Full Report
In March 2026, the hacker and extortion group "ShinyHunters" claimed to have obtained a substantial corpus of data from ZenBusiness, a business formation and compliance platform. The group claimed the data had been exfiltrated from platforms including Snowflake, Mixpanel and Salesforce, and threatened to publish it if a ransom was not paid. The following month, after claiming payment had not been made, ShinyHunters publicly released the data. The collection amounted to many terabytes across thousands of files that appeared to originate from multiple systems and business functions, including leads, support records and other CRM-related data. The data contained approximately 5M unique email addresses, often accompanied by name and phone number depending on the source file.
Analysis Summary
# Incident Report: ZenBusiness Data Breach (ShinyHunters)
## Executive Summary
In March 2026, the threat actor group "ShinyHunters" successfully exfiltrated terabytes of data from ZenBusiness by targeting their cloud-based third-party platforms. Following a failed ransom negotiation, the actors publicly released the data in April 2026, exposing approximately 5.1 million unique customer records. The breach is notable for the breadth of data stolen across multiple CRM and analytics integrations.
## Incident Details
- **Discovery Date:** March 2026 (via threat actor extortion claim)
- **Incident Date:** March 2026
- **Affected Organization:** ZenBusiness
- **Sector:** Business Formation and Compliance / Legal Tech
- **Geography:** Austin, Texas, USA (Headquarters)
## Timeline of Events
### Initial Access
- **Date/Time:** March 2026 (Estimated)
- **Vector:** Likely credential compromise or API exploitation of third-party SaaS platforms.
- **Details:** ShinyHunters gained access to ZenBusiness environments hosted on Snowflake, Mixpanel, and Salesforce.
### Lateral Movement
- **Details:** The actors moved between various cloud-hosted SaaS platforms (Snowflake, Mixpanel, Salesforce) rather than a traditional on-premise network, indicating cross-platform credential or token access.
### Data Exfiltration/Impact
- **April 2026:** After a ransom demand went unpaid, ShinyHunters leaked the full dataset.
- **Volume:** Many terabytes across thousands of files.
- **Data Types:** Lead data, support records, CRM records, and business formation details.
### Detection & Response
- **How it was discovered:** Public extortion claim by the ShinyHunters group.
- **Response actions taken:** Data was added to breach notification services (e.g., Have I Been Pwned); organization-wide password resets and 2FA implementation were recommended.
## Attack Methodology
- **Initial Access:** Targeting third-party SaaS/Cloud environments (Cloud Storage/CRM).
- **Persistence:** Not explicitly disclosed; likely via stolen API keys or session tokens.
- **Privilege Escalation:** Information suggests access to high-level administrative export functions in Salesforce and Snowflake.
- **Defense Evasion:** Use of legitimate cloud synchronization/export tools to mask large data transfers.
- **Credential Access:** Potential use of credential stuffing or stolen developer credentials to access SaaS portals.
- **Collection:** Gathering data from diverse business functions (Marketing, Sales, Customer Support).
- **Exfiltration:** Transfer of multi-terabyte datasets from cloud environments to attacker-controlled infrastructure.
- **Impact:** Financial extortion attempts followed by public data disclosure.
## Impact Assessment
- **Financial:** Undisclosed ransom demand; potential regulatory fines and forensic costs.
- **Data Breach:** Exposure of 5.1 million unique email addresses, names, and phone numbers.
- **Operational:** Disruption to customer support and sales operations due to compromised records.
- **Reputational:** Significant public exposure via Have I Been Pwned and major cybersecurity news outlets.
## Indicators of Compromise
- **Network indicators:** Data exfiltration peaks to non-standard IP ranges associated with cloud storage providers.
- **File indicators:** Large exports from Snowflake or Salesforce (e.g., .csv or .parquet files).
- **Behavioral indicators:** Unusual administrative log-ins to Mixpanel/Salesforce from unexpected geographic locations.
## Response Actions
- **Containment measures:** Credential rotation for all cloud service providers.
- **Eradication steps:** Auditing and revoking unauthorized API keys and OAuth tokens.
- **Recovery actions:** Monitoring the dark web for leaked data and notifying affected users.
## Lessons Learned
- **Key takeaways:** Dependence on third-party SaaS providers creates a sprawling attack surface that requires consolidated identity management.
- **What could have been done better:** Implementation of stricter IP whitelisting for data exports and mandatory Multi-Factor Authentication (MFA) across all cloud integrations (particularly Snowflake).
## Recommendations
- **Zero Trust Architecture:** Implement strict access controls for cloud data warehouses.
- **MFA Enforcement:** Ensure hardware-based 2FA is mandatory for all employees accessing CRM and analytics platforms.
- **Egress Monitoring:** Set up alerts for anomalous data export volumes from Salesforce, Mixpanel, and Snowflake.
- **Credential Hygiene:** Regularly rotate API keys and audit third-party app permissions.