Kodak Data Breach Confirmed After ShinyHunters Claims 2.2M Records

Kodak confirms a cybersecurity breach after extortion gang ShinyHunters claims to have stolen 2.2+ million records. Learn what data may be affected, how the attack unfolded, and why this reflects a broader trend in corporate data security.

Govern Identity Before Data Becomes Extortion
  • June 17, 2026

Kodak Data Breach

Kodak acknowledged a security incident on June 17, 2026, saying an “unauthorized third party” briefly accessed a limited amount of company data. According to Kodak, the breach did not pose any ongoing threat to its operations.

Kodak’s statement emphasized that attackers had only temporary access and that specialists are determining exactly which data were “accessed and copied” during the incident. So far, Kodak has not revealed how the hackers got in or whether any customer systems were compromised.

Extortion Threat: 2.2M Records at Risk

The hacking group ShinyHunters listed Kodak on its dark web leak site. ShinyHunters stated that it exfiltrated over 2.2 million files containing customers’ personal and other internal corporate data.

The gang issued a “Pay or Leak” message with a strict deadline for the company. If Kodak does not reach out to ShinyHunters by 18 June 2026, the group says the data theft will be made public and “several annoying problems” will arise.

  • Data Theft Details: “Over 2.2 million records containing customer PII and other internal corporate data”
  • Time Limit to Pay Ransom: Reach out to ShinyHunters by 18 June 2026 or face a data leak and digital problems.
  • Threat: ShinyHunters warned of a data leak and “digital problems” for Kodak.

Kodak has not released details of the leak, and for now there is no evidence confirming the group’s claim of data theft. It nonetheless seems quite possible that the gang breached the firm: the image of the leak page shows the official Kodak site link “kodak.com” alongside an extortion message dated 16 June 2026.

Threat Assessment: While Kodak has not verified ShinyHunters’ 2.2M record claim, the extortion listing with an official kodak.com reference and a hard deadline suggests a credible breach. Organizations with similar exposure should monitor leak sites and review incident response readiness.

Who Is ShinyHunters?

ShinyHunters is a financially motivated cybercrime group that has been operating since 2019. The group targets enterprises and cloud environments, stealing valuable data and holding companies to ransom in exchange for not publishing it.

Some of the major operations carried out by ShinyHunters:

  • Campaigns against Salesforce/SaaS platforms (2025): ShinyHunters engaged in voice phishing to have company employees authorize access to their Salesforce account via a malicious app. Through these breaches, ShinyHunters accessed data belonging to numerous corporations amounting to more than one billion records in total. To force the payment of ransom fees, ShinyHunters warned of posting the stolen Salesforce data on their extortion blog.
  • Exploitation of Oracle PeopleSoft flaw (May-June 2026): At least 100 organizations fell victim to ShinyHunters before an emergency patch became available. This shows ShinyHunters’ preference for exploiting vulnerabilities in enterprise software.
  • Most Recent Extortion Campaign: During June 2026, multiple global organizations reported a series of breaches by ShinyHunters. The group claims to have extracted 61 million Salesforce customer records belonging to American food distributor Sysco as well as hundreds of thousands of records of students attending a community college.

The examples above demonstrate that ShinyHunters targets organizations across a variety of sectors, including education and consumer goods providers. ShinyHunters mostly targets corporations that maintain substantial databases.

The ShinyHunters group tends to exploit weaknesses in cloud systems and external vendors, and often attacks cloud applications instead of on-premises infrastructure. The following are some of its tactics:

  • Cloud misconfiguration and SaaS application exploitation: The group searches for open access through applications such as Salesforce or AWS. It can gain unauthorized access when permissions are not properly configured or when an administrator portal is exposed.
  • Stolen tokens and APIs: The group uses social engineering to steal API and OAuth tokens, which let it act through another application and then access databases or the CRM.
  • Vishing: The group poses as IT support on voice calls to obtain passwords, gaining account access without having to breach any security measures.
  • Zero-day attacks: The group uses unpatched zero-day exploits, such as the Oracle PeopleSoft vulnerabilities, to enter an organization’s system.
  • Exploitation of old vulnerabilities: The group chains several older vulnerabilities to exploit identity and SSO solutions.
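
The token and vishing tactics above translate into a concrete detection. The following is an added example, not part of the original article or of any vendor's product: it flags OAuth grants to apps outside an approved list and totals the rows each such app reads afterward. The event schema, app names, scope names and thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed, simplified audit schema (not a real SaaS log format).
APPROVED_APPS = {"Corp Data Loader"}             # assumed allowlist of vetted apps
BROAD_SCOPES = {"full", "api", "refresh_token"}  # assumed names for wide-access scopes
WINDOW = timedelta(hours=24)                     # triage window after the grant
BULK_ROWS = 50_000                               # assumed bulk-export threshold

def ev(ts, user, event, app, scopes=(), rows=0):
    """Build one audit event in the constructed schema."""
    return {"ts": datetime.fromisoformat(ts), "user": user, "event": event,
            "app": app, "scopes": set(scopes), "rows": rows}

SAMPLE_EVENTS = [  # constructed sample data
    ev("2026-06-01T09:00:00", "alice", "oauth_grant", "Corp Data Loader", ["api"]),
    ev("2026-06-01T09:30:00", "alice", "api_query", "Corp Data Loader", rows=90_000),
    ev("2026-06-02T14:05:00", "bob", "oauth_grant", "My Ticket Portal",
       ["api", "refresh_token"]),
    ev("2026-06-02T14:20:00", "bob", "api_query", "My Ticket Portal", rows=40_000),
    ev("2026-06-02T19:00:00", "bob", "api_query", "My Ticket Portal", rows=35_000),
    ev("2026-06-03T10:00:00", "carol", "oauth_grant", "Calendar Helper", ["api"]),
    ev("2026-06-03T10:10:00", "carol", "api_query", "Calendar Helper", rows=120),
    ev("2026-06-03T11:00:00", "dave", "oauth_grant", "Login Badge", ["openid"]),
]

def find_suspicious_grants(events, approved=APPROVED_APPS):
    """Flag broad-scope grants to unapproved apps and total rows read afterwards."""
    alerts = []
    for g in events:
        if g["event"] != "oauth_grant" or g["app"] in approved:
            continue
        if not (g["scopes"] & BROAD_SCOPES):
            continue  # narrow scopes (e.g. sign-in only) are not flagged here
        rows = sum(e["rows"] for e in events
                   if e["event"] == "api_query"
                   and (e["user"], e["app"]) == (g["user"], g["app"])
                   and g["ts"] <= e["ts"] <= g["ts"] + WINDOW)
        alerts.append({"user": g["user"], "app": g["app"], "rows_read": rows,
                       "severity": "high" if rows >= BULK_ROWS else "review"})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_grants(SAMPLE_EVENTS):
        print(alert)
```

Every unapproved broad-scope grant is surfaced even when little data has moved yet, because the grant itself is the step a vishing call is trying to obtain.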

Kodak has yet to identify any specific indicators such as IP address ranges or malware. However, the history of such attacks shows that ShinyHunters generally uses cloud-hosted command-and-control (C&C) infrastructure and may also execute custom scripts on the victim’s computer. In the Oracle case, a cluster of IP addresses was associated with commands.

By adding Kodak to its leak site, ShinyHunters continues the trend of making public extortion threats. Kodak becomes another example of how attackers combine technical and non-technical methods to extort victims.

Conclusion: When Data Theft Becomes Public Pressure

The Kodak breach shows how modern extortion campaigns turn temporary access into long-term business pressure. Kodak says an unauthorized third party briefly accessed a limited amount of company data, while ShinyHunters claims more than 2.2 million records were stolen, including customer PII and internal corporate data.

Whether the final confirmed volume is smaller or larger, the security lesson is clear. Once attackers can access sensitive data, the breach is no longer only technical. It becomes reputational, legal, operational, and public.

Why This Threat Matters

ShinyHunters does not rely on one attack method. The group has repeatedly abused cloud applications, stolen tokens, SaaS access, exposed systems, social engineering, and enterprise vulnerabilities to reach high-value data.

  • Temporary access can still lead to copied records
  • Customer PII creates fraud, phishing, and identity risk
  • Internal corporate data can expose business operations
  • Leak-site pressure forces victims into public response mode
  • Cloud, SaaS, and identity weaknesses can bypass traditional perimeter defenses

For enterprises, the question is no longer only “Was data encrypted?” or “Was malware detected?” The real question is whether access, execution, and data movement were governed before the attacker created impact.

Where Xcitium Changes the Outcome

Xcitium helps organizations reduce the paths groups like ShinyHunters commonly abuse.

Xcitium ITDR strengthens the identity layer by helping detect risky access, abnormal user behavior, suspicious sessions, and unauthorized movement across cloud and business systems.

Xcitium Vulnerability Assessment helps expose weak configurations, vulnerable services, and patch gaps before attackers turn them into entry points.

And when attackers attempt to run unknown tools, scripts, or payloads inside the environment, Xcitium Advanced EDR, powered by Xcitium’s patented Zero-Dwell platform, applies Execution Governance.

Unknown code does not receive unrestricted execution rights.
Code can run without being able to cause damage.
Runtime control is enforced before trust exists.
Security teams gain proof of what unknown execution could not do.

With Xcitium in place, common breach paths lose their ability to turn access into uncontrolled impact.

Extortion Starts Where Control Ends

The Kodak incident is a reminder that attackers do not need to destroy systems to create pressure. Access to sensitive records is enough. A leak-site deadline is enough. A credible data theft claim is enough.

Detection explains what may have happened.
Execution Governance proves what unknown activity could not do.

Secure identity.
Find exposure early.
Govern execution before trust.

Choose Xcitium to reduce breach paths, protect sensitive data, and prove control before attackers turn access into extortion.
