ZenBusiness data breach: ShinyHunters sets March 30 deadline

Kavitha Nair
By
Kavitha Nair
Tech writer at All Things Geek. Covers the business and industry of technology.
9 Min Read
ZenBusiness data breach: ShinyHunters sets March 30 deadline

The ZenBusiness data breach represents the latest escalation in ShinyHunters’ extortion campaign, with the hacking group claiming to have stolen several terabytes of sensitive data from the US-based business formation service and setting a March 30, 2026 deadline for payment. The threat arrives as the same group continues targeting hundreds of companies through compromised Salesforce environments, signaling a shift toward more aggressive ransom tactics across the SaaS ecosystem.

Key Takeaways

  • ShinyHunters claims several terabytes of ZenBusiness data were exfiltrated from Snowflake, Mixpanel, Salesforce, and other platforms
  • Hackers issued a “final warning” with a March 30, 2026 deadline, threatening to leak data unless ransom is paid
  • ZenBusiness, backed by investor Mark Cuban, has not publicly confirmed the breach or responded to extortion demands
  • ShinyHunters recently breached Crunchbase (2 million records) and is linked to 300-400 Salesforce customer compromises since September 2025
  • The group has been active since 2020, using compromised credentials, cloud service misconfigurations, and social engineering

What the ZenBusiness Data Breach Reveals About Cloud Security Gaps

The ZenBusiness data breach exposes a critical vulnerability in how businesses secure data across multiple cloud platforms. ShinyHunters claims to have accessed internal company information, customer data, and employee records through compromised Snowflake, Mixpanel, Salesforce, and other cloud services. This is not an isolated incident—the same group has been systematically exploiting overly permissive configurations in Salesforce Experience Cloud since September 2025, targeting an estimated 300-400 companies including cybersecurity firms, enterprise software makers, and financial services providers. The breadth of targets suggests that cloud misconfigurations are now the primary attack vector for organized extortion groups, and most organizations have not yet implemented adequate access controls.

What distinguishes this breach is the scale of data allegedly taken. Several terabytes is substantial enough to contain years of operational records, customer communications, financial data, and proprietary business information. For a company like ZenBusiness that handles sensitive incorporation documents, tax filings, and compliance records for thousands of small businesses, a leak of this magnitude could expose customer data to secondary attacks, regulatory violations, and identity theft.

ShinyHunters’ Escalating Extortion Playbook

ShinyHunters issued what they call a “final warning” to ZenBusiness, demanding contact by March 30, 2026, with the message: “This is a final warning to reach out by 30 Mar 2026 before we leak along with several annoying (digital) problems that’ll come your way. Make the right decision, don’t be the next headline”. This language mirrors the group’s previous extortion attempts but signals a shift toward more aggressive pressure tactics. The deadline creates artificial urgency and is designed to force a decision before the target can coordinate a full incident response or law enforcement intervention.

ShinyHunters has been active since 2020 and operates on a straightforward financial model: steal data, demand ransom, leak if payment is refused. The group’s recent activity shows increasing confidence. In early 2026, they successfully exfiltrated 2 million records from Crunchbase, and the company confirmed the breach while noting that “no business operations have been disrupted”. Crunchbase’s measured response—engaging cybersecurity experts and contacting federal law enforcement—represents the playbook most targeted organizations now follow, yet it has not deterred ShinyHunters from continuing similar attacks against other targets.

Why ZenBusiness Is a High-Value Target

ZenBusiness operates in a sector where data is inherently sensitive. The platform helps entrepreneurs file business formation documents, handle compliance filings, and manage tax obligations. A successful breach gives attackers access to customer identity information, business structures, financial details, and correspondence with company founders and their advisors. For a hacking group focused on extortion, this data is more valuable than technical credentials alone because it affects both the company and its customer base, multiplying the pressure to pay.

The involvement of Mark Cuban as a backer adds another dimension to the breach’s significance. While Cuban’s investment does not change the technical severity of the incident, it raises the profile of the company and may accelerate both the incident response timeline and media attention. High-profile breaches tend to trigger faster law enforcement involvement and more aggressive defense strategies, which may be why ShinyHunters set a firm deadline rather than allowing negotiations to drag on indefinitely.

The Broader Salesforce Campaign Context

The ZenBusiness breach does not exist in isolation. Security researchers have documented a sustained campaign in which ShinyHunters and related threat actors exploit Salesforce Experience Cloud guest user misconfigurations to gain initial access to corporate networks. The attackers use an open-source tool called AuraInspector to automate vulnerability scanning across Salesforce environments, identifying organizations with overly permissive guest access controls. Once inside, they move laterally to other cloud services—Snowflake, Mixpanel, and others—to exfiltrate bulk data. This multi-cloud attack pattern suggests that organizations relying on Salesforce as a central platform must assume they are also responsible for securing downstream integrations and data flows to other SaaS tools.

Has ZenBusiness Publicly Responded?

As of the time these reports emerged, ZenBusiness had not publicly confirmed the breach or issued a statement addressing the extortion threat. This silence is notable because it suggests either that the company is still assessing the scope of the incident or that it is attempting to handle the matter through law enforcement and private negotiation channels without drawing public attention. However, silence also gives ShinyHunters more room to amplify their claims and maintain pressure.

What Organizations Should Do Now

The ZenBusiness data breach and the broader ShinyHunters campaign underscore three urgent priorities for any organization using cloud platforms. First, audit guest access controls in Salesforce and other SaaS applications—overly permissive configurations are the primary entry point for these attacks. Second, implement data loss prevention (DLP) tools and monitor for unusual bulk exports from Snowflake, Mixpanel, and similar data repositories. Third, assume that if you use Salesforce, you may already be a target, and ensure incident response plans are current and tested. Waiting for a “final warning” is too late.

Is the ZenBusiness data breach confirmed?

The breach has not been independently verified. ShinyHunters claims to have stolen several terabytes from ZenBusiness, but the company has not publicly confirmed the incident or provided details about the scope. No data samples have been leaked publicly yet, so the authenticity of the threat remains unconfirmed.

What platforms were compromised in the ZenBusiness breach?

ShinyHunters claims data was exfiltrated from Snowflake, Mixpanel, Salesforce, and other platforms used by ZenBusiness. The exact scope of which platforms were accessed and what data was extracted has not been independently verified.

How does this breach relate to the broader Salesforce attacks?

ShinyHunters is linked to a sustained campaign targeting 300-400 Salesforce customers through Experience Cloud misconfigurations since September 2025. The ZenBusiness incident appears to follow the same pattern: initial access via Salesforce, lateral movement to data repositories like Snowflake and Mixpanel, and bulk exfiltration for extortion purposes.

The ZenBusiness data breach is a reminder that cloud security is only as strong as the weakest link in an organization’s SaaS ecosystem. ShinyHunters has proven they can exploit misconfigurations in widely used platforms, move laterally across connected services, and extract massive volumes of sensitive data. The March 30, 2026 deadline they set is a pressure tactic, but the underlying threat—that terabytes of business and customer data are at risk—is real. Organizations cannot wait for public confirmation or law enforcement action. The time to audit cloud access controls and implement detection systems is now.

Edited by the All Things Geek team.

Source: TechRadar

Share This Article
Tech writer at All Things Geek. Covers the business and industry of technology.