top of page

Luxury and Financial Services - 586,705 breached accounts

  • May 27
  • 2 min read

Key Findings


  • ShinyHunters group conducted two separate "pay or leak" extortion campaigns against major companies in early 2026

  • Mytheresa luxury fashion platform: 84,108 breached accounts containing emails, names, phone numbers, addresses, purchase history, and partial credit card data

  • Ameriprise Financial: 502,597 breached accounts with emails, names, phone numbers, addresses, and employer information from Salesforce and SharePoint systems

  • Both companies had ransom demands that went unmet, resulting in public data releases

  • Ameriprise reported 47,876 directly affected customers; additional exposed contacts were internal staff and operational system users


Background


ShinyHunters is a known cybercriminal extortion group that uses a "pay or leak" business model, stealing sensitive data from companies and threatening to publicly release it unless a ransom is paid. During the first quarter of 2026, the group targeted two high-profile organizations in separate incidents spanning March and April.


Mytheresa Luxury Fashion Breach


Mytheresa, a major e-commerce platform specializing in luxury fashion, fell victim to ShinyHunters in April 2026. After the group's ransom deadline passed without payment, they released the stolen dataset publicly. The breach exposed 84,108 unique email addresses along with associated customer information. The exposed data included customer names, phone numbers, physical addresses, and purchase history. Most concerning for customers was the inclusion of partial credit card details, specifically card type, the last four digits, and expiration dates. While full card numbers were not included, this information could still be valuable for fraudsters attempting further attacks.


Ameriprise Financial Services Breach


Ameriprise Financial faced a more severe breach in March 2026 when ShinyHunters claimed to have stolen over 200 gigabytes of compressed data from the company's systems. The attackers exfiltrated information from Ameriprise's Salesforce environment and internal SharePoint infrastructure before launching their extortion campaign. When negotiations allegedly failed, the group released the data publicly. The published dataset contained 502,597 unique email addresses along with names, phone numbers, physical addresses, and employer information. Ameriprise later disclosed to state attorneys general that 47,876 people were directly affected customers, with the remaining exposed contacts consisting of internal employees and contacts from broader operational systems. In response, the company implemented enhanced account monitoring and strengthened identity verification procedures for affected accounts.


Sources


  • https://haveibeenpwned.com/Breach/Mytheresa

  • https://haveibeenpwned.com/Breach/Ameriprise

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page