Privacy Please

S7, E273 - Inside Shiny Hunters And The New Era Of SaaS Breaches

A Problem Lounge Show


Gabe and I dig into Shiny Hunters and why the scariest cyberattacks now look like ordinary logins instead of dramatic break-ins. We map how credential theft, social engineering, and SaaS data exports turn basic security hygiene into the difference between a close call and a headline. 

• Shiny Hunters’ scale, loose structure, and why takedowns rarely stick 
• Why ransomware and extortion keep growing as a business model 
• How the tactics evolve from Microsoft 365 and developer creds to SaaS platforms like Salesforce 
• Credential stuffing, vishing, and smishing as “low-friction” intrusion paths 
• The Snowflake-style failure mode of missing MFA and weak password practices 
• Password reuse and how consumer breaches can cascade into enterprise access 
• Data retention and why old records increase privacy risk 
• Vendor risk and the shared responsibility model for identity and data 
• Practical steps that improve security without relying on perfect users 

If you guys have not been to our website, theproblemlounge.com, check it out. Got some new blogs up there. Sign up for the newsletter. Support us, follow us. Let’s get this out to more people. 



Hackers Who Simply Log In

SPEAKER_01

Imagine a world where hackers don't just break in. They simply log in. Today, we're diving into the shadowy realm of Shiny Hunters, a group that's breached over 400 companies and exposed over a billion people. Stay tuned as we unravel their tactics and explore the ever-evolving landscape of cyber threats. This is Privacy Please.

Welcome Back And Website Updates

SPEAKER_01

Along with me is Gabe Gums. Man, it's been a while. Gabe, Gabe, Gabe, Gabe.

SPEAKER_00

Game, Gabe, Cam, Cam, Cam, Cam, Cam. It's been a while since we've been in the studio, but but we've been we've actually been working a lot more together recently. We have, yeah. It's always fun. It's always fun. So it is fun. I enjoy it. Time to get back in the lab and say hello to our uh our listeners out there.

SPEAKER_01

Say hello to the people, Gabe. It's been a while since they've heard your voice. Hello, people.

SPEAKER_00

It's not been that long since they've they've uh they've consumed some of uh my random musings, though. So we got some new blog posts on the wire, as always. So yeah, you know, folks aren't checking out the website, still go to theproblemlounge.com. We got a several new blog posts up there. Definitely go hit that stuff up. And uh as always, you know, Cam holds down the fort in my absence. Here there's some new episodes out there as well, too.

SPEAKER_01

Oh, yeah.

Who Shiny Hunters Really Are

SPEAKER_01

Specifically, I've been doing a lot of um, you know, investigative journalism and it's been interesting digging into some of these breaches, but specifically today, we wanted to kind of talk about who's been involved with a lot of those breaches, which is Shiny Hunters. It's pretty uh fascinating. So, just real quickly, if you're not familiar, who's listening, they have breached over 400 companies total, uh, over a billion people exposed, arrested multiple times in multiple countries. They're still operating today. Uh, their name is Shiny Hunters, and that's what we're gonna kind of dig into and uh just chat about. Gabe, what do you know about Shiny Hunters in general when that name comes up?

SPEAKER_00

Well, first I think about how much ransomware and ransom gangs have changed and continue to evolve. And my first thought is man, it it's never gonna stop. It just it won't. Like that that cat has been let out of the bag and it's financially lucrative. And so, you know, it's like like many other forms of crime. Once uh, once these patterns are established and there's an on-ramp and an off-ramp for them, they'll they're gonna continue. You know, in the security world, we've been fighting this scourge forever. And uh, you know, for those that haven't really internalized it yet, you should do that right now. Like let this be the moment where you internalize that ransomware is never going away. So Shiny Hunters has been making a lot of news recently, but you know, it's believed that they were formed way back in 2019, way back in in internet years, that's a long time. They were formed dark web forums. Yeah. Yeah. Uh and it's actually not just kind of one single monolithic gang either. Like it it appears that it's a a loose overlapping group of of cells, right? You know, yeah. I think the way anonymous operated only instead of hacktivism, it's straight up hacking for profit.

SPEAKER_01

But uh I think that's like their only motivation, which makes sense. Financial motivation.

SPEAKER_00

It's totally, totally the only motivation. They they haven't shown any signs of being hacktivists, they don't seem to have any cause, they have one singular cause get rich or die trying. That's it.

SPEAKER_01

So, to that point, I want to kind of ask you a question. And this is uh, so when you see a group like this that's structured the way that they have, what does that tell you about how hard they are to take down?

SPEAKER_00

Pretty difficult because they're so loosely organized. It's almost impossible to know if you've even taken them down once you start taking them down. Um, you know, look, 2019 they've been around, and other large ransomware gangs have been taken down and taken offline. These guys are still operating, and they're not just still operating, they're they're getting bigger and bolder. They're going after larger targets, bigger payloads, bigger payouts. Their name has been in the news a lot recently because of that, right?

Their Shift Toward Bigger Targets

SPEAKER_00

Like, so very early on, you know, 2020, they were largely using like Microsoft 365, looking for stored GitHub credentials and then targeting developers inside of companies, right? Yeah, um, they then shifted to more social engineering um and voice phishing, uh, which has only gotten easier with generative AI. And so they would pose as a help desk person and trick employees into sharing passwords or MFA tokens, MFA codes. But now they're targeting uh large platforms like Salesforce so that they can gather large amounts of data in one uh attack. Yeah, right. Um and so now they're they're exporting, you know, enterprise cloud applications and you know, not just the classic ransomware uh attacks. And what's interesting about that particular attack path also is the number of organizations I speak to that don't think that they have to protect their SaaS applications the way they protect the rest of their data is far too high. It's way, way too high. They see it as Salesforce's problem. Yeah. You know, the problem with that thinking though is once your data is attacked and leaked out of Salesforce, it doesn't matter whose problem you think it is, now it's your problem. Yeah. Congratulations, it's a boy.

SPEAKER_01

It's interesting. I I'm looking at what you're talking about. Um the Salesforce targeted, that was kind of in their phase three. So they apparently have three phases. So in 2020 through 2023, they this was phase one where they buy stolen credentials from underground markets, they hit exposed databases, dump or sell the data, and then they scale fast because the supply of bad credentials online is basically unlimited. And then phase two in 2024 was the Snowflake campaign.

SPEAKER_00

Yes.

SPEAKER_01

Um, and then phase three, which is recent, like the past year, which is the SaaS industrial scale. So that's Salesforce. That's where they've hit three to four hundred companies um just by March of 2026.

SPEAKER_00

Yeah. And there's a saying in in uh in the security world, hackers don't break in, they log in. That's what they've been doing.

SPEAKER_01

Well, yeah, that I mean they're going in the back door. They're they're basically um, let's say a company doesn't update something, that's how they get in. They they take advantage of, you know, when something's not been updated.

SPEAKER_00

Buying credentials on the dark web, and then it's called credential stuffing, right? So they'll just iterate through as many as they can, as quickly as they can, and just keep trying a bunch of different accounts and password combinations until they get in. Um, and they can do this at at massive scale without getting caught quite easily. Because again, what what are you looking for here? You're not looking for someone just breaching or breaking into something. You're looking for just logging into something. How many people log into Salesforce every day, legitimately? Millions. Millions. So, you know, you're you're looking for an activity that may not look benign. Apologies, you're looking for an activity that does look benign, it does not necessarily look harmful.

SPEAKER_01

Snowflake And The MFA Blind Spot

SPEAKER_01

Right. So let me ask you this, Gabe. If you're let's say that you're, let's take the Snowflake campaign for an example. Let's say you're in on the leadership team or wherever a company that size that still had no multi-factor authentication on accounts holding that much data. How does something like that happen at a company like that? What what are the conversations you think look like internally when something like that happens?

SPEAKER_00

Well, before it happens, the conversations quite likely look like that might be a thing that we should do. We maybe want to do it and they haven't gotten around to it. Right. It might look like something they just hadn't considered or thought about, unfortunately. Um, because you know, passwords, like it's password protected, right? Like you have to log in, and passwords are just not secure, period. First off, right? They're just not secure. That's why we move to passkeys and tokens and every every other number of identity and access management control that there is. Um after it happens, I'm certain a lot of those conversations look like how the hell did this happen?

unknown

Right.

SPEAKER_00

And it's like, well, they they got our credentials. Well, how the hell did they get our credentials? Well, someone didn't update them in way too long, someone didn't rotate them in way too long. You know, someone is reusing them across the same organization. They're using the same weak password for multiple things. And so one small breach may lead to a big breach, right?

Password Reuse Meets Pornhub Data

SPEAKER_00

So you recently reported on the Pornhub breach. Right. There's a high likelihood that the password that some of those people use for their porn activity is the same password they're using to log into their business. It's true. It's true.

SPEAKER_01

Yeah.

SPEAKER_00

It's true. Good point. So, you know, you target other play, shouldn't say targeting something like Pornhub is actually easy to target in uh uh an enterprise. In fact, it's often a bit more difficult. Um it has been since forever that a lot of a lot of uh pornography uh in the digital world has actually led the way in a lot of adoption of other technologies. They were some of the first to use video online, some of the first to bring video online in at scale, and then streaming video at scale and and protecting users. Like this is a place that has always pushed technology forward, always pushed technology forward at a pace a little bit faster than enterprise. And uh so that's what some of those conversations look like.

SPEAKER_01

Yeah, I mean, going back to the Pornhub thing, it's um it's interesting because from my memory, um, it wasn't they didn't get through Pornhub, they got through the third-party company that they part that Pornhub partners with that reads it basically takes the it's not just personal information, it's it's behavioral data. So they're they they they hacked into the company that tracks the behavioral data, which is probably the most important thing for something like Pornhub because that's how it pushes it to those people. So um, yeah, it's it's uh it's fascinating because now obviously Pornhub's like, well, this is your fault. And then the other company's like, Well, no, it's not because this is data from 2001. Why do you still have this data?

SPEAKER_00

Yeah.

SPEAKER_01

And it's not even an active account. That's like the hack that, and then that's the other conversation, Gabe, is why are why are companies allowed, why is there no law that companies can just hold on to data, especially from accounts that aren't even active anymore? That's a problem too, right? I mean, because then we just have so much data out there that just shouldn't even exist inside of a company for this type of reason.

SPEAKER_00

There's a lot of laws around how long you have to hold different types of data. You're right. There's no laws around that you should get rid of data after certain periods of time. Um I don't know if legislation is necessarily the the answer to that problem. Because look, all of those companies were they were all compliant, right? Like they were they were following all the rules and and they they were doing all of the right things, but oh, even the Snowflake example, right? Like the Snowflake breach, you really can't blame Snowflake. Those were people that didn't update their passwords, period. Full stop. So, you know, credential stuffing into the Snowflake environment, you could argue, well, Snowflake should have done a better job of protecting against the credential, the act of stuffing the credentials in there in the first place.

SPEAKER_01

Yeah.

SPEAKER_00

Whose responsibility is it to not be reusing bad, weak passwords across hell, even strong passwords, reusing them across different uh different services, right? No, there is no one control that says, or one governing body or anything that says, hey, you should get rid of data. It's quite the opposite, it's quite perverse. Um, look at the uh look at the backup and recovery market, right? It is a multi-billion dollar market, billions and billions of dollars. The largest backup vendor out there, Veeam, they have revenues reoccurring annually, revenues, if I'm not mistaken, well north of $2 billion. Maybe it's right around there, but let's just call it $2 billion to be safe, because I'm certain it's not less than $2 billion. That's just one company, and their entire function is to help you keep your data around for longer, right? Which is a very useful thing, right? Because you might need it for any number of reasons. Something bad might happen and you have to recover that data. You might need it for litigation. You might have to keep it because of regulation. There's a lot of regulation that says you have to keep it. HIPAA says you have to, uh, FERPA says like lots of regulatory bodies say you have to keep this data for this much time. So the challenge is if we are gonna have to keep data, well, how do we keep it and protect it?

SPEAKER_01

Vendor Risk And Shared Responsibility

SPEAKER_01

Right. It's um well to that to that point, like so. Going back to supply chain attack, so question for you, Gabe. Your your security is only as good as your vendors. Is that like a common statement? Like, do you actually manage that risk? Or how do you manage that risk?

SPEAKER_00

Is there even a way there's there's ways at which we attempt to do so, right? So you know things like SOC 2 are an attempt to for organizations to demonstrate, hey, we follow these practices, and so these practices should in practice, pun intended, lead us to being more secure. Um and when and like public companies and banks, uh, they have explicit rules stating that they have to, before they engage with business with another organization, there's a vetting process that they have to put them through to make sure that their data is safe. So, you know, I can argue that people are making a best faith effort at it, but they have to still trust that the people they're engaging with are doing the right things. And it is a true statement that your security is only as good as the vendors that you trust with your data as well. Yeah. This goes back to what I was saying just a few minutes ago. You know, there's a I there's a lot of companies that entrust their data to SaaS platforms of all types, right?

SPEAKER_01

Yeah.

SPEAKER_00

From ones to manage their HR and payroll to ones that manage their code to ones that manage their their customer relationships. And you don't just get to relinquish your responsibility for protection of data because it's in Salesforce, it's Salesforce's problem. No. In fact, it's it's long been codified, the the shared responsibility model, as we call it, right? Like identity and data are the two items in that shared responsibility model that you cannot give up. They're always yours. They're always yours, they're always your problem. You don't get to, you don't get to pawn that off into someone else. And I know zero SaaS platforms that take on that liability.

SPEAKER_01

Smishing And Canvas Hit Twice

SPEAKER_01

Yeah. It's interesting. They seem very calculated too, with the thing the the companies that they're hitting. I mean, they hit so Mixpanel was that third-party company, if you're familiar with it. Right. That's right. So, yeah, Mixpanel and Pornhub. Mixpanel, they did a smishing attack against Mixpanel's employees. That's how they kind of got in. And they got 200 million records. Share if you would for our listeners, what smishing is again, please. Um, it's it's either where it's not it's not through emails, through text messages, right? Correct. Yeah.

SPEAKER_00

SMS, right? Like that's the the SM, the smishing is as opposed to uh emailing. Yes. So they send them text messages.

SPEAKER_01

All right, look at me. I know things. You know things. Um so to kind of wrap things up, because I know we're coming up on time here. Um this was uh the other thing was um the other software, just before we go to the last section, was Canvas. That was the one where they actually hit them twice. They um they did a second breach within eight months. They did one in September. The company said they fixed it, and then they didn't, so Shiny Hunters came back and got more, which was like, I guess they I think they did something, I don't know if it was them, but someone they tried to like offer a $20 million reward, which was interesting. But they basically Shiny Hunters just asked for more and they got more on the second try. Um, but anyways, it's it's you know, six years that they've been doing this, hundreds of breaches, over a billion people. Um whoever Shiny Corp really is has never really been identified, charged, or arrested, which is crazy, but that's that's how it is. That's yeah.

The Hygiene Rules That Matter

SPEAKER_00

Um here's the primary takeaway for our listeners. Primary takeaway for our listeners. Whether you are an enterprise or an individual, using someone else's services does not guarantee that your data is safe, right? You still have to take the proper steps to make sure that your data is safe. Because a lot of these attacks, again, they're they're literally logging into to accounts. They're not, they're not even breaking into the infrastructure, they're just logging into accounts. Make sure you have good hygiene around those things. Things like smishing, phish, uh, you know, all of the the the ways in which it is it has been evolving and changing, it is going to require uh constant user education, and it's tough. You can't expect all of your users to always be on guard and to be security experts, but they are one of the weakest links. Your partners are one of the weakest links, and there's humans too.

SPEAKER_01

Yeah. They're not going after firewalls, they're going after the easy relationships between your SaaS tools. That's right. Well said. Well said. Um, okay, cool.

Upcoming Guests And AI Storage Costs

SPEAKER_01

Well, that's that's a little bit, I mean, that's kind of for this episode. Is there anything else um we want to talk about for the website for future episodes? We do have some good guests that are lining up.

SPEAKER_00

What do we got?

SPEAKER_01

What do we got? What do we ask? Um, I got someone for coming up in a couple weeks. Um Shane Coker. Um it's he's at a privacy company, um, Osana. Right, right. Um, really looking forward to having him on.

SPEAKER_00

Um Osana's been doing good work for a while now. They've been uh they've been out there. Wow, yeah, yeah. Big fans, big fans. Looking forward to having Shane on.

SPEAKER_01

Yeah. I think um we're we're working to get, I don't know if we want to disclose anybody else right now, but I know we have another one we're putting together with um talking about Gal? With Gal, yeah.

SPEAKER_00

Gal. Gal Gal is uh Gal is the CEO of Store One. Uh that's gonna be an interesting conversation. The the price of of uh memory and storage has been skyrocketing, and they're working on some very interesting uh technology um that is uh it's it's not specifically in the privacy space. Um, and their entry into the security space is actually in collaboration with Myota, which is interesting. But Gal's been around the technology block for a while. He he's gonna be joining us to talk about how he's watched, especially AI in particular, change the shape of the economics and and such as it pertains to a commodity that most of us don't even think about in the technology world, just good old-fashioned storage. But if you've tried to buy a hard drive recently or any memory, you know it's up. Or if you try to buy a laptop or a desktop recently, you know, you you you know it's up because you've seen the prices be affected by these things. Yeah, it's yeah, driven by the AI boom. The AI boom, while it's brought us lots of good things, it's bringing us some increased prices. Yeah.

SPEAKER_01

Yeah. It's been interesting. And a lot of a lot of big tech layoffs too. Oh yeah. Oh yeah. Which is an it's an interesting angle because you can think about it like if you're a company that states you know these layoffs are due to AI, but if you don't do layoffs and and relate them to AI, then are you behind? Are you a company that's behind? Like, I don't know. That's a different competition.

SPEAKER_00

At least behind blaming it AI, blaming it on AI, I guess. At a bare minimum, you're missing the boat on uh easy scapegoat.

SPEAKER_01

Newsletter, Conferences, And Farewell

SPEAKER_01

Yeah. Well, that that can be a uh podcast on its own, but um, anyways, if you have thanks for listening, guys. If you guys have not been to our website, theproblemlounge.com, check it out. Got some new blogs up there. Sign up for the newsletter. Newsletter. Um videos. Support us, follow us. Let's get this out to more people. Um, Gabe's gonna be at some uh conferences coming up. Uh Gabe, you're gonna be at in DC?

SPEAKER_00

I'm gonna be in DC at a Veeam conference coming up soon. Speaking of backups and backup technology and keeping data around for a while. I'll I'll be I'll be hanging out there for a bit. Um we got a bunch of uh things this year. I'll I'll definitely be down at Black Hat this year. Um gonna be down at DEF CON. I was at Tampa BSides a few weeks ago. We totally should do an episode on Tampa BSides. It was really awesome getting to hang out with uh with the folks at Tampa BSides. That was that was a great show. Um shout out to Larry Whiteside. I uh got got into a little bit of a little bit of a back and forth with Larry during the CISO panel there. That was good times.

SPEAKER_01

Did you oh man, I love that actually. We gotta challenge each other. I love it.

SPEAKER_00

Yeah, yeah, yeah. I'll be I'll be I'll be on I'll be out there I'll be out there making making trouble and making waves. We're gonna be was that a little bit of the soothsayer? The soothsayer was out there, the soothsayer was out there. He was getting salty, he was getting salty.

SPEAKER_01

Awesome. Well thanks, Gabe. Thanks everyone for listening, and we'll uh we'll see you guys in the next one.