The service Aman has been confirmed as the latest victim of the ShinyHunters extortion crew, with more than 200,000 user records dumped publicly after the organization reportedly refused to meet the group's ransom demands. The breach was surfaced through the Have I Been Pwned notification platform, which ingested the leaked dataset and began alerting affected subscribers.

What Happened

ShinyHunters executed a textbook "pay or leak" extortion play against Aman, exfiltrating a customer database and demanding payment under threat of public release. When the demand went unmet, the threat actors followed through and published the full dataset, which was subsequently indexed by Have I Been Pwned to allow affected users to check exposure. The incident continues a multi-year pattern of ShinyHunters targeting consumer-facing platforms, stealing identity-rich databases, and weaponizing public exposure as the coercion mechanism.

What Was Taken

The leaked corpus contains over 200,000 unique email addresses paired with a deeply identity-rich combination of attributes: full names, residential addresses, phone numbers, nationality, and VIP status flags. This is not a credential dump; it is a profile dump, the kind of data that fuels targeted phishing, SIM swap precursors, physical-world social engineering, and high-net-worth fraud. Have I Been Pwned reported that roughly 74 percent of the exposed addresses already appeared in prior breaches, signaling a heavily recycled victim pool that compounds downstream risk.

Why It Matters

ShinyHunters has matured into a data extortion operator rather than an opportunistic leaker, and the Aman incident demonstrates the operational model in its purest form: steal, demand, publish. The presence of VIP indicators in the dataset is particularly significant for defenders, because it gives downstream criminals a pre-segmented target list of high-value individuals suitable for spearphishing, account takeover, and physical risk scenarios. The high cross-breach reuse rate also means many of these identities are now embedded in long-tail criminal datasets, making remediation through password rotation alone insufficient.

The Attack Technique

Public reporting has not yet attributed a specific intrusion vector for the Aman compromise. ShinyHunters historically relies on stolen cloud credentials, exposed API keys, misconfigured storage buckets, and OAuth token abuse against SaaS environments to harvest customer databases at scale. Until Aman or an incident response partner publishes a post-incident report, the initial access vector should be treated as undetermined, though defenders should assume the playbook is consistent with prior ShinyHunters operations.

What Organizations Should Do

  1. Audit cloud storage, database, and SaaS tenants for exposed credentials, stale API keys, and OAuth grants that could enable bulk database export.
  2. Enforce phishing-resistant MFA on all administrative and developer accounts, with particular attention to identity providers and cloud consoles.
  3. Implement egress monitoring and anomaly detection on customer database queries, flagging large or unusual export volumes in near real time.
  4. Build and rehearse an extortion response playbook that includes legal, communications, and law enforcement engagement before a demand arrives.
  5. Notify users proactively when exposure is confirmed and force credential resets, session invalidation, and heightened phishing awareness for VIP-tier customers.
  6. Subscribe corporate domains to Have I Been Pwned's domain monitoring to detect employee and customer exposure tied to third-party breaches.
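As an added illustration of the export monitoring in item 3 (this is example code, not from the article, Aman, or Have I Been Pwned): a sliding-window check over constructed database audit lines that flags any principal whose rows returned from the customer table exceed a threshold inside a ten-minute window. The log format, principal names, table name and threshold are all assumptions.

```python
"""Flag bulk reads of a customer table from database audit logs (sliding window)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines (hypothetical format): timestamp principal table rows_returned
AUDIT_LOG = """\
2024-05-01T09:00:01Z svc-web customers 1
2024-05-01T09:00:05Z svc-web customers 1
2024-05-01T09:01:10Z analyst1 customers 250
2024-05-01T09:02:00Z svc-web customers 2
2024-05-01T09:05:30Z svc-web customers 1
2024-05-01T09:06:00Z api-key-7f3 customers 50000
2024-05-01T09:06:20Z api-key-7f3 customers 50000
2024-05-01T09:06:40Z api-key-7f3 customers 50000
2024-05-01T09:07:00Z api-key-7f3 customers 60000
"""

WINDOW = timedelta(minutes=10)      # assumed detection window
ROW_THRESHOLD = 100_000             # assumed rows-per-principal-per-window alert line

def parse(log_text):
    """Yield (timestamp, principal, table, rows) tuples from the audit text."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, principal, table, rows = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), principal, table, int(rows)

def detect_bulk_exports(log_text, table="customers", window=WINDOW, threshold=ROW_THRESHOLD):
    """Return [(principal, window_start, rows_in_window)] for each principal whose
    rows returned from `table` within any sliding `window` exceed `threshold`."""
    per_principal = defaultdict(list)
    for ts, principal, tbl, rows in parse(log_text):
        if tbl == table:
            per_principal[principal].append((ts, rows))
    alerts = []
    for principal, events in per_principal.items():
        events.sort()
        start, total = 0, 0
        for ts, rows in events:
            total += rows
            while ts - events[start][0] > window:   # slide the window forward
                total -= events[start][1]
                start += 1
            if total > threshold:
                alerts.append((principal, events[start][0], total))
                break   # one alert per principal is enough to page an analyst
    return alerts

if __name__ == "__main__":
    for principal, since, rows in detect_bulk_exports(AUDIT_LOG):
        print(f"ALERT bulk export: {principal} pulled {rows} rows since {since:%H:%M:%S}")
```

The per-principal steady traffic from the web service stays well under the line, while the API key that walks the whole table in four queries trips the alert on its third query.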

Sources: Massive Data Breach Exposes 200,000+ Users in ShinyHunters Extortion Attack - UNDERCODE NEWS