ShinyHunters Claim Santander Bank Breach Affecting 30 Million Customers and Employees

By Lore Apostol / June 3, 2024

ShinyHunters allegedly stole Santander information that includes 28 million credit card numbers, 6 million account numbers and balances, and staff HR details. Researchers from Dark Web Informer found the infamous hacking group selling the database on the Dark Web for $2 million, after the bank announced the breach two weeks ago. In the post, the attackers also say, “Santander is also very welcome if they want to buy this data.”

[Image: Santander breach Dark Web post. Image credit: Dark Web Informer]

The bank, which employs 200,000 people worldwide, recently issued a breach notification letter saying a supply chain attack left a database with sensitive customer details exposed to an unauthorized third party. The banking giant later discovered the only ones affected were Santander’s banks in Chile, Spain, and Uruguay.

"Following an investigation, we have now confirmed that certain information relating to customers of Santander Chile, Spain, and Uruguay, as well as all current and some former Santander employees of the group, had been accessed," the statement said. "No transactional data, nor any credentials that would allow transactions to take place on accounts are contained in the database, including online banking details and passwords."

In a now-deleted post, cybersecurity firm Hudson Rock reported that a threat actor may have used the stolen credentials of a single employee of the cloud storage firm Snowflake for this breach and one affecting 560 million Ticketmaster accounts (publicly acknowledged on Friday). These credentials may have been used to bypass the authentication service Okta and then to generate session tokens to obtain data from Snowflake, possibly gaining access to several other Snowflake customers, such as AT&T, HP, Instacart, DoorDash, NBCUniversal, and Mastercard – but Snowflake denies the claim.

The ShinyHunters group has previously sold data confirmed to have been stolen from US telecoms firm AT&T, and the names, addresses, phone numbers, and partial payment details of 560 million Ticketmaster customers are still in the open, as the group asks for a $500,000 ransom payment from Ticketmaster to refrain from selling the data trove on the Dark Web.

It’s also important to note that open-source intelligence researcher CyberKnow said the Ticketmaster leak contains "some questionable aspects" and that it could be a PR stunt for what appears to be the rebooted forum.
