zoosk, ChatBooks, and Styleshare Are Among the 11 Large Companies That Leaked 164 Million Records

Shiny Hunters Hacking Spree

Hackers know very well that what they do is illegal, and they obviously don't want to get caught. At the same time, however, they are a proud bunch, and for many of them, building a reputation and earning the respect of other cybercriminals is just as important as staying out of the police's reach. What better way of building a reputation than by compromising close to a dozen online services and stealing more than 160 million records?

Shiny Hunters are trying to make a name for themselves

A new group of cybercriminals is trying to draw some attention to itself, and it appears to be doing a good job. The collective is called Shiny Hunters, and they are in the business of compromising online services and stealing people's personal data. Over the last few weeks, they have announced successful attacks against a number of different organizations, and people are starting to mention them more and more often.

It all started at the beginning of the month when Shiny Hunters released the data stolen from Tokopedia, one of the largest ecommerce platforms in Indonesia. According to Alexa, Tokopedia is in the Top 10 most popular websites in the Asian country, so the high number of affected users (90 million) shouldn't surprise you.

Several days later, cybersecurity intelligence experts announced that Shiny Hunters had hit Unacademy, another relatively popular online service. Backed by Facebook, Unacademy is one of the largest online education platforms in India, and although the breach wasn't as big as Tokopedia's, at 22 million, the number of compromised records is still pretty significant.

Seeing how active it is, the experts knew that Shiny Hunters could turn out to be a hacking group to be reckoned with, and they started paying close attention to the criminals' actions. Sure enough, they didn't need to wait long for the hackers to show up again.

Shiny Hunters claim responsibility for at least ten other data breaches

Cyble researchers told Bleeping Computer that in addition to Tokopedia and Unacademy, Shiny Hunters claim to be in possession of records stolen from at least ten other online services. Here's the list:

  • 30 million records from Zooks, an online dating site
  • 15 million records from ChatBooks, an online shop specializing in photo books
  • 8 million records from Homechef, a food delivery company
  • 6 million records from Styleshare, a social network for fashion-conscious users
  • 5 million records from Minted, an ecommerce platform for independent artists
  • 3 million records from The Chronicle of Higher Education, a news website
  • 2 million records from Ggumim, a Korean online store
  • 2 million records from Mindful, an online magazine
  • 1.2 million records from Bhinneka, an online store
  • 1 million records from Star Tribune, a news outlet

In addition to the organizations listed above, Shiny Hunters also claim to have hit Microsoft. Instead of user data, however, they apparently siphoned off files and source code held in the software giant's private GitHub repositories.

Of all the companies listed above, only ChatBooks has admitted that it has suffered a breach, which means that it's difficult to estimate how dangerous the pilfered data could be. What becomes pretty clear from the hacking spree, however, is that Shiny Hunters are indiscriminately hitting online services of all shapes and sizes. They're not doing it just to show their hacking prowess, either.

Shiny Hunters are trying to monetize the stolen information

The experts first noticed Shiny Hunters after the hackers put the Unacademy and Tokopedia data dumps for sale on the dark web. Not surprisingly, they are also trying to make some money out of the data listed above.

All the newly stolen dumps can be bought separately at prices ranging from $500 to $3,500, and cybercriminals with some spare cash in their pocket can also bundle them with the Tokopedia data and get all 164 million records for a total of $23,100.

This is a pretty low price, which might suggest that like Tokopedia and Unacademy, the rest of the affected services have also hashed users' passwords, though the lack of official information means that we can't be sure. Out of an abundance of caution, users who have signed up for any of the listed websites are advised to change their passwords and make sure they use unique login credentials for all their accounts. In the meantime, security experts will continue to monitor the situation and will wait for Shiny Hunters' next move.

May 12, 2020

Leave a Reply