Kodak Confirms ShinyHunters Breach, 2.2M Records

Kodak, the camera and imaging company that survived bankruptcy in 2013 to reinvent itself as a commercial printing and materials science firm, is now contending with a data breach claim from ShinyHunters — the extortion group responsible for some of the most significant corporate data thefts of 2025 and 2026. On June 15, ShinyHunters listed Kodak on its dark web site, claiming 2.2 million records of customer personally identifiable information and internal corporate data stolen from Kodak's systems. Three days later, Kodak confirmed the breach. The company's statement acknowledged "unauthorized third party" access but characterized the exposure as "a limited amount of company data" — language that stands in notable contrast to a claim of 2.2 million records.

Key Takeaways

• ShinyHunters listed Kodak on its extortion site on June 15, 2026, claiming 2.2 million customer PII records and internal corporate data were stolen.
• Kodak confirmed the breach on June 18 — the day ShinyHunters' deadline passed — but did not disclose which categories of customer data were accessed or how many customers were affected.
• ShinyHunters released no proof samples for the Kodak breach, consistent with the group's tactic of using the deadline itself as leverage rather than publishing evidence.
• In 2026 alone, ShinyHunters has claimed major breaches at Charter Communications (42 million alleged records), Oracle PeopleSoft (100+ companies), Instructure Canvas (9,000+ educational institutions), and now Kodak.
• Customers who have purchased Kodak products or services — including Kodak Moments photo printing customers — should assume their account data may have been among the records exposed until Kodak provides a more specific disclosure.

The ShinyHunters Playbook

ShinyHunters operates as a ransomware and extortion group that has refined a particular methodology: list the victim on a public dark web site, set a short deadline (typically 72 hours to one week), demand payment for data deletion, and threaten to publish or sell the stolen data if the deadline passes without engagement. The group deliberately withholds proof samples before the deadline — the listing itself, accompanied by the threat, is designed to generate enough uncertainty that victims or their cyber insurers consider paying even without verified evidence of the full breach scope.

The Kodak breach follows this template precisely. ShinyHunters published the listing on June 15, set a June 18 deadline, and released no verifiable sample data. Kodak confirmed the breach on June 18 but did not acknowledge the 2.2 million figure, leaving customers and security researchers unable to independently assess the severity. This information asymmetry — the attacker claims scale, the victim acknowledges something happened while minimizing scope — is a known feature of how major breach disclosures unfold, not a reliable indicator of either party's accuracy.

What Kodak Said

Kodak's official statement confirmed that the company "recently discovered that an unauthorized third party illegally gained temporary access to a limited amount of company data." The company said it engaged external cybersecurity experts to investigate what was accessed and copied, and stated it is working with law enforcement. The statement did not specify:

• What categories of customer or employee data were involved
• How many individuals are affected
• When the breach occurred or how the attacker gained access
• Whether any data has been published or sold since the deadline passed
• Whether affected customers will receive individual notification

This level of disclosure is consistent with how companies handle extortion breach disclosures in the first days — enough to acknowledge the event without admitting to scope that could affect ongoing law enforcement investigations or legal liability assessments. It does not resolve whether 2.2 million records were taken or a fraction of that number.

Who Was Affected?

Kodak operates several distinct customer databases depending on which part of its business a customer engaged with:

• Kodak Moments — the consumer photo printing service, which collects names, email addresses, mailing addresses, and payment information for customers ordering prints, photo books, and gifts
• Kodak Alaris — the document scanning and imaging business serving enterprise customers, which would hold business contact and account data
• Kodak commercial printing customers — companies using Kodak's commercial printing equipment and consumables, holding business account and purchasing data
• Employee records — Kodak employs several thousand people across its manufacturing and commercial operations globally

Without a more specific disclosure from Kodak about which systems were accessed, any Kodak customer from any of these lines of business should treat their account data as potentially compromised. The 2.2 million record claim, if accurate, would represent a significant fraction of Kodak's total customer base across its consumer and enterprise products.

ShinyHunters' 2026 Enterprise Campaign

The Kodak breach is one of dozens ShinyHunters has claimed in 2026. The group's activity this year has focused heavily on enterprise SaaS platforms — particularly Salesforce integrations — allowing it to extract customer data from dozens of organizations through a single compromised connection rather than attacking each company individually. Victims in 2026 have included Charter Communications (42 million alleged records via Salesforce), Council of Europe (15 years of payroll records), Oracle PeopleSoft customers across more than 100 organizations, Pitney Bowes, Canada Life, 7-Eleven franchisee data, and now Kodak.

The diversity of victims is part of the pattern. ShinyHunters does not appear to target companies for their specific data value so much as for their breach-ability — the ease with which a third-party integration, exposed credential, or unpatched enterprise system can be leveraged to extract a large number of records that are then monetizable either through extortion or sale on data markets. For security teams, this underscores that breach risk is not just about the strength of a company's own perimeter but about the security posture of every SaaS vendor and integration that touches its customer data.

What Kodak Customers Should Do

Until Kodak provides a more specific disclosure, affected customers — anyone who has used Kodak Moments, ordered from Kodak's commercial or enterprise services, or created an account with any Kodak product — should take precautionary steps:

• Change any password used for a Kodak account, particularly if that password is reused elsewhere
• Enable multi-factor authentication on any account that accepted a Kodak-associated email address for registration or login
• Be alert to phishing emails that reference Kodak products, purchases, or your account — breach data routinely feeds targeted phishing campaigns against the affected company's customers
• Monitor payment cards used with Kodak services for unauthorized charges
• Check haveibeenpwned.com once ShinyHunters' data is verified and ingested — if data publication occurs, it typically appears in breach notification databases within weeks

Sources: BleepingComputer: Kodak Confirms Data Breach Claimed by ShinyHunters | Cybernews: ShinyHunters Claims Kodak Hack | Malwarebytes: Kodak Confirms Breach as Deadline Passes.