Overview
ShinyHunters, a notorious data-extortion group, has been confirmed as the threat actor behind the recent massive breaches of Pornhub and SoundCloud. This campaign was executed not through direct compromise of the victims’ core infrastructure, but via a supply chain attack targeting Mixpanel, a widely used third-party analytics provider.
Crucially, recent intelligence links ShinyHunters’ current operations to “The Com” (or “The Comm”), a violent, chaotic ecosystem of young cybercriminals that overlaps with groups like Scattered Spider and Lapsus$. This affiliation signals a shift towards more aggressive, high-visibility extortion tactics.
The Attack Vector: Mixpanel Supply Chain Compromise
The breach did not exploit a zero-day vulnerability but relied on identity-based attacks targeting the supply chain.
1. Initial Access (Smishing)
- Method: The attack chain began with a targeted SMS Phishing (Smishing) campaign directed at Mixpanel employees.
- Objective: To harvest valid credentials and Multi-Factor Authentication (MFA) tokens, likely via Adversary-in-the-Middle (AitM) phishing kits that relay the victim's session in real time.
- Result: The threat actors successfully compromised an employee account, gaining legitimate access to Mixpanel’s internal support and data management dashboards.
2. Lateral Movement & Exfiltration
- Legitimate Feature Abuse: Once inside, ShinyHunters used standard administrative features designed for debugging and data export, so no malware or exploit was required.
- Data Access: They queried specific customer environments (Pornhub, SoundCloud, and potentially OpenAI) to extract large datasets of user activity logs.
- Volume: The group claims to have exfiltrated over 94GB of data, comprising nearly 200 million records.
Victimology & Impact
Pornhub (Premium Users)
- Target Data: The breach specifically targeted historical analytics data (dating back to pre-2021).
- Exfiltrated Fields:
- User Email Addresses
- Geo-location data
- Search History & Viewing Habits (Video URLs, keywords, watch times)
- Risk: High potential for “sextortion” and reputational damage to users.
SoundCloud
- Target Data: User analytics and profile data.
- Impact: Approximately 20% of SoundCloud’s user base is affected. The data includes email addresses and device information associated with user profiles.
The “Com” Connection
This campaign highlights the integration of ShinyHunters into “The Com,” a loose collective of English-speaking cybercriminals (often minors or young adults) known for extreme aggression.
- Structure: Unlike traditional organized crime (e.g., Russian RaaS), The Com is decentralized, organizing in Telegram and Discord channels.
- Tactics: They combine high-level technical skills (SIM swapping, cloud intrusion) with physical threats (“swatting,” violence-as-a-service).
- Evolution: ShinyHunters has evolved from a silent data-theft group into a key supplier for The Com, providing the stolen data that fuels the ecosystem’s extortion schemes.
Indicators of Compromise (IOCs)
Behavioral Indicators (SaaS/Cloud)
- Anomalous Exports: Large-scale data exports from third-party analytics dashboards (e.g., Mixpanel, Salesforce, Snowflake) initiated by support or “break-glass” accounts.
- Unusual Geolocation: Logins to SaaS administrative consoles from residential IP addresses or unexpected VPN nodes.
- Session Hijacking: Concurrent sessions or bypassing of MFA hardware token requirements.
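As an added example (not part of the original advisory), the three behavioral indicators above written as detection logic and run over constructed SaaS admin-console audit events. The JSON field names, the export row threshold, the expected-country list and the concurrency window are assumptions, not Mixpanel's real log schema; the weak-MFA check reflects the hardware-key requirement an organisation would enforce.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real Mixpanel logs); field names are assumptions.
SAMPLE_LOG = """
{"ts":"2026-01-10T02:10:00Z","user":"support1","role":"support","action":"login","ip":"203.0.113.7","ip_type":"residential","country":"US","mfa":"sms","session":"s1"}
{"ts":"2026-01-10T02:12:00Z","user":"support1","role":"support","action":"export","project":"customer-A","rows":48000000,"ip":"203.0.113.7","session":"s1"}
{"ts":"2026-01-10T02:15:00Z","user":"support1","role":"support","action":"login","ip":"198.51.100.9","ip_type":"datacenter","country":"DE","mfa":"sms","session":"s2"}
{"ts":"2026-01-10T09:00:00Z","user":"eng2","role":"engineer","action":"login","ip":"192.0.2.4","ip_type":"corporate","country":"US","mfa":"fido2","session":"s3"}
{"ts":"2026-01-10T09:05:00Z","user":"eng2","role":"engineer","action":"export","project":"customer-B","rows":1200,"ip":"192.0.2.4","session":"s3"}
"""

EXPORT_ROW_THRESHOLD = 1_000_000           # assumed tuning value for "large-scale" export
PRIVILEGED_ROLES = {"support", "break_glass"}
EXPECTED_COUNTRIES = {"US"}                # assumed: where admins normally log in from
CONCURRENT_WINDOW = timedelta(minutes=30)  # assumed window for "concurrent" sessions

def parse_events(raw):
    """One JSON object per line -> list of dicts."""
    return [json.loads(line) for line in raw.strip().splitlines()]

def detect(events):
    """Return (rule, user, detail) alerts for the behavioral IOCs described above."""
    alerts = []
    logins = defaultdict(list)  # user -> [(ts, ip, session)] seen so far
    for e in events:
        ts = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        # Anomalous export: bulk export initiated by a support / break-glass account
        if e["action"] == "export" and e["role"] in PRIVILEGED_ROLES \
                and e.get("rows", 0) >= EXPORT_ROW_THRESHOLD:
            alerts.append(("anomalous_export", e["user"], f"{e['rows']} rows from {e['project']}"))
        if e["action"] == "login":
            # Unusual geolocation: residential IP or a country outside the expected set
            if e.get("ip_type") == "residential" or e.get("country") not in EXPECTED_COUNTRIES:
                alerts.append(("unusual_geolocation", e["user"],
                               f"{e['ip']} ({e.get('ip_type')}, {e.get('country')})"))
            # MFA bypass: admin login that did not present a hardware (FIDO2) credential
            if e.get("mfa") != "fido2":
                alerts.append(("weak_mfa", e["user"], f"mfa={e.get('mfa')}"))
            # Session hijacking: a second session from a different IP inside the window
            for prev_ts, prev_ip, prev_session in logins[e["user"]]:
                if prev_ip != e["ip"] and ts - prev_ts <= CONCURRENT_WINDOW:
                    alerts.append(("concurrent_sessions", e["user"],
                                   f"{prev_session}@{prev_ip} and {e['session']}@{e['ip']}"))
            logins[e["user"]].append((ts, e["ip"], e["session"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample the support account trips all four rules while the engineer's FIDO2-backed login and small export produce nothing.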
Network Artifacts (Smishing)
- Domains: Look-alike domains impersonating corporate SSO portals (e.g., okta-support[.]com, mixpanel-login-auth[.]com).
- User Agents: Traffic from mobile user agents (iOS/Android) accessing internal administrative portals at unusual hours.
Mitigation Strategies
- Supply Chain Audit: Review data retention policies with third-party vendors. Ensure vendors like Mixpanel do not retain sensitive PII/history longer than necessary (Pornhub ceased using Mixpanel in 2021, yet data remained accessible).
- Identity Defense: Enforce FIDO2/WebAuthn (hardware keys) for all administrative access to prevent successful phishing/smishing.