Sentinel Brief

Kodak Data Breach: How ShinyHunters' B2B Extortion Playbook Works

The Threat: ShinyHunters' Extortion Machine Hits Kodak

400 million. As of June 18, 2026, that is the approximate number of individuals whose records ShinyHunters has compromised across more than 40 confirmed breaches this year alone — a pace that has made the group the most prolific pure-extortion threat actor currently operating. The latest target on its dark web leak site: Eastman Kodak, the imaging and printing conglomerate, which confirmed on June 17, 2026 that an unauthorized third party illegally gained temporary access to company data.

According to reporting originally published by Computing UK and aggregated by Google News, ShinyHunters first listed Kodak on June 15, 2026, claiming the theft of 2.2 million records containing customer personally identifiable information (PII — names, contact details, and identifiers) alongside internal corporate data. The group then set a final deadline of June 18, 2026, threatening to release the full dataset and create what it described as "several annoying digital problems" if Kodak failed to make contact. No proof samples or data previews have been released to validate the 2.2 million record claim — a deliberate pressure tactic consistent with how ShinyHunters operates. The model is uncomplicated: steal, post a countdown, collect payment or publish.

The attack vector matters here. Security Magazine's exclusive analysis from Michael Centrella at SecurityScorecard — drawing on the firm's breach intelligence — points directly to the group's documented pattern of targeting "weak access controls and overlooked business systems," specifically Salesforce instances and enterprise cloud platforms. The FBI's Internet Crime Complaint Center reinforced this in Public Service Announcement PSA260515, issued May 15, 2026, warning explicitly about ShinyHunters targeting enterprise cloud applications and learning management systems. As of June 18, 2026, third-party and supply chain breaches account for 30% of all incidents — double the prior year's share — reflecting the group's systematic strategy of exploiting trusted vendor integrations as entry points.

The group's recent campaign history underlines the scale. ShinyHunters' May 2026 breach of Instructure's Canvas platform — two separate intrusions within ten days, exploiting cross-site scripting vulnerabilities (flaws that allow attackers to inject malicious code through a trusted application's interface) in Free-for-Teacher accounts — exposed 275 million users across 8,809 educational institutions and exfiltrated 3.6 terabytes of student records. Prior confirmed victims include Carnival (6 million passengers) and ADT (5.5 million customers). As of June 18, 2026, the group claims approximately 1.8 billion total records stolen since 2019 across more than 1,000 organizations.

Blast Radius — B2B Is Not the Safe Harbor Teams Assume

Here is where conventional risk framing breaks down. Kodak derives roughly 68% of its Q1 2026 print business revenues from B2B customers — commercial printers, manufacturers, enterprise partners — not individual consumers. That concentration leads many security teams to treat a B2B breach as lower-consequence: fewer consumer notification obligations, muted press coverage, smaller regulatory exposure. That assumption deserves scrutiny.

Chart: Average Data Breach Cost, Global vs. US (2026). As of June 18, 2026, the US average data breach cost ($10.22M) is more than double the global average ($4.44M), reflecting higher regulatory and litigation exposure for US-based organizations.

For a B2B manufacturer, breach damage lands differently than for a consumer retailer — but it lands just as hard. Corporate procurement PII, supplier pricing structures, contract terms, and internal financial data are precisely the records that enable business email compromise (BEC — fraudulent communications impersonating executives or vendors to redirect payments) and targeted spear-phishing campaigns against Kodak's enterprise client base. Centrella frames this directly: organizations must treat "data exposure as an operational risk, not just a privacy issue," noting that even when manufacturing operations remain unaffected, threats to publish customer and corporate data create what he characterizes as "legal, reputational, and customer trust consequences." B2B trust is slow to build and fast to erode.

The macro numbers provide the wider frame. As of June 18, 2026, global cybercrime costs are projected at $10.8 trillion for the year, with ransomware and extortion damage specifically forecast at $74 billion annually. Ransomware now accounts for 44% of all data breaches, up from 32% the prior year — and 70% of those cases now deploy double extortion (encrypting systems AND threatening data publication simultaneously). ShinyHunters has stripped away the encryption step entirely, running pure data extortion at industrial scale. The leverage is informational rather than operational, which means traditional ransomware recovery playbooks — isolate, restore from backup, remediate — do not apply.

The Defense Stack Against Pure Data Extortion

When the attacker already holds the data and is threatening publication, the defensive priorities shift. There are three layers that need to be in place before a countdown clock appears on a dark web forum.

Technology control: Privileged access management (PAM — tools that restrict and audit which accounts can reach sensitive systems) and data loss prevention (DLP — monitoring that flags unusual bulk data transfers before they complete) together form the first detection layer. ShinyHunters' documented focus on Salesforce integrations and enterprise cloud APIs means that any unmonitored application programming interface connection between a CRM and a third-party vendor is a potential exfiltration path. Behavior-based monitoring systems that analyze data movement patterns in real time are now catching exfiltration attempts that signature-based tools miss — this is the AI-powered SOC (Security Operations Center) in practice.

Process control: Incident response plans need a dedicated playbook for extortion-without-encryption scenarios. Standard IR runbooks default to ransomware recovery procedures that simply don't map to this threat model. A functional extortion-specific playbook covers: legal hold initiation, FBI IC3 notification (the Bureau specifically tracks ShinyHunters activity), pre-approved customer notification language, and clear escalation criteria for law enforcement engagement. The group's five-year operational history — including the January 2024 federal sentencing of linked member Sébastien Raoult to three years in prison for wire fraud conspiracy and aggravated identity theft — means law enforcement engagement here has demonstrable precedent.

People layer: ShinyHunters members have weaponized AI specifically for social engineering, abusing voice AI platforms to power phishing agents that dynamically adjust their narratives during live phone calls, adapting in real time to how a target responds. This is not a theoretical future threat. The AI-versus-AI arms race is active. As the AI Shield Daily analysis of MCP governance gaps examined, the same AI tooling enabling enterprise productivity also opens novel attack surfaces when access controls aren't properly scoped. Security awareness training (the ongoing education of staff to recognize and report attacks) needs to address AI-enhanced voice phishing explicitly — not only email-based threats.
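To make the technology control concrete, here is an added example (not from the article or any vendor) of behavior-based detection: each API client is compared against its own export history, and a client with no history is held to an absolute cap. The log layout, client names, and thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed daily export totals per API client. The log layout and client
# names are assumptions for this example, not any vendor's format.
LOG = """\
2026-06-01 client=marketing-sync rows=1180
2026-06-02 client=marketing-sync rows=1240
2026-06-03 client=marketing-sync rows=1105
2026-06-04 client=marketing-sync rows=1310
2026-06-05 client=marketing-sync rows=1275
2026-06-08 client=marketing-sync rows=412000
2026-06-09 client=marketing-sync rows=1190
2026-06-01 client=erp-connector rows=5000
2026-06-02 client=erp-connector rows=5200
2026-06-03 client=erp-connector rows=4900
2026-06-04 client=erp-connector rows=5100
2026-06-05 client=erp-connector rows=5050
2026-06-08 client=erp-connector rows=6900
2026-06-08 client=survey-widget rows=95000
"""

def parse(log):
    for line in log.strip().splitlines():
        day, client, rows = line.split()
        yield day, client.split("=", 1)[1], int(rows.split("=", 1)[1])

def flag_bulk_reads(log, k=8.0, min_history=5, cold_start_cap=10_000):
    """Return (day, client, rows, reason) for days that break a client's own baseline."""
    history = defaultdict(list)  # client -> earlier daily totals judged normal
    alerts = []
    for day, client, rows in sorted(parse(log)):
        past = history[client]
        if len(past) < min_history:  # no baseline yet: absolute cap only
            if rows > cold_start_cap:
                alerts.append((day, client, rows, "no-baseline"))
                continue
        else:
            med = median(past)
            mad = median(abs(x - med) for x in past)
            # Floor the spread at 10% of the median so steady clients stay quiet.
            if rows > med + k * max(mad, 0.1 * med):
                alerts.append((day, client, rows, "above-baseline"))
                continue  # keep the outlier out of the baseline
        past.append(rows)
    return alerts

if __name__ == "__main__":
    print(flag_bulk_reads(LOG))
```

The ordinary rise for `erp-connector` passes, while the bulk read by a known client and the large read by a never-seen client are both reported.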

Ship This Control Today

One action. Not a checklist of thirty.

Pull a complete inventory of every third-party API integration connected to your CRM and cloud data platforms — today. For each integration, document who authorized it, when it was last reviewed, what data it can access, and whether permissions can be scoped down or revoked without breaking a core workflow. ShinyHunters' documented attack pattern runs directly through these overlooked connections. If your Salesforce instance has eight integrations and your security team can name four of them from memory, the remaining four represent your blast radius. As of June 18, 2026, third-party breach pathways account for 30% of all incidents — double the prior year's figure. That trajectory is not self-correcting.

This is unglamorous work. It is also exactly the "overlooked business system" audit that separates organizations that detect an intrusion in progress from those that discover it through a dark web listing with a countdown timer attached.
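One way to turn that inventory into a ranked worklist, as an added example that is not part of the original article: it checks each integration for a recorded authorizer, a recent review, and access it holds but does not use. The column names, object names, the 180-day review window, and the use of "objects touched in the last 90 days" as a proxy for what a workflow needs are all assumptions.

```python
import csv
import io
from datetime import date

# Constructed inventory export. Column names, integration names and object
# names are assumptions for this example, not a real platform's schema.
INVENTORY = """\
name,authorized_by,last_reviewed,granted,used_90d
marketing-sync,j.alvarez,2026-03-02,Lead;Contact;Campaign,Lead;Campaign
survey-widget,,,Contact;Account;Opportunity;Case,Contact
erp-connector,m.chen,2025-01-15,Account;Order;Contract,Account;Order;Contract
legacy-dialer,p.singh,2026-05-20,Contact,
"""
SENSITIVE = {"Contact", "Contract", "Opportunity"}  # assumed to hold PII or pricing

def audit(inventory_csv, today, max_age_days=180):
    """Return (score, name, issues) per integration with findings, worst first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        granted = {x for x in row["granted"].split(";") if x}
        used = {x for x in row["used_90d"].split(";") if x}
        unused = granted - used
        issues = []
        if not row["authorized_by"]:
            issues.append("no recorded authorizer")
        if not row["last_reviewed"]:
            issues.append("never reviewed")
        elif (today - date.fromisoformat(row["last_reviewed"])).days > max_age_days:
            issues.append("review overdue")
        if not used:
            issues.append("unused: candidate for revocation")
        elif unused:
            issues.append("scope down: " + ",".join(sorted(unused)))
        # One point per issue, two more per unneeded sensitive object.
        score = len(issues) + 2 * len(unused & SENSITIVE)
        if issues:
            findings.append((score, row["name"], issues))
    return sorted(findings, key=lambda f: (-f[0], f[1]))

if __name__ == "__main__":
    for score, name, issues in audit(INVENTORY, date(2026, 6, 18)):
        print(score, name, "; ".join(issues))
```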

Frequently Asked Questions

What is the ShinyHunters hacker group and how do they operate?

ShinyHunters is a financially motivated threat actor group operating primarily through dark web forums and leak sites. Their method is pure data extortion: identify weakly secured enterprise platforms — particularly cloud CRMs, Salesforce integrations, and SaaS applications — exfiltrate data at scale, then post countdown timers threatening full publication unless the victim organization makes contact. As of June 18, 2026, the group has claimed approximately 1.8 billion total records stolen since 2019 across more than 1,000 organizations. The FBI Internet Crime Complaint Center issued PSA260515 in May 2026 specifically warning about the group's targeting of enterprise cloud applications. A linked member, French programmer Sébastien Raoult, was sentenced to three years in federal prison in January 2024 following his 2022 arrest for conspiracy to commit wire fraud and aggravated identity theft.

Should I be worried if my data was in the Kodak breach?

Direct consumer exposure is relatively limited given Kodak's B2B business model — 68% of its Q1 2026 revenues come from commercial and enterprise customers rather than individual consumers. The higher-risk population is Kodak's corporate client base: procurement contacts, partner personnel, and anyone whose business information appears in Kodak's enterprise systems. Those individuals should monitor for targeted phishing attempts, particularly phone-based approaches using AI-generated voices — ShinyHunters has a documented history of using AI voice phishing tools that adapt in real time to target responses. If you receive an unsolicited call from someone claiming to represent a known vendor or supplier in the coming weeks, verify through an independently sourced callback number.

How much does a data breach cost companies on average?

As of June 18, 2026, the global average cost of a confirmed data breach stands at $4.44 million, a 9% decrease from 2024 figures. US-based organizations face a considerably higher average of $10.22 million per breach, reflecting the country's more stringent regulatory notification requirements and litigation environment. For extortion-based breaches — where systems are not encrypted but data publication is threatened — the cost profile shifts toward legal response, regulatory notification, and reputational damage rather than IT recovery and system restoration. The absence of operational disruption does not reduce financial exposure; it redirects where the costs accumulate.

What should my organization do immediately if a vendor's data is stolen in a breach like this?

Incident response for pure data extortion diverges from standard ransomware recovery. The sequence that matters: (1) Engage legal counsel immediately to assess notification obligations under applicable state and federal breach notification laws. (2) Report to the FBI Internet Crime Complaint Center at ic3.gov — the Bureau actively tracks ShinyHunters and PSA260515 specifically covers this threat category. (3) Audit all third-party API integrations connected to the compromised system and revoke or restrict access for any that cannot be immediately validated as legitimate and necessary. (4) Prepare customer notification templates before they are needed — proactive, clear communication consistently reduces reputational damage more effectively than reactive disclosure. (5) Retain a cybersecurity incident response firm with dark web monitoring capability to track whether stolen data has been sampled or listed for sale.

Bottom line: My read on this incident is that Kodak is less the story than the confirmation it provides. Pure data extortion — steal, threaten, publish — has displaced encryption-based ransomware as the preferred leverage mechanism for sophisticated threat actors, because it removes the operational complexity of deploying and managing encryption while preserving the same financial pressure. Look at the trajectory here: 44% of all breaches now involve ransomware (up from 32% the prior year), 70% use double extortion, and ShinyHunters has simply stripped the encryption step out entirely. I'd argue any organization still treating "data breach" and "ransomware" as separate risk categories is modeling the wrong threat. The countdown clock on the dark web is the visible end of a failure chain that began months earlier with an unaudited API permission. The audit is the control worth shipping today.

Disclaimer: This article is for informational purposes only and does not constitute professional security consulting advice. Always consult with a qualified cybersecurity professional for your specific needs. Research based on publicly available sources current as of June 18, 2026.