The cybercrime group ShinyHunters has added several major companies, including Zara, Carnival, and 7-Eleven, to its data leak site as part of an ongoing extortion campaign targeting organisations through a “pay or leak” model.
According to reporting, the group warned that data linked to multiple companies could be published if ransom demands are not met. The campaign follows a pattern in which victims are listed publicly alongside deadlines for payment, after which data is released or offered for sale.
The latest activity includes claims that more than 9 million records may be at risk across the affected organisations. These figures have not been independently verified, and no detailed breakdown of the alleged datasets has been publicly confirmed.
Zara’s parent company, Inditex, confirmed that a security incident had occurred but stated that it was linked to a third-party service provider rather than its internal systems. The company said the exposed information relates to business operations and does not include customer data such as names, contact details, or payment information.
At the same time, ShinyHunters has listed Zara on its leak site, stating that it intends to release data within days if conditions are not met. The claims have not been independently verified, and the extent of any exposure remains under review.
Carnival and 7-Eleven have also been named in the same campaign, although no official statements confirming breaches from those companies were identified in available reporting. The scope of any potential incidents affecting those organisations has not been publicly detailed.
ShinyHunters is known for targeting cloud services and software platforms to obtain corporate data, often using compromised credentials or access tokens rather than exploiting direct vulnerabilities. Once access is gained, the group extracts datasets and uses them in extortion attempts.
The group’s activity is part of a broader series of incidents in 2026 involving multiple organisations across sectors, including retail, travel, and technology. In many cases, the attacks have involved third-party systems or external service providers rather than direct intrusions into company infrastructure.
No technical details about how access was obtained in the latest cases have been publicly disclosed. Investigations into the claims and verification of any exposed data are ongoing.