April 8, 2026 eBuilder signs an agreement for MDR/SOC with a hotel business.

March 13, 2026 eBuilder signs an agreement for SOC-operations with a Swedish municipality.

March 2, 2026 Large international steel company chooses eBuilders Complorer for cybersecurity training.

March 2, 2026 Large international steel company chooses eBuilder as supplier for Penetration testing.

March 2, 2026 A communications/branding agency chooses eBuilders Complorer for cybersecurity training.

February 13, 2026 eBuilder Security signs an agreement for continuous pen testing with a Swedish AI-company.

February 11, 2026 eBuilder Security sells Complorer Security Awareness training to a Swedish unemployment insurance fund.

January 30, 2026 eBuilder sigs an agreement with a Swedish municipality for MDR/SOC.

April 8, 2026 eBuilder signs an agreement for MDR/SOC with a hotel business.

March 13, 2026 eBuilder signs an agreement for SOC-operations with a Swedish municipality.

March 2, 2026 Large international steel company chooses eBuilders Complorer for cybersecurity training.

March 2, 2026 Large international steel company chooses eBuilder as supplier for Penetration testing.

March 2, 2026 A communications/branding agency chooses eBuilders Complorer for cybersecurity training.

February 13, 2026 eBuilder Security signs an agreement for continuous pen testing with a Swedish AI-company.

February 11, 2026 eBuilder Security sells Complorer Security Awareness training to a Swedish unemployment insurance fund.

January 30, 2026 eBuilder sigs an agreement with a Swedish municipality for MDR/SOC.

Company News

Data Breaches

ShinyHunters Claims Udemy, Zara and 7-Eleven in Latest Extortion Wave

Blog Reading Time

3 Min Read / April 28, 2026

ShinyHunters claimed to have stolen 1.4 million records from online learning platform Udemy and has threatened to release the data alongside stolen information from Zara and 7-Eleven. The cybercriminal group listed all three companies on its dark web extortion site between April 21 and 27, 2026 demanding ransoms to prevent public leaks of customer data and internal corporate information.

According to Cybernews, the group published its Udemy dataset on April 27 after the company failed to meet its ransom deadline. The leaked records allegedly contain personally identifiable information and internal corporate data, though Udemy has not publicly confirmed the breach. None of the three targeted companies have acknowledged the attacks at the time of publication.

The Salesforce Connection

ShinyHunters claims it accessed 7-Eleven through the convenience store chain’s Salesforce environment continuing a pattern observed across the group’s recent campaigns. The gang alleges it obtained over 600,000 Salesforce records containing customer information and internal business data. This aligns with Google’s Threat Intelligence Group assessment that ShinyHunters has been systematically targeting organisations’ Customer Relationship Management platforms through voice phishing campaigns.

Zara’s compromise appears linked to the Anodot-Snowflake incident chain that has affected multiple organisations this year. TechRadar reported that ShinyHunters gained access to Zara through a third-party connection rather than direct infiltration of the Spanish retailer’s own systems. Inditex, Zara’s parent company, previously confirmed identifying unauthorised access to its databases without directly naming the attack vector.

Operating Despite French Arrests

The latest wave of attacks demonstrates ShinyHunters’ continued operations despite significant law enforcement action. French authorities arrested four alleged members of the group on June 23, 2025 in a coordinated operation across multiple regions. The arrests targeted individuals using the aliases ShinyHunters, Hollow, Noct and Depressed, according to Infosecurity Magazine and The Record.

The current claims against Udemy, Zara and 7-Eleven suggest either that the June arrests did not capture the group’s core operational capability or that other actors have assumed the ShinyHunters identity. The French arrests followed months of international law enforcement pressure including the February 2025 arrest of Kai West, the British national behind the IntelBroker persona who had administered the BreachForums marketplace.

This is the group’s standard playbook. Target third-party services that hold data for multiple organisations, then extort each affected company individually. It worked with their Salesforce campaigns throughout 2025 and they are applying the same approach to cloud analytics platforms and data integration services.

The Three-Platform Strategy

ShinyHunters has moved beyond traditional network intrusions to focus on high-value cloud services that aggregate data from multiple sources. The Udemy, Zara and 7-Eleven claims fit this pattern perfectly. Each represents a different entry point into customer databases from e-learning platforms to retail systems and third-party integrations.

Cybernews noted that the group has abandoned encryption-based ransomware entirely focusing solely on data exfiltration for extortion. This model requires less technical infrastructure to maintain while generating comparable returns. The group reportedly listed more than 40 organizations on its leak site as of April 2026 claiming access to tens of millions of records across multiple industries.

For companies using Salesforce, Snowflake or similar cloud platforms, ShinyHunters represents the supply chain risk that security teams struggle to quantify. When one platform falls, every connected organisation becomes a potential target.

References

This post is also available in: Svenska