In March 2026, the extortion crew known as ShinyHunters claimed responsibility for exfiltrating a multi-terabyte trove of customer data from ZenBusiness, a U.S.-based business formation and compliance platform. After the company allegedly refused to pay a ransom, the group publicly dumped the corpus the following month. The leak surfaced on Have I Been Pwned in May 2026, exposing approximately 5,118,184 unique email addresses alongside names and phone numbers depending on the source system.

What Happened

ShinyHunters approached ZenBusiness in March 2026 with proof-of-life samples and an extortion demand, claiming to have siphoned data from the company's Snowflake data warehouse, Mixpanel product analytics platform, and Salesforce CRM environment. When ZenBusiness reportedly declined to engage with the ransom terms, the actor followed through on its threat in April 2026 by releasing the full collection publicly. The dump spanned thousands of files and many terabytes, reflecting an end-to-end view of customer-facing operations rather than a single isolated database.

What Was Taken

The released corpus contained roughly 5 million unique email addresses, frequently paired with full names and phone numbers depending on the originating file. The leaked material spanned multiple business functions consistent with the implicated SaaS platforms: marketing leads from Salesforce, behavioral and product telemetry from Mixpanel, and warehoused records from Snowflake. Customer support tickets and broader CRM-related artifacts were also reported in the corpus. The volume and breadth point to bulk export rather than narrow record-level theft.

Why It Matters

ZenBusiness serves entrepreneurs and small business owners forming LLCs, handling registered agent services, and managing compliance filings. Its customer base is therefore a high-value target list for business email compromise, invoice fraud, and impersonation of state filing agencies. The combination of verified email, phone, and name at this scale dramatically lowers the cost of credible spear-phishing against newly formed entities, which are often most vulnerable in their first months of operation. The incident also reinforces a 2024 to 2026 pattern in which ShinyHunters concentrates on SaaS aggregation points rather than perimeter intrusion of corporate networks.

The Attack Technique

While ZenBusiness has not publicly confirmed the intrusion vector, the named platforms align closely with ShinyHunters' established 2024 to 2025 tradecraft. The group has historically obtained valid credentials through infostealer logs, then pivoted into customer tenants of Snowflake, Salesforce, and similar SaaS providers that lacked enforced multi-factor authentication. Mixpanel access typically follows the same pattern: stolen service account or analyst credentials granting bulk export of event data. Cross-platform exposure of overlapping customer data through three separate SaaS tenants is a strong indicator of credential-based access to integrated business systems rather than exploitation of a single vulnerability.

What Organizations Should Do

  1. Enforce phishing-resistant MFA across every Snowflake, Salesforce, and Mixpanel account, with no exemptions for service or analyst accounts.
  2. Audit SaaS tenant logs for the past 90 days for anomalous bulk exports, large query result sizes, and access from unfamiliar ASN or geolocation.
  3. Rotate API tokens, OAuth integrations, and any long-lived credentials touching Snowflake, Mixpanel, or Salesforce, and migrate to short-lived federated tokens where supported.
  4. Deploy infostealer monitoring against corporate domains and personal devices used for SaaS access, and force credential resets on any hits.
  5. Notify ZenBusiness customers in your downstream user base who may now face targeted phishing referencing their LLC formation, registered agent, or compliance filings.
  6. Add detection rules for SaaS data exfiltration behaviors using native logging such as Snowflake Access History, Salesforce Event Monitoring, and Mixpanel audit logs.
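
One way to run the 90-day audit in step 2 and seed the detection rules in step 6, as an added example that is not from the original article. It assumes export records from Snowflake, Salesforce or Mixpanel audit logs have already been normalized into a hypothetical tuple schema; the function name, thresholds and sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed sample records in an assumed normalized schema:
# (ISO timestamp, account, platform, bytes_returned, source_asn)
# ASNs come from the documentation range 64496-64511 (RFC 5398).
SAMPLE_EVENTS = [
    ("2026-01-12T09:10:00", "svc_etl", "snowflake", 50_000_000, 64500),
    ("2026-01-20T09:12:00", "svc_etl", "snowflake", 55_000_000, 64500),
    ("2026-02-03T09:11:00", "svc_etl", "snowflake", 48_000_000, 64500),
    ("2026-03-02T03:40:00", "svc_etl", "snowflake", 900_000_000_000, 64511),
    ("2026-01-15T14:00:00", "analyst_a", "mixpanel", 2_000_000, 64501),
    ("2026-02-18T15:30:00", "analyst_a", "mixpanel", 3_000_000, 64501),
    ("2026-03-05T16:00:00", "analyst_a", "mixpanel", 2_500_000, 64502),
]

def audit_exports(events, now, window_days=90, recent_days=30,
                  ratio=20, floor_bytes=1_000_000_000):
    """Flag recent exports that dwarf the account's median or use a new ASN."""
    start = now - timedelta(days=window_days)
    recent_start = now - timedelta(days=recent_days)
    by_account = defaultdict(list)
    for ts, account, platform, size, asn in events:
        when = datetime.fromisoformat(ts)
        if start <= when <= now:
            by_account[account].append((when, platform, size, asn))

    findings = []
    for account, rows in sorted(by_account.items()):
        # Median is robust to the outlier export we are trying to find.
        typical = median(size for _, _, size, _ in rows)
        # ASNs seen before the recent period form the account's baseline;
        # an account with no baseline has every recent ASN flagged.
        known_asns = {asn for when, _, _, asn in rows if when < recent_start}
        for when, platform, size, asn in sorted(rows):
            if when < recent_start:
                continue
            reasons = []
            if size >= max(floor_bytes, ratio * typical):
                reasons.append("bulk_export")
            if asn not in known_asns:
                reasons.append("unfamiliar_asn")
            if reasons:
                findings.append((account, platform, when.isoformat(), reasons))
    return findings

if __name__ == "__main__":
    for finding in audit_exports(SAMPLE_EVENTS, datetime(2026, 3, 31)):
        print(finding)
```

The absolute floor keeps low-volume accounts from alerting on small relative jumps; tune both thresholds against each platform's normal export sizes before alerting on them.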

Sources: ZenBusiness - 5,118,184 breached accounts - IT Security News