[{"data":1,"prerenderedAt":157},["ShallowReactive",2],{"article-slug-shinyhunters-ransomware-claims-attacks-on-zara-and-aman-resorts":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":36,"sources":37,"events":47,"mitre_techniques":57,"mitre_mitigations":77,"d3fend_countermeasures":114,"iocs":128,"cyber_observables":129,"tags":145,"extract_datetime":148,"article_type":149,"impact_scope":150,"pub_date":41,"reading_time_minutes":156,"createdAt":148,"updatedAt":148},"59f499f0-0aae-46a9-951e-a79f55e9f957","shinyhunters-ransomware-claims-attacks-on-zara-and-aman-resorts","Shinyhunters Ransomware Targets Zara and Aman Resorts with Data Theft Claims","Shinyhunters Ransomware Group Claims Attacks on Zara and Aman Resorts, Threatens Data Leak","The Shinyhunters ransomware group has resurfaced, claiming responsibility for cyberattacks against luxury hotel chain Aman Resorts and global fashion retailer Zara. On April 19, 2026, the group alleged it had stolen over 500,000 Salesforce records containing PII from Aman Resorts and compromised Zara's Google BigQuery data, attributing the latter to a vulnerability in the Anodot.com platform. Shinyhunters has issued a 'Pay or Leak' ultimatum to both companies, setting an April 21 deadline to establish contact before the allegedly stolen data is published. These claims, if verified, represent significant data breaches at two major international brands.","## Executive Summary\nThe ransomware group **Shinyhunters** has claimed responsibility for significant data breaches at two prominent international companies: luxury hotel operator **[Aman Resorts](https://www.aman.com)** and fashion giant **[Zara](https://www.zara.com)**. In posts made on April 19, 2026, the group asserted it had exfiltrated sensitive data from both organizations and issued a public ultimatum. 
For Aman Resorts, Shinyhunters claims to possess 500,000 customer records from a compromised **[Salesforce](https://www.salesforce.com)** instance. For Zara, the group alleges access to the company's **[Google BigQuery](https://cloud.google.com/bigquery)** data, reportedly gained via a vulnerability in the **Anodot.com** business intelligence platform. The threat actor has set a deadline of April 21, 2026, for both companies to negotiate, threatening to leak the stolen data and cause further digital disruption if their demands are not met. These incidents highlight the continued threat of data extortion attacks against high-profile consumer brands.\n\n## Threat Overview\nShinyhunters is a known threat actor with a history of data breaches and extortion, although their recent activity has been less frequent. These new claims suggest a resurgence of the group or an actor using their name. The attacks appear to be financially motivated and follow a data-theft extortion model: the claims describe exfiltrated data and a leak deadline used as leverage, and no encryption of victim systems is mentioned, so the 'ransomware' label here refers to the extortion, not to a file-encrypting payload.\n\n-   **Attack on Aman Resorts:** The group claims to have targeted Aman Resorts' Salesforce environment, a common repository for sensitive customer data, including Personally Identifiable Information (PII). The exfiltration of 500,000 records, if true, represents a major breach of customer privacy for the high-end hotel chain.\n-   **Attack on Zara:** The claimed compromise of Zara's Google BigQuery data warehouse suggests a breach of a critical data analytics and business intelligence system. 
Shinyhunters implicates a third-party platform, Anodot.com, as the entry point, pointing towards a potential supply chain vector or a vulnerability in an integrated service.\n\nThe group's TTPs in this case are centered on data theft ([`T1530 - Data from Cloud Storage Object`](https://attack.mitre.org/techniques/T1530/)) and public extortion via a leak site, a hallmark of many ransomware and data extortion gangs.\n\n## Technical Analysis\nWhile specific technical details of the intrusions are not available, the claims allow for some analysis based on the targeted platforms.\n\n-   **Salesforce Compromise (Aman Resorts):** Access to a Salesforce instance could be achieved through several methods, including: \n    -   Phishing for employee credentials ([`T1566 - Phishing`](https://attack.mitre.org/techniques/T1566/)).\n    -   Exploiting misconfigured permissions or public-facing Salesforce sites.\n    -   Using stolen session cookies or tokens ([`T1539 - Steal Web Session Cookie`](https://attack.mitre.org/techniques/T1539/)).\n    -   Compromise or abuse of a connected third-party application with excessive permissions, for example an OAuth connected app (such as a data-loader tool) that an employee is socially engineered into authorizing; once authorized, the app's token is used without the user's password or MFA being challenged again.\n-   **BigQuery Compromise (Zara):** Access to Google BigQuery would likely require compromised Google Cloud Platform (GCP) credentials, most plausibly the service account (or an exported JSON key for it) that a BI integration uses to read the datasets. The attackers' claim implicating Anodot.com suggests they may have exploited a vulnerability in that platform to steal service account keys or user credentials that had access to Zara's BigQuery datasets ([`T1078.004 - Valid Accounts: Cloud Accounts`](https://attack.mitre.org/techniques/T1078/004/)).\n\nThe overall strategy is Data from Information Repositories ([`T1213`](https://attack.mitre.org/techniques/T1213/)) followed by exfiltration. In SaaS and cloud data theft the data normally leaves through the platform's own API, report-export or query interface using the stolen identity, not through a separate attacker channel, so Data Exfiltration over C2 Channel ([`T1041`](https://attack.mitre.org/techniques/T1041/)) is a loose fit here and detection has to rely on the platforms' own audit logs rather than on network C2 signatures.\n\n## Impact Assessment\nIf the claims are substantiated, the impact on both companies would be severe.\n-   **Aman Resorts:** The theft of 500,000 PII records from a luxury brand that caters to a wealthy clientele could lead to significant reputational damage, regulatory fines under GDPR and other privacy laws, and potential targeted attacks against its customers.\n-   **Zara:** The compromise of a BigQuery data warehouse could expose sensitive business intelligence, sales data, customer analytics, and internal corporate information. This could impact competitive advantage and strategic planning.\n-   **For both companies:** The public nature of the extortion demand creates immediate brand damage and pressure from customers and regulators. The incidents will necessitate costly forensic investigations, legal counsel, and potential credit monitoring services for affected individuals.\n\n## IOCs\nNo specific IOCs were provided in the source articles.\n\n## Detection & Response\n**Detection Strategies:**\n1.  **Cloud Security Posture Management (CSPM):** For the BigQuery incident, a CSPM tool could have detected misconfigurations, public-facing datasets, overly permissive IAM roles, or long-lived user-managed keys associated with service accounts like the one potentially used by Anodot.com.\n2.  
**SaaS Security Monitoring:** For the Salesforce incident, organizations need tools that monitor for anomalous activity within SaaS platforms, such as mass data exports, unusual user login locations, or permission escalations. This is a form of **[Cloud Activity Log Analysis](https://d3fend.mitre.org/technique/d3f:CloudActivityLogAnalysis)**.\n3.  **Data Loss Prevention (DLP):** Monitoring for large-scale data exfiltration from cloud environments. DLP solutions can be configured to alert when a volume of data exceeding a certain threshold is moved out of the corporate cloud environment. This is related to **[User Data Transfer Analysis (D3-UDTA)](https://d3fend.mitre.org/technique/d3f:UserDataTransferAnalysis)**.\n\n**Response Actions:**\n-   Both companies should immediately launch an internal investigation, with the help of third-party experts, to validate the attackers' claims.\n-   If claims are credible, identify and contain the access vector, revoking compromised credentials and severing malicious connections.\n-   Notify relevant data protection authorities and law enforcement as required by law.\n-   Prepare for public communication and customer notification.\n\n## Mitigation\n-   **Multi-Factor Authentication (MFA):** Enforce MFA on all accounts, especially for critical cloud and SaaS platforms like Salesforce and Google Cloud Platform (**[M1032 - Multi-factor Authentication](https://attack.mitre.org/mitigations/M1032/)**).\n-   **Third-Party Application Auditing:** Regularly audit all third-party applications connected to core systems (like Salesforce AppExchange apps or services with GCP access). Ensure they operate under the principle of least privilege (**[M1054 - Software Configuration](https://attack.mitre.org/mitigations/M1054/)**).\n-   **Cloud IAM Best Practices:** Implement strict Identity and Access Management (IAM) policies in cloud environments. 
Avoid long-lived static credentials such as downloaded service-account JSON keys: on GCP, give third-party integrations access through Workload Identity Federation or short-lived tokens, grant service accounts dataset-level roles (for example `roles/bigquery.dataViewer` on the specific datasets the integration needs rather than a project-wide role), and enforce the `constraints/iam.disableServiceAccountKeyCreation` organization policy so that keys cannot be minted in the first place. A key that is never created cannot be stolen from a compromised vendor.\n-   **Data Classification and Encryption:** Classify data based on sensitivity and ensure that the most critical information is encrypted at rest and in transit, with tightly controlled access policies (**[M1041 - Encrypt Sensitive Information](https://attack.mitre.org/mitigations/M1041/)**).","Shinyhunters ransomware group is back, claiming major data breaches at fashion retailer Zara and luxury hotel chain Aman Resorts. 🏨 The group alleges theft of Salesforce & BigQuery data, issuing a 'Pay or Leak' ultimatum. #Ransomware #DataBreach #Shinyhunters","The Shinyhunters ransomware group claims cyberattacks on Zara and Aman Resorts, alleging the theft of over 500,000 Salesforce records and compromised BigQuery data. A 'Pay or Leak' deadline has been set.",[13,14,15],"Ransomware","Data Breach","Threat Actor","high",[18,21,25,28,30,34],{"name":19,"type":20},"Shinyhunters","threat_actor",{"name":22,"type":23,"url":24},"Aman Resorts","company","https://www.aman.com",{"name":26,"type":23,"url":27},"Zara","https://www.zara.com",{"name":29,"type":23},"Anodot.com",{"name":31,"type":32,"url":33},"Salesforce","product","https://www.salesforce.com",{"name":35,"type":32},"Google BigQuery",[],[38,44],{"url":39,"title":40,"date":41,"friendly_name":42,"website":43},"https://ransomware.live/victim/aman-com/","Victim: Aman Resorts (aman.com)","2026-04-19","Ransomware.live","ransomware.live",{"url":45,"title":46,"date":41,"friendly_name":42,"website":43},"https://ransomware.live/victim/zara-com/","Victim: Zara (zara.com)",[48,51,54],{"datetime":49,"summary":50},"2026-04-18T00:00:00Z","Estimated date of the attacks on Aman Resorts and Zara, according to Shinyhunters' claim.",{"datetime":52,"summary":53},"2026-04-19T00:00:00Z","Shinyhunters posts claims of the breaches on their leak site.",{"datetime":55,"summary":56},"2026-04-21T00:00:00Z","Deadline set by 
Shinyhunters for the companies to make contact.",[58,62,66,69,73],{"id":59,"name":60,"tactic":61},"T1530","Data from Cloud Storage Object","Collection",{"id":63,"name":64,"tactic":65},"T1078.004","Valid Accounts: Cloud Accounts","Defense Evasion",{"id":67,"name":68,"tactic":61},"T1213","Data from Information Repositories",{"id":70,"name":71,"tactic":72},"T1041","Data Exfiltration Over C2 Channel","Exfiltration",{"id":74,"name":75,"tactic":76},"T1566","Phishing","Initial Access",[78,87,96,105],{"id":79,"name":80,"d3fend_techniques":81,"description":85,"domain":86},"M1032","Multi-factor Authentication",[82],{"id":83,"name":80,"url":84},"D3-MFA","https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication","Enforce MFA on all cloud and SaaS platforms, especially for administrative accounts and those with access to sensitive data repositories like Salesforce and GCP.","enterprise",{"id":88,"name":89,"d3fend_techniques":90,"description":95,"domain":86},"M1035","Limit Access to Resource Over Network",[91],{"id":92,"name":93,"url":94},"D3-NI","Network Isolation","https://d3fend.mitre.org/technique/d3f:NetworkIsolation","Restrict access to sensitive data stores like BigQuery datasets to a limited set of internal IP addresses or through a VPN, reducing exposure from compromised third-party services.",{"id":97,"name":98,"d3fend_techniques":99,"description":104,"domain":86},"M1047","Audit",[100],{"id":101,"name":102,"url":103},"D3-DAM","Domain Account Monitoring","https://d3fend.mitre.org/technique/d3f:DomainAccountMonitoring","Implement continuous auditing of cloud and SaaS logs to detect anomalous activities such as mass data exports or unusual API access patterns.",{"id":106,"name":107,"d3fend_techniques":108,"description":113,"domain":86},"M1054","Software Configuration",[109],{"id":110,"name":111,"url":112},"D3-ACH","Application Configuration Hardening","https://d3fend.mitre.org/technique/d3f:ApplicationConfigurationHardening","Regularly review the permissions of 
third-party applications integrated with platforms like Salesforce and GCP, ensuring they adhere to the principle of least privilege.",[115,120,122],{"technique_id":116,"technique_name":117,"url":118,"recommendation":119,"mitre_mitigation_id":97},"D3-CASA","Cloud Activity and Security Analysis","https://d3fend.mitre.org/technique/d3f:CloudActivityandSecurityAnalysis","To defend against attacks targeting cloud data stores like Salesforce and BigQuery, organizations must implement robust Cloud Activity and Security Analysis. This involves centralizing and analyzing logs from all SaaS and IaaS platforms. For the Zara incident, this would mean ingesting Google Cloud Audit Logs into a SIEM and creating alerts for anomalous BigQuery activity; BigQuery Data Access audit logs are on by default (unlike most GCP services), and each completed job records the principal, the caller IP, the referenced tables and the bytes billed, which is enough to baseline a connector's normal footprint. For example, an alert should trigger if a service account associated with a third-party like Anodot suddenly queries an unusually large number of tables, bills far more bytes than usual, or is used from an IP range the vendor has never used before. Similarly, for the Aman Resorts breach, Salesforce Event Monitoring logs (`ReportExport`, Bulk API and `ApiTotalUsage` event types, which require the Event Monitoring add-on for most event types) should be analyzed for indicators like a single user account exporting an abnormally high number of reports or accessing records outside of normal business hours. By establishing a baseline of normal cloud activity, security teams can detect the subtle indicators of a data theft operation in progress and respond before hundreds of thousands of records are lost.",{"technique_id":83,"technique_name":80,"url":84,"recommendation":121,"mitre_mitigation_id":79},"The most fundamental defense against the account takeover that likely preceded these data thefts is the universal enforcement of Multi-factor Authentication (MFA). Both Aman Resorts and Zara should ensure that every human user with access to their Salesforce and Google Cloud environments is protected by MFA. MFA is a control for human identities: service accounts and OAuth connected apps cannot present a second factor, so for them the equivalent is keyless, short-lived authentication (such as Workload Identity Federation on GCP) combined with narrowly scoped permissions and regular review of which apps are authorized. Relying on just a username and password for systems containing hundreds of thousands of sensitive records is negligent. Implementing phishing-resistant MFA, such as FIDO2 security keys, provides the strongest protection against credential theft: even if an attacker manages to steal a user's password, they would be unable to access the cloud platforms without the physical second factor, stopping the attack chain at the initial access stage. MFA does not, however, close every vector listed in the analysis. A stolen session cookie or an OAuth connected app that a user was tricked into authorizing is used after the second factor has already been satisfied, so session-lifetime limits, connected-app allowlisting and the monitoring described above remain necessary alongside MFA.",{"technique_id":123,"technique_name":124,"url":125,"recommendation":126,"mitre_mitigation_id":127},"D3-UDTA","User Data Transfer Analysis","https://d3fend.mitre.org/technique/d3f:UserDataTransferAnalysis","User Data Transfer Analysis is a specific detection technique crucial for catching data exfiltration in progress. Security teams at companies like Zara and Aman Resorts should deploy tools that monitor the volume and flow of data leaving their cloud environments. For the Salesforce breach, this would involve setting thresholds for the number of records exported by a single user in a given timeframe. An alert would be generated if a user who normally exports 100 records per day suddenly exports 500,000. For the BigQuery breach, this would involve monitoring the egress data volume from the project, in practice derived from the bytes billed and caller IP recorded in the job audit entries, or blocked outright by a VPC Service Controls perimeter around the project. A sudden spike in data transfer from BigQuery to an external IP, especially one not on an allowlist, would be a strong indicator of theft. 
This technique moves beyond simple access logging to quantify data movement, providing a high-fidelity signal that a data breach is actively occurring.","M1040",[],[130,135,139],{"type":131,"value":132,"description":133,"context":134,"confidence":16},"log_source","Salesforce Event Monitoring","Monitor for anomalous 'ReportExport' or 'ApiTotalUsage' events, which could indicate mass data exfiltration from Salesforce.","SaaS Security Posture Management (SSPM) tools, SIEM.",{"type":131,"value":136,"description":137,"context":138,"confidence":16},"Google Cloud Audit Logs (BigQuery)","Look for unusual `google.cloud.bigquery.v2.JobService.InsertJob` or `TableDataService.List` API calls from unexpected service accounts or IP ranges.","Google Cloud console, SIEM.",{"type":140,"value":141,"description":142,"context":143,"confidence":144},"api_endpoint","Anodot.com API","Monitor for anomalous API activity or error rates from the Anodot platform, which was implicated as a potential vector.","Application logs, third-party integration monitoring.","low",[19,13,14,31,146,147],"BigQuery","Extortion","2026-04-19T15:00:00.000Z","NewsArticle",{"geographic_scope":151,"industries_affected":152,"people_affected_estimate":155},"global",[153,154],"Hospitality","Retail","500,000+ customer records",5,1776724716147]
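The Detection & Response section and the D3-CASA and D3-UDTA recommendations above describe baseline and threshold checks over Salesforce Event Monitoring and BigQuery audit logs. The script below is an added example, not part of the original article or of either vendor's tooling: it implements those checks over constructed sample records. The Salesforce rows follow the CSV shape and `yyyyMMddHHmmss.SSS` timestamp layout of EventLogFile, but `NUM_ROWS` is an assumed column; the BigQuery entries carry only the `protoPayload` fields the detection reads (`methodName`, `principalEmail`, `callerIp`, `referencedTables`, `totalBilledBytes`). The baselines, the business-hours window, the service-account name, the allowlisted CIDR and the thresholds are all assumptions a real deployment would tune.

```python
"""Baseline and threshold detections over Salesforce and BigQuery audit logs.
Added example, not from the original article. Field names are a simplified approximation
of Salesforce EventLogFile (CSV) and GCP BigQuery audit logs (JSON); all records are constructed."""
import csv
import io
import ipaddress
import json
from collections import defaultdict
from datetime import datetime

BUSINESS_HOURS_UTC = range(8, 18)  # assumption: 08:00-17:59 UTC is normal working time
INSERT_JOB = "google.cloud.bigquery.v2.JobService.InsertJob"

# Constructed ReportExport rows. TIMESTAMP uses the yyyyMMddHHmmss.SSS layout that
# EventLogFile emits; NUM_ROWS is an assumed column standing in for the export size.
SF_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,REPORT_ID,NUM_ROWS
ReportExport,20260418021500.000,005x0001,00Ox0A1,120
ReportExport,20260418021700.000,005x0001,00Ox0A2,200
ReportExport,20260418021900.000,005x0001,00Ox0A3,250000
ReportExport,20260418022100.000,005x0001,00Ox0A4,249500
ReportExport,20260418140000.000,005x0002,00Ox0A9,90
"""

def bq_entry(principal, ip, tables, billed_bytes):
    """One constructed audit-log line carrying only the protoPayload fields read below."""
    refs = ["projects/example-project/datasets/%s/tables/%s" % tuple(t.split(".")) for t in tables]
    return json.dumps({"protoPayload": {
        "methodName": INSERT_JOB,
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": ip},
        "metadata": {"jobChange": {"job": {"jobStats": {"queryStats": {
            "referencedTables": refs, "totalBilledBytes": str(billed_bytes)}}}}}}})

BI_SA = "bi-connector@example-project.iam.gserviceaccount.com"  # assumed BI-integration SA
BQ_LOG = "\n".join([
    bq_entry(BI_SA, "203.0.113.10", ["sales.orders", "sales.daily_summary"], 4 * 10**8),
    bq_entry(BI_SA, "198.51.100.23", ["sales.orders", "sales.customers", "crm.contacts", "crm.addresses",
                                      "loyalty.members", "finance.invoices", "hr.staff"], 12 * 10**9),
    bq_entry("unknown-sa@other-project.iam.gserviceaccount.com", "203.0.113.5", ["sales.orders"], 10**6),
])

def alert(source, reason, **fields):
    return {"source": source, "reason": reason, **fields}

def analyze_salesforce_exports(csv_text, baselines, multiplier=10, floor=1000):
    """Per user and UTC day: alert when exported rows exceed max(floor, multiplier * baseline),
    and when any export happens outside business hours (the D3-UDTA thresholds in the text)."""
    per_day = defaultdict(lambda: {"rows": 0, "off_hours": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EVENT_TYPE"] != "ReportExport":
            continue
        when = datetime.strptime(row["TIMESTAMP"].split(".")[0], "%Y%m%d%H%M%S")
        bucket = per_day[(row["USER_ID"], str(when.date()))]
        bucket["rows"] += int(row["NUM_ROWS"])
        bucket["off_hours"] += when.hour not in BUSINESS_HOURS_UTC  # bool counts as 0/1
    alerts = []
    for (user, day), b in per_day.items():
        limit = max(floor, multiplier * baselines.get(user, 0))
        if b["rows"] > limit:
            alerts.append(alert("salesforce", "volume_over_baseline", user=user, day=day, rows=b["rows"], limit=limit))
        if b["off_hours"]:
            alerts.append(alert("salesforce", "off_hours_export", user=user, day=day, exports=b["off_hours"]))
    return alerts

def analyze_bigquery_jobs(jsonl_text, allowed_principals, allowed_cidrs, max_tables=5, max_bytes=5 * 10**9):
    """Flag unknown principals, callers outside allowlisted ranges, and principals whose jobs
    fan out over too many distinct tables or bill too many bytes (the D3-CASA signals in the text)."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    tables, billed, alerts = defaultdict(set), defaultdict(int), []
    for line in jsonl_text.splitlines():
        pp = json.loads(line)["protoPayload"]
        if pp["methodName"] != INSERT_JOB:
            continue
        principal = pp["authenticationInfo"]["principalEmail"]
        ip = ipaddress.ip_address(pp["requestMetadata"]["callerIp"])
        stats = pp["metadata"]["jobChange"]["job"]["jobStats"]["queryStats"]
        if principal not in allowed_principals:
            alerts.append(alert("bigquery", "unknown_principal", principal=principal))
        if not any(ip in net for net in nets):
            alerts.append(alert("bigquery", "caller_ip_not_allowlisted", principal=principal, ip=str(ip)))
        tables[principal].update(stats.get("referencedTables", []))
        billed[principal] += int(stats.get("totalBilledBytes", 0))
    for principal, seen in tables.items():
        if len(seen) > max_tables:
            alerts.append(alert("bigquery", "table_fanout", principal=principal, tables=len(seen)))
        if billed[principal] > max_bytes:
            alerts.append(alert("bigquery", "bytes_over_threshold", principal=principal, bytes=billed[principal]))
    return alerts

def detect_all():
    """Run both detections over the constructed logs; the baselines and allowlists are assumptions."""
    sf = analyze_salesforce_exports(SF_LOG, baselines={"005x0001": 100, "005x0002": 100})
    bq = analyze_bigquery_jobs(BQ_LOG, {BI_SA, "analyst@example.com"}, ["203.0.113.0/24"])
    return sf + bq

if __name__ == "__main__":
    for a in detect_all():
        print(a)
```

Running the script yields two Salesforce alerts for user `005x0001` (an off-hours export and a daily volume of 499,820 rows against a 1,000-row limit) and four BigQuery alerts: the BI service account used from a non-allowlisted IP, a principal nobody registered, and the same service account fanning out over eight tables and billing 12.4 GB in the window. Raising that user's baseline suppresses the volume alert while the off-hours signal remains, which is why the two checks are kept independent. In production the per-user baselines would come from a rolling window of the same logs rather than a literal dictionary, and the BigQuery side would also watch `TableDataService.List` (direct row reads that bypass a query job), as the IOC table notes.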