Kodak confirms data breach as ShinyHunters claims 2.2M records

Key Takeaways

• Kodak confirmed unauthorized access to company data but described it as 'limited' without validating ShinyHunters' claim of 2.2 million stolen records
• ShinyHunters set June 18, 2026 as the deadline before leaking data and escalating attacks
• The same extortion gang has claimed breaches at over 100 organizations in the past week, exploiting vulnerabilities in Salesforce, Snowflake, and Oracle PeopleSoft

Kodak has confirmed that hackers gained access to company data, though the imaging giant disputes the scale of the breach claimed by the ShinyHunters extortion gang. The threat actors say they stole 2.2 million records containing customer personally identifiable information and internal corporate data. Kodak calls it a 'limited amount.'

The Rochester, New York company disclosed the breach after ShinyHunters posted Kodak's name on their dark web leak site with a deadline: pay up by June 18, 2026, or the data goes public. The gang also threatened unspecified 'digital problems' if their demands aren't met.

What did Kodak actually confirm?

Kodak's statement to BleepingComputer acknowledged that 'an unauthorized third party illegally gained temporary access to a limited amount of company data.' The company said it has engaged external cybersecurity experts and is working with law enforcement.

“We are working with law enforcement and are confident there is no threat to our systems or operations. We will share additional updates as appropriate.”

— Kodak spokesperson

The company did not respond when BleepingComputer asked whether attackers had breached Kodak's internal network. That's a critical distinction. Access to a public-facing system differs substantially from penetrating the corporate network where sensitive R&D data, financial records, and the crown jewels of Kodak's 79,000 patents might reside.

Who is ShinyHunters and why does this matter?

ShinyHunters isn't a new player. The group has been linked to security breaches at over a dozen Snowflake customers and hundreds of organizations using Salesforce integrations. They claim to have stolen more than 1.5 billion records through campaigns targeting Salesforce Aura and Salesloft Drift over the past year.

Just one week before the Kodak claim, ShinyHunters announced breaches at over 100 organizations, including the University of Nottingham. That attack chain exploited a zero-day flaw in Oracle's PeopleSoft enterprise software suite. The pattern suggests the group targets third-party integrations and enterprise platforms rather than attacking companies directly.

Cybersecurity community members on forums and HackerNews have noted that ShinyHunters frequently exaggerates leak sizes to pressure victims. The 2.2 million figure should be treated with skepticism until independently verified. However, the group's track record shows they do possess and leak real data. Instructure and the Council of Europe have both dealt with ShinyHunters incidents in recent months.

How did attackers get in?

Kodak hasn't disclosed the attack vector, and ShinyHunters hasn't specified it either. Given the gang's recent campaigns, the most likely scenarios involve compromised third-party software or SaaS integrations. The Oracle PeopleSoft zero-day they exploited elsewhere is one possibility. Credential theft through Salesforce or Snowflake connections is another.

For a company with Kodak's patent portfolio and chemical manufacturing operations, supply chain and B2B customer data would be the most valuable targets. Customer PII matters, but corporate secrets tied to advanced materials research could carry higher value on underground markets.

What happens after June 18?

ShinyHunters' deadline expires on June 18, 2026. If Kodak doesn't pay, the group typically follows through with public data dumps. Some victims have negotiated. Others haven't. Instructure reportedly reached an 'agreement' with the gang to prevent a leak, though terms weren't disclosed.

The gang's threat of 'annoying digital problems' suggests they might escalate beyond data leaks. Past ShinyHunters campaigns have included harassment of employees and, according to forum discussions, even targeting employees' families. That's an unusually aggressive tactic even among extortion groups.

Frequently Asked Questions

Was customer data stolen in the Kodak breach?

ShinyHunters claims they stole customer PII among the 2.2 million records. Kodak has not confirmed what types of data were accessed, describing only a 'limited amount of company data.'

Is Kodak paying the ransom?

Kodak has not disclosed whether it is negotiating with ShinyHunters. The company stated it is working with law enforcement and external cybersecurity experts.

What is ShinyHunters known for?

ShinyHunters is an extortion gang linked to breaches at Snowflake customers, Salesforce integration users, and over 100 organizations exploited through Oracle PeopleSoft vulnerabilities. They claim to have stolen over 1.5 billion records in the past year.

When will Kodak release more details?

Kodak said it will 'share additional updates as appropriate' but provided no timeline. The investigation with external cybersecurity experts is ongoing.

Source: BleepingComputer