ZenBusiness Breach: ShinyHunters Exfiltrates 5M Records from Snowflake, Mixpanel, Salesforce


In March 2026, the hacker and extortion group ShinyHunters claimed a significant data exfiltration from ZenBusiness, a business formation and compliance platform. The group asserted the data was pulled from integrated platforms including Snowflake, Mixpanel, and Salesforce. ShinyHunters initially threatened to publish the data if a ransom was not paid, subsequently releasing it publicly the following month after claiming non-payment.

The released collection spans many terabytes across thousands of files, originating from multiple systems and business functions. Have I Been Pwned confirms this includes leads, support records, and other CRM-related data. The breach exposed approximately 5 million unique email addresses, often accompanied by names and phone numbers, depending on the source file within the exfiltrated data.

This incident highlights the pervasive risk of third-party platform compromise and supply chain attacks. When core business data resides across multiple vendors, the attack surface expands dramatically. Defenders must recognize that a breach at a service provider like Snowflake, Mixpanel, or Salesforce can directly translate to a breach for their organization, even if their own perimeter remains uncompromised.

What This Means For You

  • If your organization uses ZenBusiness, assume your data is compromised. Immediately notify affected users and advise them to be highly vigilant for phishing attempts and social engineering, as their email, name, and phone number are now public.
  • Review your own third-party vendor security posture, especially for platforms like Snowflake, Mixpanel, and Salesforce, regardless of whether you use ZenBusiness. This is a stark reminder that your data's security is only as strong as your weakest vendor's.

๐Ÿ›ก๏ธ Detection Rules

3 rules ยท 6 SIEM formats

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free โ€” export to any SIEM format via the Intel Bot.

critical T1041 Exfiltration

ZenBusiness Data Exfiltration via Compromised Third-Party Platforms

Sigma YAML โ€” free preview

Source: Shimi's Cyber World ยท License & reuse
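The T1041 rule above is only named on this page, not shown. As an added example (not the page's rule and not code from Shimi's Cyber World), the following Python implements the kind of logic such a rule encodes for the incident described: one identity pulling leads, support records and contacts out of several SaaS platforms in a short burst. The event schema (`ts`, `platform`, `user`, `src_ip`, `object`, `rows`) is an assumed normalisation of Snowflake query history, Salesforce Bulk API and Mixpanel export logs, and every sample event, user name and IP address is constructed.

```python
"""Bulk-export detector for SaaS audit logs (ATT&CK T1041).

Added example, not the page's rule. The event schema is an assumed
normalisation of Snowflake / Salesforce / Mixpanel export logs, and all
sample data below is constructed (RFC 5737 test addresses, invented users).
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: one service identity pulls leads, support tickets
# and contacts from two platforms within 15 minutes; a second user does
# routine low-volume work hours later.
SAMPLE_LOG = """\
{"ts": "2026-03-02T01:05:00Z", "platform": "snowflake", "user": "svc_analytics", "src_ip": "203.0.113.7", "object": "CRM.LEADS", "rows": 1800000}
{"ts": "2026-03-02T01:12:00Z", "platform": "snowflake", "user": "svc_analytics", "src_ip": "203.0.113.7", "object": "CRM.SUPPORT_TICKETS", "rows": 2600000}
{"ts": "2026-03-02T01:20:00Z", "platform": "salesforce", "user": "svc_analytics", "src_ip": "203.0.113.7", "object": "Contact", "rows": 900000}
{"ts": "2026-03-02T09:00:00Z", "platform": "mixpanel", "user": "j.doe", "src_ip": "198.51.100.20", "object": "events_export", "rows": 12000}
{"ts": "2026-03-02T09:30:00Z", "platform": "salesforce", "user": "j.doe", "src_ip": "198.51.100.20", "object": "Lead", "rows": 250}
"""


def parse_events(text):
    """Parse newline-delimited JSON audit events; `ts` becomes a tz-aware datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        ev["rows"] = int(ev["rows"])
        events.append(ev)
    return events


def detect_bulk_export(events, window=timedelta(hours=1), row_threshold=1_000_000):
    """Alert when one identity exports >= row_threshold rows inside any `window`,
    summed across every platform it touched. One alert per offending identity,
    describing the densest window seen for that identity."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start, running = 0, 0
        best = None  # (rows, start_idx, end_idx) of the densest window
        for end, ev in enumerate(evs):
            running += ev["rows"]
            # Slide the window start forward until the span fits in `window`.
            while ev["ts"] - evs[start]["ts"] > window:
                running -= evs[start]["rows"]
                start += 1
            if best is None or running > best[0]:
                best = (running, start, end)
        rows, s, e = best
        if rows >= row_threshold:
            burst = evs[s:e + 1]
            alerts.append({
                "technique": "T1041",
                "user": user,
                "rows": rows,
                "window_start": burst[0]["ts"].isoformat(),
                "window_end": burst[-1]["ts"].isoformat(),
                "platforms": sorted({b["platform"] for b in burst}),
                "objects": sorted({b["object"] for b in burst}),
                "src_ips": sorted({b["src_ip"] for b in burst}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_export(parse_events(SAMPLE_LOG)):
        print(json.dumps(alert, indent=2))
```

Correlating on the identity rather than on a single platform is the point: a compromised credential or integration token tends to be reused against every platform it reaches, so per-platform thresholds that each stay under the radar add up to an obvious burst once summed. The one-hour window and one-million-row threshold are placeholders; tune them from each tenant's own export baseline before alerting on them.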

