Page 189 - Red Hat PR REPORT - OCTOBER 2025
10/8/25, 3:31 PM Shiny Hunters group reportedly extorting Red Hat after stealing data | SC Media
“Reports that ShinyHunters has joined the extortion push point to a shift from pure theft to pressure-based monetization and suggest collaboration or affiliate overlap with the original operators, since their social engineering and malicious OAuth expertise can amplify follow-on access and help convert stolen data into leverage,” explained Soroko. “Security teams should assume any secret shared with Red Hat Consulting or present in internal repos is burned and act immediately.”
Soroko said teams should take the following steps:

Rotate every API token, service account key, SSH key, database password, and signing key that could have touched those workflows, and re-enroll developer access with hardware-backed MFA.

Launch continuous secrets scanning across all repositories, including docs and CERs, and block any commit that contains credentials, while invalidating stale OAuth grants and rebuilding from known-good images and infrastructure as code.

Reduce blast radius with short-lived credentials, least-privilege scoped vault-issued tokens, and OIDC-based workload identity, and turn on detections for mass git clones, unusual API reads, new OAuth app consents, and privilege spikes, backed by just-in-time admin and conditional access.

Prepare for extortion by staging customer and regulator notifications, standing up takedown and negotiation playbooks, planting canary credentials to spot misuse, and monitoring leak sites and marketplaces, while coordinating rotation plans and attestations with affected partners.
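The detections named in the third step (mass git clones, unusual API reads, new OAuth app consents, privilege spikes), as an added illustration that is not from the article, from Soroko, or from Red Hat: a single pass over constructed audit events, where the event format, actor names, baselines and thresholds are all assumptions.

```python
"""Added example: flag the four signals the article lists from a stream of
audit events. The event schema below is constructed, not any product's."""
from collections import defaultdict
from datetime import datetime, timedelta

CLONE_WINDOW = timedelta(minutes=10)
CLONE_THRESHOLD = 5     # distinct repos cloned by one actor inside the window
READ_MULTIPLIER = 5     # reads above this multiple of the actor's baseline
ADMIN_ROLES = {"admin", "owner"}

# Constructed events: (ISO timestamp, actor, action, target).
SAMPLE_EVENTS = [
    ("2025-10-01T09:00:00", "svc-ci", "git.clone", "infra/terraform"),
    ("2025-10-01T09:00:30", "svc-ci", "git.clone", "consulting/engagement-a"),
    ("2025-10-01T09:01:00", "svc-ci", "git.clone", "consulting/engagement-b"),
    ("2025-10-01T09:01:30", "svc-ci", "git.clone", "platform/ci-images"),
    ("2025-10-01T09:02:00", "svc-ci", "git.clone", "platform/secrets-docs"),
    ("2025-10-01T09:02:30", "svc-ci", "git.clone", "infra/terraform"),  # repeat
    ("2025-10-01T09:05:00", "alice", "git.clone", "app/frontend"),
    ("2025-10-01T09:20:00", "bob", "oauth.consent", "ThirdPartySync"),
    ("2025-10-01T09:21:00", "bob", "role.grant", "admin"),
] + [("2025-10-01T10:%02d:00" % i, "svc-backup", "api.read", "/repos") for i in range(12)]
# Constructed per-actor baseline of API reads for a comparable period.
BASELINE_READS = {"svc-backup": 2, "alice": 4}

def detect(events, baseline_reads):
    """Return (rule, actor, detail) alerts; mass-clone fires once per actor."""
    alerts, fired = [], set()
    clones = defaultdict(list)          # actor -> [(timestamp, repo)]
    reads = defaultdict(int)            # actor -> API read count
    for ts_str, actor, action, target in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        if action == "git.clone":
            clones[actor].append((ts, target))
            recent = {r for t, r in clones[actor] if ts - t <= CLONE_WINDOW}
            if len(recent) >= CLONE_THRESHOLD and actor not in fired:
                fired.add(actor)
                alerts.append(("mass_clone", actor, "%d repos in %s" % (len(recent), CLONE_WINDOW)))
        elif action == "api.read":
            reads[actor] += 1
        elif action == "oauth.consent":     # a newly consented OAuth app
            alerts.append(("new_oauth_app", actor, target))
        elif action == "role.grant" and target in ADMIN_ROLES:
            alerts.append(("privilege_spike", actor, target))
    for actor, n in reads.items():          # volume check after the pass
        base = baseline_reads.get(actor, 0)
        if n > READ_MULTIPLIER * max(base, 1):
            alerts.append(("unusual_api_reads", actor, "%d reads vs baseline %d" % (n, base)))
    return alerts
```

Wiring this to real audit sources (git server, API gateway, identity provider) means mapping their event names onto the four actions above; the repeated clone of infra/terraform shows why distinct repos, not raw clone count, drive the mass-clone rule.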
https://www.scworld.com/news/shiny-hunters-group-reportedly-extorting-red-hat-after-stealing-data