Those readers who aren’t A-listers (including yours truly) may never have heard of Kering, but you may have heard of their high-end fashion brands: Gucci. Yves Saint Laurent. Bottega Veneta. Balenciaga. Alexander McQueen. Brioni. It is some of those fashion brands that are the subject of this post as they fell prey to attacks by ShinyHunters. As far as DataBreaches.net can determine, Kering has yet to publicly acknowledge either of two attacks or to notify customers.
Kering Recognized the Risk
Kering is not the first high-end fashion retailer to fall prey to attacks by ShinyHunters. The media has already reported breaches affecting Louis Vuitton, Dior, Tiffany and Chanel. But unlike those incidents, the Kering incidents have not been previously publicly revealed.
In July, reportedly months after data was exfiltrated and while they remained publicly silent, Kering issued a policy that they posted on their website: Kering Global Information Security Policy 2025. It states, in part:
Kering considers Information to be one of its most valuable assets. It is a key factor of the Group’s growth and customers’ trust.
As such, Information (in particular as collected in numerical form and processed in Kering Information System) together with the Information System that is used to process it and provides Kering Group with services that are vital for its activities, need to be adequately protected against increasing Threats both internal and external to Kering such as, without limitation, logical intrusions, information theft, sabotage, Social Engineering, cyber terrorism.
Protecting Information means ensuring the confidentiality, integrity and availability of the Information.
If Information is lost, stolen, inappropriately disclosed, destroyed, modified, serious consequences may result for Kering such as:
• Loss of customers’ trust (in particular following a personal data breach or the unavailability of sales and/or payment services.
• Loss of competitive advantage (e.g. in the event of theft and disclosure of know-how and trade secret);
• Loss of revenue (in case of unavailability of key components generating value (e-commerce websites, payment services…).
The .pdf file has a creation date of July 24, 2025.
Loss of trust and loss of revenue are clear risks, as Kering seemingly acknowledged. So what did they do when they experienced not one, but two, breaches involving more than 50 million records?
What happened? And what has Kering done in response?
The Gucci Breach
According to ShinyHunters, Gucci was breached in 2024, using the methods associated with the Salesforce attacks.
From a sample of more than 900 records provided to DataBreaches, the Gucci data included the following fields (DataBreaches has redacted the actual customer data):
{‘TotalSales__’: xxxxxxxxxxxxx, ‘Name’: ‘xxxxxxxxxxxxx’, ‘AgeRange__’: ‘xxxxxxxxxxxxx’, ‘BirthdateDDMM’: ‘xxxxxxxxxxxxx’, ‘PersonEmails’: “[‘xxxxxxxxxxxxx’, xxxxxxxxxxxxx]”, ‘MobilePhone__’: ‘[xxxxxxxxxxxxx]’, ‘LineAddress__’: ‘[xxxxxxxxxxxxx]’, ‘Identifier’: ‘xxxxxxxxxxxxx’, ‘CreatedDate’: ‘xxxxxxxxxxxxx”, ‘PreferredLanguage__’:xxxxxxxxxxxxx}
The customer data indicates that customer data from customers in various countries was all stored in the same database. The “CreatedDate” in the sample ranged from dates in the fourth quarter of 2017 up to early April of 2024.
According to a statement by ShinyHunters, the full Gucci data set reportedly consists of 43,483,137 records, but DataBreaches does not know how many unique customers that represents.
When did Gucci or Kering first discover this breach, and how did they first discover it? Kering has yet to disclose that. How many Gucci customers were affected? How many have been notified? Kering has yet to disclose that, either. Kering does not appear to have even confirmed or acknowledged any breach.
The Second Breach: Balenciaga, Brioni, and Alexander McQueen
ShinyHunters also hit other Kering high-end retailers.
From a second sample with more than 900 records provided to DataBreaches, the Balenciaga, Brioni, and Alexander McQueen data contained the following fields:
{“attributes”: {“type”: “Account”, “url”: “”}, “Brand”: xxxxxxxxxxxxx, “TotalSales”: xxxxxxxxxxxxx, “Email”: “xxxxxxxxxxxxx”, “PersonMobilePhone”: “+1xxxxxxxxxxxxx”, “FirstName”: “xxxxxxxxxxxxx”, “LastName”: “xxxxxxxxxxxxx”, “BirthdateDDMM”: “xxxxxxxxxxxxx”, “YearOfBirthYYYY”: “xxxxxxxxxxxxx”, “LineAddress1”: xxxxxxxxxxxxx, “City”: “xxxxxxxxxxxxx”, “State”: “xxxxxxxxxxxxx”, “Country”: “xxxxxxxxxxxxx”, “CreatedDate”: “”CreatedDate”: “xxxxxxxxxxxxx”}
The record creation dates in the sample were from 2017, but from statements made by ShinyHunters during negotiations with Balenciagga, there was also more recent customer data from 2024. Customer data from customers of all three brands and from various countries was all stored in the same database.
The data set for Balenciaga, Brioni, and Alexander McQueen has a total of 12,924,814 records. DataBreaches does not know how many unique customers that number represents.
When did Balenciagga, Brioni, Alexander McQueen or Kering first discover this breach, and how did they first discover it? Kering has yet to disclose that. How many customers were affected? How many have been notified? Kering has yet to disclose that, either.
Balenciaga Negotiates, But Then ReNegs — What Happened?
ShinyHunters appears to have reached out to Balenciaga in early June of 2025, but Balenciaga did not show up in the negotiations chat until June 20, 2025. When Balenciaga did not follow through on their promises to pay after more than two months of promises and negotiations, ShinyHunters shared sample data and the full negotiation chat log with DataBreaches.net.
Of note, the trajectory of the negotiations appeared to shift on June 25. Was that because French law enforcement announced the arrest of four people allegedly involved in ShinyHunters? Did Balenciaga believe that with ShinyHunters arrested, whoever was contacting them was a fake ShinyHunters? Was law enforcement privately advising Balenciaga? If there were any communications, was law enforcement telling Balenciaga the truth about who it did — and who it did NOT — arrest?
DataBreaches is providing excerpts below with date stamps so that readers can consider whether Balenciaga may have been influenced by — or relied upon — law enforcement statements, all to the ultimate detriment of its customers, or whether it was just stringing ShinyHunters along to delay the leak of their customer data.
June 20, 2025:
“User” showed up in the chat and identified themself as the safety manager for Balenciaga. They stated that they were authorized to conduct negotiations. The negotiations shifted to French language at ShinyHunters’ offer to make it easier for Balenciaga’s negotiator. The quotes below are the result of machine translation.
[04:07:17] User: the question is how to be sure that if we pay you will not disclose the information
[04:07:51] User: my hierarchy needs to be reassured
[04:11:26] shinycorp: As stated earlier, this is our job. We have worked with many Fortune 500 companies as well as with foreign companies, and we have always negotiated successful agreements with each of them. We keep our word; our success in negotiations with so many other companies is based precisely on our reputation for respecting our commitments. However, if you choose not to pay, then it would become in our interest to attack you.
[…]
[04:56:03] User: As I told you earlier, my hierarchy is not against making a payment however the sum of 10 BTC is way too high. It will be necessary to consider reducing your price if you want me to be able to convince my hierarchy to pay
[05:10:59] shinycorp: Yes.
[05:10:59] shinycorp: Regarding the payment, honestly, considering the excessive time you took (more than two weeks) before contacting us, we had seriously considered increasing the ransom to 20 bitcoins. However, in the interest of quickly resolving this problem and avoiding an escalation, we are ready to reduce our request to 750,000 euros in bitcoins. You are a company valued at $36.9 billion. If we disclosed your data, the costs that you would incur would be at least ten times higher than what we are currently asking for, in particular because of the victims’ class actions, regulatory investigations and potential sanctions amounting to several million, or even hundreds of millions of dollars. The GDPR is not to be taken lightly.
The cost of immediate compliance is a fraction of what you would spend on penalties, legal fees and loss of business. GDPR fines alone can reach up to 4% of your global turnover, an amount much higher than our current demand. Paying now is not only cheaper: it would be your smartest decision.
[05:26:32] User: That’s your point of view. The payment of a ransom also encourages other cybercriminals to want to attack us
[05:27:29] User: The higher the security, the more likely we are to be attacked from a point of view of my hierarchy.
[05:48:33] User: I’m checking with my hierarchy if he agrees to pay at this price. I’ll be back to you in the middle of the afternoon.
[05:49:18] shinycorp: Okay, we’re looking forward to your return.
[08:49:35] User: I saw with my hierarchy. They are ready to pay for the sums you wish. However, the amount of the ransom requires that the operation be validated by the financial department at a high hierarchical level. The only person who can proceed to the validation will only be available from Monday.
[08:50:06] User: Please be patient and you will get your money.
[08:52:26] shinycorp: Hello, we are glad to have reached an agreement. Once the payment has been received from our side, the proof of deletion will be sent to you within 24 hours of receipt of the funds.
So as of June 20, Balenciaga had agreed to pay 750,000 Euros in BTC. The next communication was on June 23:
June 23, 2025:
[…]
[04:29:53] User: We should be able to make the payment in the afternoon
[04:31:53] shinycorp: Hello, you can send the payment to the address indicated in the email or to the one we transmitted above.
[04:32:11] User: Understand that from a legal point of view it is complicated to buy crypto-assets. this is the reason why we put in the time
[04:33:43] User: It’s noted. I hope I can settle this transaction.
[04:33:57] shinycorp: We understand, no worries. The payment will be made this afternoon, 100%? We just want a confirmation in order to prepare the items that we have promised to provide once the payment has been made.
[04:35:03] User: The transaction will certainly be done in two steps. A small transfer with to be sure that the operation is complete and then once confirmed the entire ransom.
[04:35:50] shinycorp: Understood. Notify us as soon as the test payment has been sent so that we can confirm receipt.
[09:18:19] User: Are you logged in?
[09:18:40] shinycorp: Yes
[09:19:30] User: We will be able to proceed with the purchase of crypto assets
[09:20:32] User: However we have a question, it has been found no compromise in recent days in our data system
[09:21:00] User: Can you tell us when the data you have is from?
[09:21:56] shinycorp: Data was stolen from your network on April 23rd.
[09:22:10] User: April 23rd of this year?
[09:22:18] shinycorp: Yes
[09:24:10] User: Our hierarchy would like to know the method used for the compromise in order to secure our system?
[09:25:28] shinycorp: As we said, once the payment is made, a full security report will be provided to you. Before confirming the payment to us, it was your responsibility to be diligent by reviewing and verifying the data.
[09:28:48] User: As a token of good faith, can you send us the security report before the ransom is paid?
[09:30:33] shinycorp: Sorry, but that’s not something you can negotiate. As a gesture of good faith, we can explain to you how we accessed the data. Once the payment has been made, a detailed security report as well as the other agreed elements will be given to you.
[09:53:28] shinycorp: We have accessed your Salesforce CRM. The Google Threat Intelligence group has published an article about us (“ShinyHunters”) regarding our campaign, which you can read here :
https://www.bleepingcomputer.com/news/security/google-hackers-target-salesforce-accounts-in-data-extortion-attacks/
https://cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion
That’s all we can say before the payment is made.
[10:21:39] User: We will still proceed with the ransom payment
[10:22:24] User: At first, we send you 50€
[10:23:00] User: Have you received the funds?
[10:37:53] User: We are waiting for a response from you
[13:13:24] shinycorp: No, we haven’t received any funds.
So on June 23, Balenciaga claimed it sent the 50 euros test payment, but ShinyHunters stated it did not receive it.
On June 23, French law enforcement arrested four people it would later claim were part of ShinyHunters, including the head of ShinyHunters. Did Balenciaga know about the arrests? When did they find out about the arrests?
June 24, 2025:
[03:25:06] User: Why did it take so long to reply to us?
[03:25:44] User: The management was very worried and now doubts your good faith
[03:29:12] shinycorp: Hello
[03:30:23] shinycorp: We understand, it only took us 2 hours to respond. We have a life too, and we apologize. You said you sent €50, but we didn’t receive it.
[03:31:45] shinycorp: Two hours is absolutely not “long”. We are acting in good faith, but we have the feeling that you are saving time. Don’t be in the opposition, it’s not in your interest. You promised a payment yesterday afternoon. Don’t make promises that you can’t keep.
[03:33:50] shinycorp: You kept logging in and out. Don’t talk about our so-called slowness to respond to you when it took you more than two weeks to contact us.
[03:37:02] shinycorp: We told you which software we used in your network to exfiltrate the data, as a gesture of good faith, and then you lied about sending the test payment. If anyone has to doubt the other person’s good faith, it’s us.
[03:41:48] User: For the transaction, I am surprised that you have received nothing. I asked the financial department to inquire. It must be said that accountants are not aware of crypto assets
[03:42:23] User: Why would you want us to save time? Time will not change anything in our business.
[03:42:51] User: I warned you, the larger the ransom, the more complicated the process will be
[03:44:52] shinycorp: We hope you’re not trying to save time. We are ready to show patience and work with you to resolve this matter. We have agreed on 750,000 euros in Bitcoin, to be sent to the address we provided in the e-mail or to the one communicated in our exchanges above. Either of these addresses works: if the payment is sent there, we will receive it. Regarding yesterday’s test payment, we have not received it.
[03:50:05] User: I’m waiting for the financial department to come back to have an explanation.
[09:13:53] User: How do you explain that our IT department did not find any compromise in April 2025?
[09:18:46] shinycorp: I think you should question your incompetence. We know what we have, we know that we have data belonging to Balenciaga. Otherwise, we probably wouldn’t be chatting right now.
We told you that we compromised your Salesforce CRM around April 2025, according to our memories. Otherwise, check the accesses prior to April 2025.
It is not up to us to explain to you how to conduct your incident response. Before contacting us and even promising a settlement, you should have checked the data. As indicated in the email, we are willing to provide other samples to confirm the legitimacy of the data. We have sent you this download link in our emails :
https://limewire.com/d/kT2EW#xEOlDc5RXc
We see that this link has been downloaded twice.
[09:20:37] shinycorp: If this is an attempt to drag things out, again, it’s not in your best interest. *
[09:23:58] User: The data that you have transmitted to us is indeed our customer data but it has been found that there have been no compromises for more than a year. The IT department wonders about the age of the data [09:24:15] User: At 750K€ the question is more than legitimate?
Did Balenciaga know about a breach more than one year ago? If so, what did they do in response? Or did they first discover a breach that was more than a year old when they went searching after ShinyHunters reached out to them?
[09:26:29] shinycorp: You should have worded your question better. In our defense, we retrieved this data in April 2025. We can send you the last 10,000 rows of our dataset in order to determine the age of the information. [09:27:50] shinycorp: Here are the last 10,000 rows of the dataset: https://limewire.com/d/rQbb1#N8aeN0nn43
[09:28:45] User: I am passing the information to the IT department
[10:05:46] shinycorp: We decided to conduct an additional check on our side, in order to make sure that we are not in error, since we are acting in good faith. Details on the chronology of the data : • Looking at our file system, the most recent date of the Balenciaga file present on our system indicates April 23rd : –rw-rw-r– 1 $ user 4.7G Apr 23 01:52 balenciaga.txt • The CreatedDate field indicates the creation date of each customer record; it is therefore normal that the most recent is 2024-05-21. This does not mean that the information is outdated: most of these customers are still active and their personal data (name, e-mail, phone, address, purchase history) have not changed. • Why it remains critical : – Personal data (name, e-mail, telephone, address, purchase history) have almost never changed since 2024; they are therefore still valid for identity theft, targeted phishing and GDPR sanctions. – The regulators do not look at the age of the field: they sanction the leakage of identifying data, period.
[10:05:46] shinycorp: This information is enough to engage your GDPR responsibility and expose your customers to a risk of identity theft. Once this verification has been done, we are waiting for the agreed test transfer in order to move forward.
On June 25, the French announced the June 23 arrest of four members of ShinyHunters, described as the main administrators of BreachForums, plus the earlier arrest of IntelBroker. One of those arrested was described as the person known as ShinyHunters (the leader of the group). That same day, as seen below, Balenciaga rescinds its intention to pay what it agreed to pay:
June 25, 2025:
[04:26:06] User: I just learned that the transaction had been refused at the last moment by the director, on his return from vacation without the latter notifying me
User: He considered that the amount was too high.
[…]
June 26, 2025:
[07:42:12] User: I am instructed to inform you that the management refuses to pay the ransom at the set price. If you want to earn money, I invite you to make another offer
[07:42:40] shinycorp: Hello
[07:43:58] shinycorp: We thought you ignored us. We have just sent you another e-mail, we apologize for this. We are always interested in negotiation. What do you think of 650,000 euros? Let’s settle this once and for all, please.
[07:45:39] User: The director who took over the case is more stressed than the previous one. That‘s the reason why, it takes longer to give us a feedback.
[07:45:49] User: I am transmitting the information
[07:46:55] shinycorp: Okay, we strongly assure you that once we come to an agreement, all this will disappear. [07:51:03] shinycorp: It would be better if you let us know what you are willing to pay, so that we can negotiate an agreement acceptable to both parties. Once again, please understand that it is in all of our best interests to settle this matter amicably, otherwise you risk having to pay millions in fines, GDPR violations and class action lawsuits. We can definitely agree on a price.
June 27, 2025:
[02:44:48] User: Hello, we are offering you 200K€
[02:45:35] shinycorp: Hello
[02:46:44] shinycorp: That price is totally unacceptable. at least 500,000 euros. As we have already said, otherwise you would risk paying millions in fines.
[…]
[02:58:29] User: My hierarchy believes that our main risk is to suffer another attack
[03:16:43] shinycorp: No. You don’t understand how our reputation works. We do not need to disclose anything in any way. As you mentioned earlier, this is the first time you have experienced such a situation, which we can understand. We can assure you that you will not suffer another attack from us. We are not dishonest people, we are fair and understanding. That‘s our job. Please avoid explaining to us how our reputation works.
[…]
[03:21:08] User: I inform my hierarchy that you will not give in less than 500K€
[…]
June 28, 2025:
[08:37:51] shinycorp: Hello, do you have any news? We hope that this situation can be resolved as soon as possible.
June 30, 2025:
[02:13:55] shinycorp: Hello, if you try to ignore us, know that you will highly regret it.
July 1, 2025:
[04:08:37] User: We don’t ignore you
[04:10:34] User: But the hierarchy is fearful but finally decided to proceed with the ransom payment
[04:11:05] User: At the price you wanted: 500 k€
[04:12:51] shinycorp: Hello, we are glad to hear that. We accept.
[04:13:22] User: The steps are underway, we are waiting for the last signatures
[04:15:25] shinycorp: Okay
July 2, 2025:
[04:52:26] shinycorp: Hello, any news?
[05:15:39] User: Hello, we are waiting for confirmation of the opening of an account in crypto-assets.
[…]
[10:55:07] User: I just found out that we can proceed with the payment tomorrow.
[10:55:13] User: Thank you for your patience
July 3, 2025:
[05:15:38] shinycorp: Okay
July 4, 2025:
[03:09:08] shinycorp: Hello, you promised us a payment yesterday, but we haven’t received anything. any news? [04:23:45] User: Hello
[04:24:05] User: we had a delay for the creation of the account
[04:24:09] User: https://blockstream.info/tx/[redacted by DataBreaches.net]
[04:24:18] User: attached is the proof of the test payment
[04:24:24] User: I invite you to check
[04:52:42] shinycorp: Received
[06:17:52] shinycorp: Please broadcast the transaction.
[07:45:06] User: file:///C:/Users/X/Desktop/blockstream.htm
[07:46:28] User: https://blockstream.info/tx/[redacted by DataBreaches.net]
[07:46:39] User: I’m resending the link to you
[07:58:01] shinycorp: Please continue with the rest of the funds.
[08:16:55] shinycorp: Will the rest of the funds be sent today? We really hope that this case will be resolved today. Once the full payment is received, we will provide what we promised within two hours. This has already gone on for far too long.
[08:19:46] User: I don‘t know but I think so
[08:20:17] shinycorp: Please finalize that. We have a question: are you a representative of Kering or Balenciaga?
July 13, 2024:
[07:15:11] shinycorp: This is your last warning before we disclose your data. Answer us, you have 72 hours. Let’s settle this once and for all, otherwise we will publicly humiliate you and contact our media contacts about this incident.
July 21, 2024:
[08:52:46] User: Hello,
[08:53:10] User: I don’t understand your threats, the payment order has been made for a while
[08:53:28] User: I was just waiting for a feedback from you on this
[14:07:05] shinycorp: Why are you lying to us? You have only sent a test payment of 0.00045 BTC to:
You never sent us the full amount as we agreed. You are very lucky that we have not disclosed the data yet. If you paid us as you say, did you want proof of the deletion of the data that we never sent? So how can you say that you have paid us the full amount when you obviously haven‘t and that we still have your data? You say you‘ve been waiting to hear from us, but the last time we spoke to you was on July 4th, and we haven’t heard from you since. In fact, you haven’t even informed us about sending the full payment. You have only informed us of the test payment that has been sent to us, which we have confirmed. Why are you lying???
[14:07:05] shinycorp: We asked you if you were going to finalize the full payment the same day the test payment was sent, you told us that you didn’t know. We have never received a test payment. You are lying and we are very angry. You have been testing our patience for a very long time and we are just a stone’s throw away from disclosing the data and contacting our media contacts to let them know about all this communication. Stop telling us nonsense and pay us NOW. Pay us at the same Bitcoin address here:
July 22, 2025:
[08:04:09] User: Have you received our funds?
[08:04:52] shinycorp: We said no.
[08:05:15] shinycorp: We only received the test payment, we never received the full payment.
[08:05:28] shinycorp: Please read what we said above.
[08:10:21] shinycorp: We’re tired of you wasting our time. Can you tell us if you intend to pay us the amount you promised (500,000 euros) or if you do not intend to pay us and that we can take the measures that we have announced. We may disclose the data, contact the media and the press about this situation, etc. Let us know, please, so that we can stop wasting our time.
[08:30:47] User: Being on vacation, for the last few weeks, I thought the case was settled. I am as upset as you are to learn that the payment has not been made to the extent that I too am wasting my time. At the moment, I don’t have any information about the reason but I will check with the financial department who is not doing their job.
[08:32:05] shinycorp: We need confirmation that you are going to pay us or not. We no longer have any reason to be nice to you or to be patient with you.
[08:33:21] User: That‘s the reason I‘m checking with the financial department
[08:34:15] shinycorp: I hope we can solve this problem once and for all.
[08:49:52] shinycorp: When will we hear from you? We would appreciate it if this issue were addressed urgently and as a matter of priority.
July 25, 2025:
[08:18:16] shinycorp: It’s been three days since we spoke, do you intend to solve this problem and pay us or not? [13:48:59] shinycorp: Since this information is now public : We are responsible for the attacks on LVMH and its subsidiaries. Notably Dior, Louis Vuitton, among others. If you search for “LVMH ShinyHunters” or “Dior ShinyHunters” on Google, you will see. We tell you this only to reassure you: if you pay us, we will not disclose your data and you will be able to continue fulfilling your disclosure obligations without interference from us. But if you don’t pay us, we promise that we will make your life impossible. All our conversations with you WILL be transmitted to the press and publicly disclosed online so that the whole world can read them, as well as all the data.
July 30, 2025:
[15:47:28] User: It is indicated in the press that the Shinyhunters group has been arrested by the police.
[15:48:26] User: we’re willing to pay the shinyhunter group given their reputation. But there is no guarantee that you are a member of the group
[15:49:01] User: This is the reason why our company is finally hesitant to proceed with the payment
[15:49:31] User: I couldn’t find any way to guarantee your identity
[16:03:43] shinycorp: Hello
[16:05:49] shinycorp: We haven’t been arrested, we can verify our identity using our ShinyHunters PGP key. The French law enforcement agencies have once again failed to arrest the wrong people. We are always in possession of all your data. We can send you a new sample of 10,000 recordings.
[16:13:27] shinycorp: This is the same qTox account ID that we (the ShinyHunters Group) use to communicate and negotiate with other companies. You are talking to the real ShinyHunters group. We have not been arrested, we can verify our identity through PGP verification. Our public PGP key is listed here : PGP: https://pastebin.com/raw/qUp9Ax9M Our group remains active, as you can see by reading the recent BleepingComputer article : “While Allianz Life declined to answer questions about the threat actor and whether they were being extorted, BleepingComputer has learned that the attack is believed to have been conducted by the ShinyHunters extortion group.” Let’s not delay any longer, please.
[16:21:52] shinycorp: This settlement should have been settled several weeks ago, let’s not delay any longer, please. Here is the PGP verification of our identity :
July 31, 2025:
[05:09:47] shinycorp: We don’t appreciate this delaying attitude you’re taking. If you are not serious in your desire to resolve this situation amicably and pay us, why do you keep coming back? It is clear that our ShinyHunters group is still active, since articles about us are published every week : https://www.bleepingcomputer.com/news/security/shinyhunters-behind-salesforce-data-theft-attacks-at-qantas-allianz-life-and-lvmh/ We have data from Balenciaga, Alexander McQueen, Brioni and Gucci. If you keep making us wait, we will have no choice but to increase the ransom amount or start disclosing all this data and inform our media contacts about it.
August 5, 2025:
[09:51:19] User: We are not taking any dilatory measures. It is normal that for € 500K we carry out security measures.
[09:52:32] User: We checked your PGP but we found no way to make sure that you didn’t steal the PGP key. [14:04:51] shinycorp: Hello
[14:08:53] shinycorp: You put more than a month for 500,000 dollars, it’s not There is no way that we have stolen the PGP key. You think that the French police arrested the real ShinyHunters, but that’s not true. It is already beginning to be common knowledge that the police have arrested an affiliate instead of the leader : https://databreaches.net/2025/08/03/are-scattered-spider-and-shinyhunters-one-group-or-two-and-who-did-france-arrest/ We told you that in addition to PGP, we have all your data. If we weren’t the real ShinyHunters, we wouldn’t have your data.
[14:48:17] shinycorp: Here is the signed PGP message, we signed it when you sent us a message last week. We can sign a new message right now at your request. We have your data, Balenciaga, AlexanderMcQueen, Gucci and Brioni. Let’s put an end to all this and move on. It’s very simple. If this cannot be resolved, you must inform us immediately, then we will proceed to the disclosure of your data, our communications to the press, and then to the whole world. Thanks.
https://limewire.com/d/h2d1D#RqHue7kVRG
August 13, 2025:
[09:04:25] User: We are still waiting for a hierarchical decision because the decision or not of a payment will finally be taken by the highest authorities.
[09:05:09] User: As I told you before, there is still a great doubt about your identity insofar as there is no guarantee that you did not steal the PGP key
August 16, 2025:
[13:32:00] shinycorp: We are still waiting for your decision. We have already told you that we are the same people. The French authorities are lying to you by claiming to have arrested ShinyHunters. We are still alive and active. Please search our name on Google to read recent articles about us. We are refraining from disclosing your data for the moment, but if you delay too long, we will disclose it and put an end to this case. We will also disclose all the conversations we have had with you to our media.
August 18, 2025:
[12:53:28] shinycorp: Let’s settle this once and for all.
shinycorp: We have shown incredible patience towards you and the only reason why we have not disclosed your Gucci, Balenciaga, Brioni and AlexanderMcQueen databases is because we believe that you will pay the 500,000 euros as agreed and put an end to this case. There is no reason why you should take so much time. We have sent you another message signed PGP and have provided you with other samples of the data. We are the same people you have been communicating with since day one. The French authorities got the wrong person. Even the media say so. Are you really going to entrust your business to law enforcement? They are incompetent and do not know how to handle this situation.
So… did French law enforcement mislead Balenciaga into thinking that ShinyHunters had been arrested and, therefore, “shinycorp” was a fake? Or perhaps Balenciaga just used the arrest claims as an excuse to protract negotiations and an excuse not to pay?
Balenciaga’s message on August 13 was their last post. Now it’s your turn. What do you think? Was Balenciaga just stringing ShinyHunters along the whole time, or did they really have a change of heart about paying? Do you think they were influenced by statements by French law enforcement or just using those statements as an excuse? Use the Comments section below this post to tell us your take on the negotiations.
Who Has Been Notified?
DataBreaches was unable to find any press release or notification from Kering or its brands about these breaches. Because Kering did not respond to emailed inquiries about the breaches, there is still much we do not know.
Have the retailers or Kering notified any regulators in France or other countries? We do not know.
Have the retailers or Kering notified any consumers about the breaches? We do not know.
DataBreaches emailed a small sample of U.S. customers of the breaches to ask whether they had received any notification of the breach(es). Some of the email inquiries bounced back, which is not surprising given that some of the email addresses were from 2017. Other email inquiries did not bounce back, and DataBreaches will update this post if any replies are received.
What Should Customers Do?
As of this publication, the data from the two breaches has not been leaked publicly or sold. DataBreaches asked ShinyHunters what their intentions are with respect to the data, and received a “likely leak it” response.
The stored data that DataBreaches viewed doesn’t present particularly significant challenges for U.S. customers in terms of identity theft risks because it does not contain any Social Security numbers or payment card information. Whether identifiers provided for customers of other nationalities might be problematic for those individuals is unknown to DataBreaches. But once these breaches make headlines, as they almost certainly will because they are high-end retailers, then anyone who might have been a customer should remain alert that scammers may try to contact them posing as the store or customer service following up on the breach or they may receive emails about the breach with links that might result in your browser being infected with malware.
As always, do not give out personal information on the phone or via text or email to strangers. If you have doubts, search Google for the phone number or contact information for the retailer and use that number to contact them with your questions or concerns.
If anyone receives a notification email or letter from Kering or one of the affected brands, please email a copy to info@databreaches[.]net.
Update: ShinyHunters and others have announced they are going dark.
Update and Clarification: On September 15, DataBreaches published a follow-up to this post that addressed some of the questions raised. But many questions and claims remain unaddressed. In a case of a “he said vs. they said” conflict, it is important to be clear about what we can actually confirm, especially since the chat logs in this post were provided to DataBreaches in text format.
Can we prove the negotiations ever happened? No. The chat logs could have been totally fabricated and constructed to use a bitcoin deposit that might have absolutely nothing to do with Kering. Kering may have appeared to be lying, but they may have been telling the absolute truth.
Do entities ever lie? Sure. Do criminals ever lie? Heck, yes.
If the negotiations ever really happened, can we be sure that they were conducted by the individual known as ShinyHunters as claimed in the material given to this site? No.
If the negotiations ever really happened, can we be sure that they occurred on the dates and times provided in the material given to this site? No. They could have been altered or fabricated totally.
Reporting on claims by threat actors is fraught with difficulty, which is why it is even more important for entities to be transparent and answer questions.
LONG LIVE SHINYHUNTERS SCATTERED SPIDER THE ONE AND ONLY LEGENDS!!!!!