Full Report
In July 2026, electronic test and measurement equipment company Fluke was targeted in a ShinyHunters "pay or leak" extortion campaign. The group subsequently published more than 100GB of data allegedly taken from the company. The corpus contained largely corporate contact information, including over 800k unique email addresses, names, phone numbers and physical addresses. A large collection of support cases was also present.
Analysis Summary
# Incident Report: Fluke Corporation "Pay or Leak" Extortion Campaign
## Executive Summary
In July 2026, Fluke Corporation, a leader in electronic test and measurement equipment, was targeted by the threat actor group ShinyHunters in a "pay or leak" extortion attack. After the company likely refused to meet ransom demands, the group published a 100GB corpus of data containing over 821,000 unique records. The breach primarily compromised corporate contact information and a significant volume of customer support tickets.
## Incident Details
- **Discovery Date:** July 15, 2026 (Added to public breach repositories)
- **Incident Date:** July 2026
- **Affected Organization:** Fluke Corporation
- **Sector:** Electronic Test & Measurement / Manufacturing
- **Geography:** Global (Headquartered in USA)
## Timeline of Events
### Initial Access
- **Date/Time:** July 2026
- **Vector:** Unknown (ShinyHunters typically utilize credential stuffing or compromised API keys/cloud environments)
- **Details:** The threat actor gained access to internal databases or file storage systems containing customer and corporate metadata.
### Lateral Movement
- **Details:** Specific movement patterns were not disclosed, but the threat actor successfully accessed a wide repository of support cases and contact databases, suggesting access to a Customer Relationship Management (CRM) or support platform.
### Data Exfiltration/Impact
- **Details:** ShinyHunters exfiltrated over 100GB of corporate and customer data and posted it to their leak site after extortion attempts failed.
### Detection & Response
- **Discovery:** The incident became public when the data was added to "Have I Been Pwned" and listed on ShinyHunters' extortion site.
- **Response Actions:** Public recommendations were issued for users to change passwords and enable 2FA; however, specific internal remediation steps by Fluke were not detailed in the source.
## Attack Methodology
- **Initial Access:** Likely compromised credentials or cloud misconfiguration (Common ShinyHunters TTP).
- **Collection:** Aggregated over 100GB of files including support ticket history.
- **Exfiltration:** Standard outbound transfer to threat actor-controlled infrastructure.
- **Impact:** Extortion via "Pay or Leak" tactics and public disclosure of sensitive corporate data.
## Impact Assessment
- **Financial:** Potential regulatory fines and costs associated with incident response/forensics.
- **Data Breach:** High. 821,100 unique email addresses, names, phone numbers, physical addresses, and job titles.
- **Operational:** Disclosure of "Support Cases" may reveal internal technical infrastructure or proprietary customer configurations.
- **Reputational:** High. Public listing on a prominent leak site and notification to over 800k individuals.
## Indicators of Compromise
- **Network indicators:** hxxps[://]breachnews[.]com/breaches/shinyhunters-addsingram-content-group-and-fluke-corporation-to-leak-site/
- **Behavioral indicators:** Large-scale outbound data transfer (exfiltration) prior to July 15, 2026.
## Response Actions
- **Containment:** (Assumed) Auditing of account access and rotation of leaked credentials.
- **Eradication:** Recommendation for all affected users to reset passwords.
- **Recovery:** Implementation of global Multi-Factor Authentication (MFA) across all corporate accounts.
## Lessons Learned
- **Sensitive Metadata Risk:** Support tickets often contain a wealth of sensitive information that attackers can use for secondary social engineering.
- **Extortion Trends:** The "pay or leak" model remains a primary threat for high-value manufacturing and technology firms.
- **Visibility:** Data exfiltration of this magnitude (100GB) highlights the need for robust Data Loss Prevention (DLP) monitoring.
## Recommendations
- **Identity Security:** Implement phishing-resistant MFA (FIDO2) across all corporate and support platforms.
- **Data Minimization:** Regularly archive or purge old support tickets and records that are no longer required for business operations.
- **Monitoring:** Deploy Behavioral Analytics to detect unusual data egress patterns from cloud storage or CRM databases.
- **Vendor Management:** Audit third-party support platforms to ensure they meet corporate security standards.