On June 16, 2026, a message appeared on a dark web extortion portal.
The target was Eastman Kodak Company. 130 years old. 79,000 patents. One billion dollars in annual revenue. A company that most people still associate with the yellow film boxes their parents used to buy, but which today operates as a serious business-to-business manufacturing and technology firm producing commercial print systems, advanced materials, and specialty chemicals.
The message from ShinyHunters was terse: “Over 2.2 million records with customer PII and other internal data were compromised. This is a final warning to contact us by June 18, 2026, before we leak the data along with various digital problems that will affect you.” TCSA
Kodak confirmed the breach the following day. An unauthorized third party had temporarily accessed a limited amount of company data. External cybersecurity experts had been engaged. Law enforcement had been notified. Operations, Kodak was careful to say, had not been affected. India Briefing
The company statement was controlled and minimal, the kind of statement organisations issue when they know they have a problem but do not yet know its full shape.
What Kodak did not say, and what the investigation has not yet confirmed, is how the attacker got in.
But ShinyHunters’ known methods tell a clear story. And that story should concern every CTO and IT head reading this, because the entry points ShinyHunters consistently exploits are not exotic vulnerabilities. They are the gaps between systems that almost every organisation has, and almost nobody is actively closing.
Who ShinyHunters Is and Why They Are Different From Most Attackers
ShinyHunters has been active since 2019. Despite multiple arrests, forum seizures, and the conviction of one of its alleged founders in 2023, the group has continued to reemerge. Researchers at Cato Networks describe ShinyHunters in 2026 as having evolved beyond a single hacking crew into a cybercrime brand that adapts faster than defenders and law enforcement can respond. King Stubb & Kasiva
This is not hyperbole. The list of organisations that have faced ShinyHunters in 2026 alone reads like a Fortune 500 roll call.
Charter Communications, 7-Eleven, Medtronic, Vimeo, Instructure, ADT, Rockstar Games, and dozens of other organisations were all hit within a compressed timeframe. The group also conducted a concurrent Oracle PeopleSoft zero-day campaign targeting over 100 organisations simultaneously, illustrating that ShinyHunters is operating multiple parallel attack tracks rather than sequential individual targets. Prophaze
Big names claimed in a single week in June 2026 include Madison Square Garden with 26 million customer records, Ralph Lauren with 220 gigabytes of customer PII and transaction data, JCPenney with Social Security numbers, W-2 tax forms, and government ID scans, and Sysco Corporation with over 61 million Salesforce records allegedly stolen from the US food distributor. Deloitte
This is not opportunistic hacking. This is a scaled industrial operation, and it has a specific and documented methodology.
How ShinyHunters Actually Gets In
This is the section that matters most for CTOs and IT heads.
Kodak has not disclosed its specific entry point. But ShinyHunters’ documented methods include compromised credentials, OAuth token abuse, misconfigured third-party integrations, and enterprise software zero-days. The group’s 2025 Salesforce campaign used voice phishing to get company employees to authorise access to their Salesforce account via a malicious app, through which ShinyHunters accessed data belonging to numerous corporations amounting to more than one billion records. Z Cybersecurity
ShinyHunters also claimed attacks against hundreds of Salesforce customers over the past year, saying they had stolen over 1.5 billion records through Salesforce Aura and Salesloft Drift campaigns. The group was also linked to security breaches at over a dozen Snowflake customers and various other third-party integration providers. Press Information Bureau
Three specific attack vectors have been documented consistently across their 2025 and 2026 campaigns.
- Attack Vector 1: Misconfigured Salesforce and SaaS integrations
Salesforce Experience Cloud, Salesforce Aura, Salesloft Drift. These are widely used enterprise platforms. Each one offers the ability to connect with third-party applications and external services. ShinyHunters claims to have attacked hundreds of Salesforce customers by exploiting misconfigured instances, stealing more than 1.5 billion records in total. Lexology
Misconfiguration is not the same as vulnerability. The platform is not broken. The way it was set up allows more access than the organisation intended. A connector that was installed and never reviewed. An integration with permissions broader than the business function ever required. A developer sandbox that was left open long after the project it was built for was completed.
- Attack Vector 2: OAuth token abuse through third-party applications
This is the method we documented in a case study on OAuth phishing for one of our clients on this blog. A user approves a consent request. The attacker holds the resulting token. Months later, the token is used to silently access systems, bypassing password authentication and MFA entirely.
ShinyHunters used employee-authorised OAuth grants to access Salesforce environments without triggering standard authentication alerts. The access looked legitimate because the token was legitimate. The only thing illegitimate was the application that held it. Z Cybersecurity
- Attack Vector 3: Enterprise software zero-days at scale
ShinyHunters also claimed responsibility for breaches at over 100 organisations following data theft attacks that exploited a zero-day flaw in Oracle PeopleSoft enterprise business software, tracked as CVE-2026-35273. When a zero-day exists in a widely deployed enterprise system, every organisation running that system is exposed simultaneously. The patch window, the time between discovery and deployment across every affected system in a distributed enterprise, is when the attack happens. Press Information Bureau
Why the Kodak Breach Is a Manufacturing and B2B Warning, Not a Legacy Brand Story
The media coverage of the Kodak breach has focused, predictably, on the Kodak name. The cameras. The film. The nostalgia. The fall from consumer dominance.
That framing is almost entirely beside the point.
Analysts have emphasised that although Kodak has stressed that only a limited amount of data was impacted, the involvement of a known extortion group targeting a legacy organisation with a vast portfolio of 79,000 patents serves as a stark warning to the manufacturing sector. Attackers are increasingly pivoting from standard operational disruption to the lucrative theft of specialised intellectual property. Lexology
This matters for Indian manufacturers specifically. A Pune auto-component manufacturer with proprietary tooling designs. A Maharashtra pharmaceutical company with formulation documentation. An industrial equipment firm whose client contracts detail project scopes, pricing, and engineering specifications. All of this information sits in systems that connect to SaaS platforms, CRMs, and enterprise tools.
As SecurityScorecard’s Head of Public Policy noted, even when an organisation says there is no threat to systems or operations, the threat of leaking customer Personally Identifiable Information (PII) and internal corporate data still creates legal, reputational, and customer trust consequences. India Briefing
Kodak’s operations were not disrupted. Their systems were not encrypted. In that narrow sense, the attack was contained. But internal corporate data and personally identifiable information can be used for phishing, impersonation, partner fraud, and follow-on attacks long after the initial access has been contained. India Briefing
The breach is over. The consequences last for years.
The SaaS Problem That Every CTO Must Confront
ShinyHunters did not walk into Kodak through their firewall. They almost certainly walked through the gaps between systems.
This is the attack surface that most Indian enterprises have never fully mapped. And it grows every year, often faster than the organisation realises.
Consider how many SaaS tools and integrations a mid-size manufacturing company or financial services firm operates today. A CRM with a Salesforce or Zoho environment. An ERP system. A cloud HR platform. Email and productivity through Microsoft 365 or Google Workspace. A customer service platform with chatbot integrations. An analytics layer pulling data from multiple upstream systems. A dozen department-specific tools that individual teams signed up for without IT involvement. Each of these has connectors, integrations, and API permissions touching other systems.
Most of these connections were set up once, by whoever was implementing the system at the time, optimised for functionality and speed rather than minimum necessary access. Most have never been reviewed since.
Every one of those connections is a potential entry point for an attacker who understands that the gap between two well-protected systems is often less protected than either system individually.
Security Boulevard’s analysis of the Kodak breach recommends that organisations audit Salesforce, Oracle PeopleSoft, and connected SaaS environments specifically for the access vectors ShinyHunters consistently exploits, including compromised credentials, OAuth token abuse, misconfigured third-party integrations, and enterprise zero-days. Reviewing MFA enforcement, OAuth application permissions, and integration security across all enterprise SaaS platforms should be treated as a priority given the active and broadening campaign. Prophaze
What Kodak’s Response Reveals About Breach Communications
Kodak’s public statement is worth reading carefully, not for what it says, but for what it does not say.
It confirms a breach. It describes the data access as limited. It mentions external experts and law enforcement. It says operations are unaffected.
It does not say how the attacker got in. It does not confirm or deny the 2.2 million record figure. It does not describe what specific customer data was exposed or which customers are affected.
This is a standard breach communications posture, and it is arguably the right one during an active investigation. But it creates a specific problem for every customer, partner, and supplier of Kodak, who now has to make their own risk assessment with incomplete information.
Companies need to be ready to explain what was accessed, how attackers got in, whether the issue has been contained, and what they are doing to prevent it from happening again. India Briefing
For Indian companies reading this as a communications lesson, the DPDP Act changes what “ready to explain” means. Under Indian data protection law, a breach affecting customer data requires notification to the Data Protection Board within the prescribed timeline. The question “what was accessed” is not optional. The investigation must produce a specific answer, and it must do so quickly.
An organisation that cannot tell its regulators, its customers, and its own board exactly what data was exposed six days after discovery is an organisation that never had a real-time view of its own data estate. That absence of visibility is as much a governance failure as the breach itself.
7 Things Every Indian CTO Must Do Before ShinyHunters Finds Their Gap
The FBI strongly advises against paying extortion demands. But the far more useful advice is not to be in that conversation in the first place. Here is how. TCSA
1. Map every SaaS application and integration in your organisation this month
Not the official list in IT’s asset register. The real list. Ask every department head to list every cloud tool their team uses. Many of these will not be in your IT inventory. Some will have access to company data that IT never approved or reviewed. This audit is often the most uncomfortable outcome of a SaaS security exercise because it surfaces tools, connections, and permissions that have existed for years without oversight.
2. Review OAuth application consents across every cloud platform
Every Microsoft 365, Google Workspace, Salesforce, and major SaaS platform has a list of applications that have been granted OAuth access by users. Review this list. Revoke access for any application you cannot identify as legitimate and actively used. Remove permissions that are broader than the documented business function requires. As we covered in our earlier OAuth consent phishing case study, this single step closes the same entry vector ShinyHunters has exploited against hundreds of organisations in the past year.
3. Harden Salesforce, Oracle, and enterprise platform configurations specifically
Given ShinyHunters’ documented focus on misconfigured Salesforce Aura instances and Oracle PeopleSoft zero-days, these platforms require specific security review, not just the general SaaS audit. Engage your platform administrators or an external partner to review Salesforce Experience Cloud access configurations, API permissions, connected app settings, and guest user access. Patch Oracle PeopleSoft CVE-2026-35273 if you have not already.
4. Apply least-privilege access to every SaaS integration
Every integration between two systems should have the minimum permissions required for its documented function. A marketing automation tool that connects to your CRM needs read access to specific contact fields. It does not need write access to financial records or administrative access to your user directory. Review every integration’s permission scope. Narrow anything broader than it needs to be.
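As an added illustration of steps 2 and 4 (this is example code, not from the original post or from any vendor), the script below triages a consent-grant export against an integration register: apps nobody can vouch for are revoked, approved apps holding scopes beyond their documented function are narrowed, and stale or unverified grants are queued for review. The register, the high-risk scope list and the sample grants are all constructed for the example.

```python
"""Triage OAuth consent grants against an integration register (constructed data)."""
from dataclasses import dataclass

# Scopes that hand an app far more than most integrations need. Constructed
# list mixing Microsoft Graph, Google and Salesforce style scope names.
HIGH_RISK_SCOPES = {"Directory.ReadWrite.All", "Mail.ReadWrite", "Files.ReadWrite.All",
                    "https://www.googleapis.com/auth/drive", "full", "api"}
STALE_DAYS = 90

# Hypothetical integration register: app -> scopes its documented function needs.
APPROVED = {
    "Marketing Automation": {"Contacts.Read", "offline_access"},
    "HR Sync Connector": {"User.Read.All"},
}

@dataclass
class Grant:
    app: str
    scopes: set
    days_since_use: int
    publisher_verified: bool

def triage(grant):
    """Return (action, reasons) for one consent grant:
    REVOKE unknown apps, NARROW over-scoped ones, REVIEW stale or unverified ones."""
    allowed = APPROVED.get(grant.app)
    if allowed is None:
        return "REVOKE", ["not in integration register"]
    reasons = []
    excess = grant.scopes - allowed
    if excess:
        reasons.append("scopes beyond documented function: " + ", ".join(sorted(excess)))
    if excess & HIGH_RISK_SCOPES:
        reasons.append("high-risk scope granted")
    if grant.days_since_use > STALE_DAYS:
        reasons.append(f"unused for {grant.days_since_use} days")
    if not grant.publisher_verified:
        reasons.append("unverified publisher")
    action = "NARROW" if excess else ("REVIEW" if reasons else "OK")
    return action, reasons

# Constructed sample resembling a normalised consent export.
SAMPLE_GRANTS = [
    Grant("Marketing Automation", {"Contacts.Read", "Mail.ReadWrite", "offline_access"}, 3, True),
    Grant("HR Sync Connector", {"User.Read.All"}, 120, True),
    Grant("Quick PDF Helper", {"Files.ReadWrite.All", "offline_access"}, 200, False),
]

def audit(grants=SAMPLE_GRANTS):
    return {g.app: triage(g) for g in grants}

if __name__ == "__main__":
    for app, (action, reasons) in audit().items():
        print(f"{action:7} {app}: {'; '.join(reasons) or 'within documented scope'}")
```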
5. Build an incident response protocol for SaaS-originated breaches specifically
Most incident response plans assume an attacker entered through the network perimeter or an endpoint. A SaaS-originated breach looks completely different. There is no malware to find. No device to isolate. The breach happened entirely inside legitimate cloud infrastructure. Your IR plan needs a specific playbook for this scenario: how to identify which SaaS platform was exploited, how to revoke the specific tokens or integrations involved, how to preserve audit logs from cloud platforms before they expire, and how to notify the Data Protection Board within the required timeline.
6. Enable real-time monitoring of SaaS authentication events
Once sensitive data is leaked, the legal work begins and may last several months while the damage is assessed and people are notified. The organisations that minimise this exposure are the ones that detect anomalous access before significant data leaves the environment. Non-interactive sign-in logs, API access patterns, and unusual data export volumes are the signals that a SaaS-originated breach generates. If nobody is watching those signals in real time, the breach runs until it surfaces through an extortion posting on a dark web site. Prophaze
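To show what watching those three signals looks like in practice, here is an added example (not code from the original post) that runs three detections over constructed audit-log lines: a non-interactive sign-in by an app outside the allow-list, a single bulk export, and a per-app record volume far above its baseline. The field names, allow-list, baselines and thresholds are all assumptions made for the example.

```python
"""Flag SaaS-originated breach signals in constructed audit-log lines."""
import json
from collections import defaultdict

# Constructed log lines modelled loosely on a CRM or identity-provider audit export.
# Fields: ts, event, app, user, ip, rows (records touched), interactive.
LOG = """
{"ts":"2026-06-10T01:02:00Z","event":"signin","app":"Marketing Automation","user":"svc-mkt","ip":"203.0.113.10","interactive":false}
{"ts":"2026-06-10T01:03:00Z","event":"api_query","app":"Marketing Automation","user":"svc-mkt","rows":800}
{"ts":"2026-06-10T01:04:00Z","event":"api_query","app":"Marketing Automation","user":"svc-mkt","rows":900}
{"ts":"2026-06-10T02:15:00Z","event":"signin","app":"Bulk Data Loader","user":"j.rao","ip":"198.51.100.7","interactive":false}
{"ts":"2026-06-10T02:16:00Z","event":"api_query","app":"Bulk Data Loader","user":"j.rao","rows":250000}
{"ts":"2026-06-10T02:40:00Z","event":"export","app":"Bulk Data Loader","user":"j.rao","rows":250000}
"""

# Hypothetical baselines from a quiet 30-day window: apps allowed to sign in
# non-interactively, and typical records touched per app per day.
KNOWN_NONINTERACTIVE_APPS = {"Marketing Automation", "HR Sync Connector"}
BASELINE_ROWS_PER_DAY = {"Marketing Automation": 2000, "HR Sync Connector": 500}
RATIO_LIMIT = 10             # alert when volume exceeds 10x the app's baseline
ABSOLUTE_ROW_LIMIT = 100000  # or this many rows regardless of baseline

def parse(log_text):
    return [json.loads(line) for line in log_text.strip().splitlines()]

def detect(events):
    """Return a list of (rule, app, detail) alerts for one day's events."""
    alerts = []
    rows_by_app = defaultdict(int)   # records read or exported per app
    for e in events:
        if e["event"] == "signin" and not e.get("interactive", True) \
                and e["app"] not in KNOWN_NONINTERACTIVE_APPS:
            alerts.append(("unknown-noninteractive-signin", e["app"],
                           f'user={e["user"]} ip={e["ip"]}'))
        if e["event"] in ("api_query", "export"):
            rows_by_app[e["app"]] += e["rows"]
        if e["event"] == "export" and e["rows"] > ABSOLUTE_ROW_LIMIT:
            alerts.append(("bulk-export", e["app"], f'rows={e["rows"]}'))
    for app, rows in rows_by_app.items():
        base = BASELINE_ROWS_PER_DAY.get(app)   # None: app has no history at all
        if base is None or rows > base * RATIO_LIMIT or rows > ABSOLUTE_ROW_LIMIT:
            alerts.append(("volume-anomaly", app, f"rows={rows} baseline={base}"))
    return alerts

if __name__ == "__main__":
    for rule, app, detail in detect(parse(LOG)):
        print(f"ALERT {rule:30} {app}: {detail}")
```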
7. Give your leadership team visibility into the SaaS estate before an attacker maps it for them
Companies need to treat data exposure as an operational risk, not just a privacy issue. That includes limiting how much customer and corporate data is accessible from any one system and validating that vendors and integrations are not creating hidden entry points. Lexology
This is a board-level conversation, not just a technical one. A CTO who cannot tell their CEO which systems hold customer data and which third-party applications have access to those systems cannot govern the organisation’s data risk. FactorX gives leadership the real-time view of technology risk and investment performance that makes this conversation possible, rather than quarterly reports that are already obsolete by the time they are read.
The Pattern That Should Concern Everyone
The Kodak breach is not an isolated incident. It is the most recent data point in a pattern that has been accelerating for twelve months.
ShinyHunters has been steamrolling through the names of hundreds of high-profile corporate victims, most linked to a worldwide campaign exploiting misconfigured Salesforce instances and now expanding into Oracle PeopleSoft zero-days. Big-name brands claimed in June 2026 alone include Kodak, JCPenney, Madison Square Garden, and Sysco, adding to hundreds of victims tied to the group’s broader campaigns. King Stubb & Kasiva
The group has also, according to recent research, built new permanent infrastructure designed to keep stolen data online indefinitely, so that paying a ransom does not guarantee data deletion. Cato Networks notes that ShinyHunters has evolved into a cybercrime brand capable of surviving arrests, infrastructure seizures, and operator turnover. King Stubb & Kasiva
What this means practically is that the extortion model ShinyHunters operates is sustainable. It will continue generating victims as long as enterprises maintain large, connected SaaS estates with unreviewed integrations and unchecked OAuth permissions.
The question is not whether ShinyHunters will find the next misconfigured Salesforce instance. They will. The question is whether it will be yours.
Final Thought
I want to say something about the Kodak name specifically, because it matters for this blog’s audience.
Kodak is not a careless organisation. They have a dedicated cybersecurity function, external forensics experts on speed-dial, and law enforcement relationships that are activated within hours of breach discovery. Their response was fast, professional, and appropriate.
None of that stopped the breach from happening.
Because the gap ShinyHunters exploited was not in their security team’s vigilance or their response capability. It was in the architecture of their connected systems, in an entry point that likely nobody inside the organisation had reviewed recently or considered part of their attack surface.
That is the lesson I want Indian CTOs to carry away from this.
Not that Kodak was careless. The attack surface has changed. The firewall is no longer the boundary. Every SaaS connection, every OAuth grant, every third-party integration is part of the boundary now. And most organisations have never fully mapped that boundary, let alone audited the permissions sitting on every connection within it.
ShinyHunters knows exactly where to look. The question is whether your team does too.
At Skeletos IT Services, we help Indian manufacturers, NBFCs, and financial institutions audit their SaaS estate, review third-party integration permissions, and build the monitoring architecture that catches anomalous access before it becomes a breach. If you want to understand what third-party applications currently have access to your systems and data, we can help you find out. Talk to us here.