ProBackend

Kodak Brings in Cyber Experts After Extortion Gang Says It Stole 2.2 Million Records

Kodak has confirmed a security breach and brought in external cybersecurity experts to investigate after the ShinyHunters extortion gang claimed responsibility for stealing over 2.2 million customer and corporate records, threatening to publish the data.

Kodak just confirmed what a lot of us suspected the moment we saw the ShinyHunters leak site light up: the company's been breached. An unauthorized third party got temporary access to a limited amount of company data, according to the statement Kodak pushed out. They've brought in outside cybersecurity experts to figure out exactly what was touched, and they're working with law enforcement. The spokesperson said the company is "confident that there is no threat to our systems or operations" — which, honestly, is the kind of line you read twice before deciding whether to believe it.

What's notable here isn't just that Kodak got hit. It's who claims responsibility. ShinyHunters — the extortion group that's been systematically picking through enterprise cloud applications all year — says it walked away with over 2.2 million records. Customer PII. Internal corporate data. And they've set a final warning deadline of June 18, 2026 before the whole thing hits the public internet.

What Kodak Is Saying

Kodak's official statement is measured, which makes sense when you're still in the middle of an investigation and don't want to accidentally admit to something you haven't confirmed. The company says an unauthorized third party "illegally gained temporary access to a limited amount of company data." They've engaged external cybersecurity experts to support the investigation into what data was accessed and copied. Law enforcement is involved.

Here's where it gets interesting: Kodak's spokesperson did not confirm whether the internal network was actually breached. That silence is either careful legal positioning or an admission that they don't fully know yet. Either way, it's a reminder that public statements from incident victims are often written by lawyers as much as by security teams.

The company says it's confident there's no threat to systems or operations. We'll see if that holds up when — or if — the data actually gets published.

The ShinyHunters Claim

ShinyHunters posted their claim on their dark web leak site, alleging they stole over 2.2 million records from Kodak. The data reportedly includes customer personally identifiable information and internal corporate documents. They've set June 18, 2026 as the final warning deadline before publishing.

Kodak has not yet publicly attributed the breach to ShinyHunters specifically, though the timing and details line up closely enough that most observers are connecting the dots. The group typically posts proof of data — sample files, database dumps, internal documents that only an insider or someone with deep access would have. When you see that kind of specificity, it's usually real.

The 2.2 million figure is significant. For a company the size of Kodak, that's a substantial portion of their customer base and internal operations data. If even a fraction of that hits the public internet, the downstream consequences — identity theft, corporate espionage, regulatory scrutiny — could be severe.

Who Is ShinyHunters?

ShinyHunters isn't a new name in this space. The financially motivated threat group has been active since at least 2019, operating under the persona "ShinyCorp." According to the FBI's Internet Crime Complaint Center, they specialize in large-scale data breaches and extortion targeting technology companies, financial institutions, and retail organizations.

The FBI's public service announcement from May 2026 paints a disturbing picture. ShinyHunters doesn't just steal data and move on. They use harassment tactics — threatening texts and calls to victims and their family members, even swatting. They've deployed AI-enabled voice phishing through platforms like Bland AI and Vapi, and they're collaborating with Scattered Spider on operations. Their leader, ShinyCorp, is reportedly selling stolen datasets for over $1 million per company through Telegram.

EclecticIQ's analysis adds more detail. The group has made claims against hundreds of Salesforce customers, with over 1.5 billion records stolen through compromises of Salesforce Aura and Salesloft Drift. They're linked to breaches at over a dozen Snowflake customers and various third-party integration providers. Most recently, they claimed more than 100 organizational breaches exploiting an Oracle PeopleSoft zero-day vulnerability.

They're also developing "shinysp1d3r," a ransomware-as-a-service targeting VMware ESXi, and they actively hunt for high-privilege engineering accounts on Git, BrowserStack, and JFrog for supply chain attacks. This isn't a group that picks low-hanging fruit. They're methodical, well-funded, and increasingly sophisticated.

The Bigger Picture

Kodak didn't get hit in a vacuum. ShinyHunters has been running what can only be described as an industrial-scale campaign against enterprise cloud applications, and they're just getting started.

The Salesforce angle is particularly chilling. By compromising the Aura platform and Salesloft Drift integrations, ShinyHunters can potentially access hundreds of organizations through a single foothold. That's the beauty — and terror — of supply chain-adjacent attacks: you don't need to breach each target individually when you can get into the tools they all use.

The Snowflake breaches follow a similar pattern. Cloud data warehouses are essentially the modern equivalent of the company's central filing cabinet. When you get into one, you're looking at structured data from multiple departments, possibly multiple years. And the Oracle PeopleSoft zero-day campaign? That's a reminder that even legacy enterprise software isn't safe when attackers are this persistent.

What makes ShinyHunters different from most extortion groups is the scale and the speed. They're not spending months inside a network before making contact. They're finding vulnerabilities, exfiltrating data, and posting claims in a matter of weeks. The June 18 deadline for Kodak isn't some distant threat — it's next week.

What Happens Next

The clock is ticking. ShinyHunters has set June 18, 2026 as their final warning deadline. If Kodak doesn't pay — and most companies don't, at least not publicly — the 2.2 million records go live on the dark web.

For Kodak, the immediate priorities are clear: finish the forensic investigation, determine the full scope of the breach, notify affected individuals, and prepare for what will likely be a regulatory inquiry. The fact that they've already engaged external experts and involved law enforcement suggests they're taking this seriously, but the timeline is tight.

For the broader market, Kodak's situation is a case study in why cloud security posture matters more than ever. ShinyHunters isn't targeting Kodak because they're Kodak. They're targeting organizations that use the same cloud platforms — Salesforce, Snowflake, Oracle PeopleSoft — that thousands of other companies rely on. Every unpatched vulnerability, every weak integration credential, every overprivileged service account is a potential doorway.

The FBI and EclecticIQ both emphasize that ShinyHunters is actively recruiting and expanding. New tools like shinysp1d3r ransomware-as-a-service suggest they're planning to layer encryption attacks on top of their existing data theft operations. If that happens, we're looking at a double-extortion model where victims can't just restore from backups.

Kodak's breach won't be the last one. It'll be one of many this year, and probably next year too. The question for every security team reading this is simple: when ShinyHunters comes for you, will you have the same answer Kodak just gave? "We're confident there's no threat to our systems or operations." Or will you have something more concrete?
