Kodak, the imaging company that emerged from 2013 bankruptcy to reinvent itself as a commercial printing and materials science firm, has confirmed a data breach claimed by the extortion group ShinyHunters. On June 15, 2026, ShinyHunters listed Kodak on its dark web leak site, claiming it had stolen 2.2 million records containing customer personally identifiable information (PII) and internal corporate data. Three days later, on June 18, Kodak confirmed unauthorized access by a third party but characterized the exposure as "a limited amount of company data" — wording that sits in sharp contrast to the attacker's 2.2 million record claim.
What Happened
ShinyHunters published its Kodak listing on June 15, 2026, and set a June 18 deadline for payment. The group released no proof samples alongside the listing, consistent with its standard playbook of using the deadline itself as leverage rather than publishing verifiable evidence of scope.
Kodak confirmed the breach on June 18, the same day the deadline expired. The company acknowledged that an "unauthorized third party" had accessed its systems but declined to confirm the 2.2 million figure, the categories of customer data affected, or the number of customers impacted. The result is a familiar information asymmetry: the attacker asserts scale while the victim concedes that something happened without quantifying the damage, leaving customers and security researchers unable to independently assess severity.
What Was Taken
ShinyHunters claims 2.2 million records consisting of customer PII and internal corporate data. Because the group withheld sample data, the specific fields — names, email addresses, postal addresses, order histories, or payment-related information — cannot be independently verified at this time.
Kodak's confirmation did not break down which data categories were touched. Until the company issues a more specific disclosure, customers who have purchased Kodak products or services, including Kodak Moments photo printing customers, should treat their account data as potentially exposed. Photo printing and imaging services typically tie customer accounts to contact details, order records, and in some cases stored payment tokens, which raises the stakes for affected individuals.
Why It Matters
This breach is one entry in an aggressive 2026 campaign by ShinyHunters. In this year alone the group has claimed major intrusions at Charter Communications (42 million alleged records), Oracle PeopleSoft (affecting 100-plus companies), and Instructure Canvas (9,000-plus educational institutions). Kodak now joins that list.
For defenders, the pattern matters more than any single victim. ShinyHunters has industrialized extortion: list the target, set a short clock, withhold proof, and rely on the uncertainty to pressure victims and their cyber insurers into paying. The gap between an attacker's seven-figure record claim and a victim's "limited data" statement is now a recurring feature of breach disclosures, and it complicates risk assessment for downstream organizations and individuals trying to gauge their own exposure.
The Attack Technique
Kodak has not disclosed an initial access vector, and ShinyHunters has not described one publicly. Based on the group's documented history across 2025 and 2026, its intrusions have frequently relied on credential theft, abuse of exposed or misconfigured cloud and SaaS data stores, and access to enterprise platforms such as PeopleSoft and Salesforce-adjacent ecosystems.
The operational hallmark here is the extortion methodology rather than a novel exploit: publish a leak-site listing, demand payment for deletion, set a 72-hour-to-one-week deadline, and deliberately suppress proof samples so the threat of publication does the coercive work. The Kodak timeline — June 15 listing, June 18 deadline, confirmation on the deadline date — matches this template precisely.
What Organizations Should Do
- Rotate credentials and enforce phishing-resistant multi-factor authentication across all enterprise SaaS, ERP, and cloud platforms, prioritizing systems like PeopleSoft and CRM tools that ShinyHunters has repeatedly targeted.
- Audit third-party and vendor data stores for exposed or misconfigured access, and confirm that customer PII repositories are encrypted at rest and segmented from broader corporate networks.
- Hunt for indicators of unauthorized bulk data access and exfiltration, focusing on anomalous query volumes, unusual API activity, and large outbound transfers.
- Pre-establish an extortion response plan that does not hinge on the presence of proof samples, including legal, regulatory disclosure, and insurer coordination steps.
- Brief customers and staff to expect targeted phishing that references Kodak or imaging services, and warn them not to act on unsolicited "breach notification" messages outside official channels.
- Kodak Moments and other Kodak customers should monitor financial and email accounts, watch for credential-stuffing attempts, and treat any breach-themed outreach as potentially fraudulent until verified.