Woflow Data Breach: ShinyHunters Exposes 447K Accounts
In March 2026, the AI-driven merchant data platform Woflow was publicly named as a victim by the notorious ShinyHunters data extortion group. This isn’t just another breach; it’s a stark reminder of supply chain risk in the AI era. ShinyHunters didn’t just exfiltrate data; they subsequently published over 2TB of it, comprising tens of thousands of files.
Have I Been Pwned confirms the breach involved 447,593 compromised accounts. The published data is extensive, including hundreds of thousands of email addresses, names, phone numbers, and physical addresses. Crucially, this trove relates not only to Woflow’s direct customers but also, by extension, to the customers of merchants utilizing the Woflow platform. This amplifies the blast radius significantly.
This incident underscores the systemic risk posed by third-party platforms handling sensitive customer data. Attackers like ShinyHunters target these hubs precisely because they offer a concentrated source of valuable information, impacting multiple downstream entities with a single successful compromise. For defenders, this means understanding your entire data supply chain, not just your immediate perimeter.
What This Means For You
- If your organization is a Woflow customer, or if you are a merchant whose services rely on Woflow, assume your data and your customers' data are compromised. Immediately initiate a review of all credentials used across any Woflow-related services. Mandate password resets for any affected accounts and monitor for suspicious activity, especially phishing attempts leveraging this exposed information. This isn't theoretical; the data is out there.