What happened
Kodak has confirmed that an unauthorized third party illegally gained temporary access to a limited amount of company data, with the ShinyHunters extortion group claiming responsibility on its dark web leak site. The company is working with external cybersecurity experts and law enforcement to investigate what data was accessed and copied, and stated it is confident there is no threat to its systems or operations.
ShinyHunters claimed to have stolen over 2.2 million records containing customer PII and internal corporate data, setting a June 18, 2026 deadline for Kodak to make contact before threatening to leak the data and pursue additional disruptive actions. Kodak has not disclosed how the attackers gained access or confirmed the volume of data claimed by ShinyHunters. The gap between Kodak’s characterization of a limited amount of data and the attacker’s claim of 2.2 million records has not been resolved.
The breach fits ShinyHunters’ documented pattern of targeting Salesforce environments, SaaS integrations, and cloud infrastructure. The group has claimed attacks against hundreds of Salesforce customers over the past year, asserting theft of over 1.5 billion records across Salesforce Aura and Salesloft Drift campaigns. One week ago, ShinyHunters also claimed responsibility for breaches at over 100 organizations including the University of Nottingham following exploitation of a zero-day flaw in Oracle’s PeopleSoft enterprise software suite.
Who is affected
The scope of customer impact is unconfirmed pending investigation. ShinyHunters’ claim of 2.2 million records containing customer PII represents the upper bound of potential exposure, though Kodak’s characterization of limited data access suggests the actual scope may differ. Kodak operates across commercial print, advanced materials, and chemical products sectors with a global customer base.
Why CISOs should care
The Kodak breach adds another major brand to ShinyHunters’ accelerating 2026 campaign, which has now touched Charter Communications, 7-Eleven, Medtronic, Vimeo, Instructure, ADT, Vercel, and dozens of other organizations within a compressed timeframe. The group’s concurrent Oracle PeopleSoft zero-day campaign targeting over 100 organizations simultaneously illustrates that ShinyHunters is operating multiple parallel attack tracks rather than sequential individual targets. For security leaders, the relevant question is no longer whether ShinyHunters will target organizations in their sector but whether their Salesforce, Oracle, and cloud SaaS environments are adequately hardened against the access vectors this group consistently exploits.
3 practical actions
- Audit Salesforce, Oracle PeopleSoft, and connected SaaS environments for the access vectors ShinyHunters consistently exploits: The group’s documented methods include compromised credentials, OAuth token abuse, misconfigured third-party integrations, and now a PeopleSoft zero-day. Review MFA enforcement, OAuth application permissions, and integration security across all enterprise SaaS platforms as a priority given the active and broadening campaign.
- Monitor ShinyHunters’ leak site for the June 18 Kodak deadline and prepare for potential data publication: If ShinyHunters publishes the alleged Kodak dataset, organizations whose employees or customers have relationships with Kodak’s commercial print or enterprise services should prepare for targeted phishing using that data. Establish monitoring and communication protocols ahead of the deadline.
- Treat ShinyHunters’ as-a-service model as a persistent organizational risk category: The group operates across multiple concurrent campaigns using shared infrastructure and techniques. A single vendor’s breach can expose your organization’s data as a downstream customer or partner. Map your supply chain and vendor relationships against ShinyHunters’ confirmed victim list and assess indirect exposure.
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.