Luxury and Financial Services - 586,705 breached accounts
- May 27
- 2 min read
Key Findings
ShinyHunters group conducted two separate "pay or leak" extortion campaigns against major companies in early 2026
Mytheresa luxury fashion platform: 84,108 breached accounts containing emails, names, phone numbers, addresses, purchase history, and partial credit card data
Ameriprise Financial: 502,597 breached accounts with emails, names, phone numbers, addresses, and employer information from Salesforce and SharePoint systems
Both companies had ransom demands that went unmet, resulting in public data releases
Ameriprise reported 47,876 directly affected customers; additional exposed contacts were internal staff and operational system users
Background
ShinyHunters is a known cybercriminal extortion group that uses a "pay or leak" business model, stealing sensitive data from companies and threatening to publicly release it unless a ransom is paid. During the first quarter of 2026, the group targeted two high-profile organizations in separate incidents spanning March and April.
Mytheresa Luxury Fashion Breach
Mytheresa, a major e-commerce platform specializing in luxury fashion, fell victim to ShinyHunters in April 2026. After the group's ransom deadline passed without payment, they released the stolen dataset publicly. The breach exposed 84,108 unique email addresses along with associated customer information. The exposed data included customer names, phone numbers, physical addresses, and purchase history. Most concerning for customers was the inclusion of partial credit card details, specifically card type, the last four digits, and expiration dates. While full card numbers were not included, this information could still be valuable for fraudsters attempting further attacks.
Ameriprise Financial Services Breach
Ameriprise Financial faced a more severe breach in March 2026 when ShinyHunters claimed to have stolen over 200 gigabytes of compressed data from the company's systems. The attackers exfiltrated information from Ameriprise's Salesforce environment and internal SharePoint infrastructure before launching their extortion campaign. When negotiations allegedly failed, the group released the data publicly. The published dataset contained 502,597 unique email addresses along with names, phone numbers, physical addresses, and employer information. Ameriprise later disclosed to state attorneys general that 47,876 people were directly affected customers, with the remaining exposed contacts consisting of internal employees and contacts from broader operational systems. In response, the company implemented enhanced account monitoring and strengthened identity verification procedures for affected accounts.
Sources
https://haveibeenpwned.com/Breach/Mytheresa
https://haveibeenpwned.com/Breach/Ameriprise

Comments