▣ Breach KODAK-SHINYHUNTERS 2026-06-15

Eastman Kodak: ShinyHunters Pay or Leak Extortion

The ShinyHunters extortion gang on Monday claimed it stole more than 2.2 million customer and corporate records from Eastman Kodak, naming the nearly 150-year-old American imaging company as the latest target in its ongoing "pay or leak" campaign. The group posted Kodak to its dark web leak site with a final warning to make contact by June 18, 2026, or see its data published. As of this reporting, Kodak has not publicly acknowledged any breach, and ShinyHunters has not posted proof samples to support the claim.

What Happened

ShinyHunters added Eastman Kodak to its leak blog on Monday, accompanied by a countdown-style ultimatum typical of the gang's recent operations. "This is a final warning to reach out by 18 June 2026 before we leak along with several annoying (digital) problems that'll come your way," the group wrote, language that hints at follow-on harassment or disruption beyond simple data publication.

The upstate New York-based company has not confirmed any intrusion into its networks in recent weeks. Cybernews reports it has contacted Kodak for comment. The absence of posted proof samples means the 2.2 million figure remains an unverified claim, a pattern the gang has used before to pressure victims into early negotiation.

Kodak, which filed for bankruptcy in 2012 and restructured into a primarily business-to-business technology and manufacturing firm, now operates across commercial digital printing, motion picture and still film manufacturing, advanced chemicals for pharmaceuticals and batteries, and brand licensing. That B2B footprint means any stolen "customer" records may include corporate partner and client data, not just consumer information.

What Was Taken

ShinyHunters alleges it exfiltrated "over 2.2 million records containing customer PII and other internal corporate data." No breakdown of specific data fields has been provided, and no sample has been released to validate the scope or sensitivity.

Based on the gang's documented behavior with other victims, the data set could plausibly include names, contact details, account information, and internal business documents. Given Kodak's B2B orientation, exposure of corporate client records, contracts, or transactional data may carry as much risk as consumer PII. Until proof emerges or Kodak confirms an incident, the volume and contents should be treated as a claim rather than an established fact.

Why It Matters

This claim does not stand alone. ShinyHunters has been working through hundreds of high-profile corporate victims since last September, with most tied to a worldwide campaign exploiting more than 1.5 million records from misconfigured Salesforce instances. In June, the gang has also been exploiting a critical zero-day in Oracle PeopleSoft software.

The Kodak listing arrived alongside a burst of other claims. In the past week the gang has named Madison Square Garden with 26 million records, fashion house Ralph Lauren with 220 GB of customer PII and transaction data, and JCPenney with records containing Social Security numbers, W-2 tax forms, and government ID scans. Also posted Monday were Sysco Corporation, with more than 61 million alleged Salesforce records, and Houston City College in Texas.

The pace signals a high-volume, repeatable playbook rather than bespoke targeting. Defenders at organizations using Salesforce, Oracle PeopleSoft, or similar SaaS and enterprise platforms should assume they are inside the gang's addressable target set.

The Attack Technique

The specific entry vector into Kodak has not been disclosed by the gang or confirmed by the company. However, ShinyHunters' recent operations cluster around two repeatable methods: large-scale abuse of misconfigured Salesforce instances and exploitation of a critical zero-day in Oracle PeopleSoft.

The gang's broader tradecraft has historically combined social engineering, OAuth and connected-app abuse, and credential theft to reach cloud-hosted data stores, then bulk exfiltration followed by extortion without deploying traditional file-encrypting malware. The "pay or leak" model relies on data theft leverage rather than system encryption, which lowers operational complexity and accelerates the time from intrusion to extortion notice.

What Organizations Should Do

  1. Audit Salesforce and SaaS configurations. Review connected apps, OAuth tokens, API access, and guest or community user permissions for misconfigurations that expose bulk data.
  2. Patch Oracle PeopleSoft immediately. Apply vendor fixes for the actively exploited zero-day and inventory all internet-facing PeopleSoft and ERP assets.
  3. Enforce phishing-resistant MFA. Require hardware-backed or passkey-based authentication on administrative and SaaS accounts to blunt credential theft and social engineering.
  4. Monitor for bulk data egress. Alert on anomalous API queries, mass record exports, and unusual data access volumes that signal exfiltration in progress.
  5. Rehearse extortion response. Prepare legal, communications, and incident response playbooks for pay-or-leak scenarios, including handling of unverified claims and breach disclosure obligations.
  6. Hunt for prior compromise. Assume the listing may reflect access obtained weeks ago and review logs for historical signs of token abuse or anomalous logins.
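
A minimal sketch of the bulk-egress alerting in item 4, added here as an example and not taken from the source reporting or from any vendor tooling. The log schema (timestamp, principal, client app, rows returned), the names and the thresholds are constructed assumptions; map them to whatever your SaaS audit or API logs actually provide.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample events (hypothetical schema): time, principal, client app, rows returned.
SAMPLE_EVENTS = """\
2026-06-01T09:05:00 alice crm-ui 120
2026-06-01T10:10:00 alice crm-ui 200
2026-06-01T11:20:00 alice crm-ui 150
2026-06-01T13:02:00 alice crm-ui 180
2026-06-01T14:01:00 alice crm-ui 24000
2026-06-01T14:30:00 alice crm-ui 24000
2026-06-01T09:00:00 bob report-job 2000
2026-06-01T10:00:00 bob report-job 2100
2026-06-01T11:00:00 bob report-job 1900
2026-06-01T12:00:00 bob report-job 2050
2026-06-01T13:00:00 bob report-job 9000
2026-06-01T14:45:00 carol new-connector 60000
"""

def hourly_volumes(lines):
    """Sum rows returned per (principal, app) for each clock hour."""
    buckets = defaultdict(lambda: defaultdict(int))
    for line in lines:
        if not line.strip():
            continue
        ts, principal, app, rows = line.split()
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
        buckets[(principal, app)][hour] += int(rows)
    return buckets

def find_bulk_egress(lines, ratio=10, floor=5000, min_history=3):
    """Flag hours whose volume exceeds both `floor` and `ratio` x the pair's
    median over earlier hours. With fewer than `min_history` earlier hours there
    is no baseline, so the floor alone decides (covers a first-seen app)."""
    alerts = []
    for (principal, app), hours in hourly_volumes(lines).items():
        history = []
        for hour in sorted(hours):
            rows = hours[hour]
            baseline = ratio * median(history) if len(history) >= min_history else 0
            if rows > max(floor, baseline):
                alerts.append((principal, app, hour.isoformat(), rows))
            else:
                history.append(rows)  # flagged hours never inflate the baseline
    return sorted(alerts, key=lambda a: (a[2], a[0]))
```

In the constructed data, the heavy but consistent report job is not flagged, while the sudden export through an established app and the first-seen connector both are.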

Sources: Kodak hit with ShinyHunters leak threat as gang claims 2.2M records