Ingram Content Group, Inc. Data Breach

Alleged

Extortion claim involving Ingram Content Group, Inc.

Published: Jul 1, 2026 ShinyHunters
Threat Level
High
Confidence: High

Quick Summary

Alleged
Company
Ingram Content Group, Inc.
Industry
Business Services
Threat Actor
ShinyHunters
Date of Incident
Jul 1, 2026

Executive Summary

Ingram Content Group, Inc., a business services company operating in the United States, has been identified as a victim by the ShinyHunters extortion group. The incident was published on the group’s dark web portal on July 1, 2026, and was detected by SOCRadar’s Dark Web Monitoring service. The company’s sector, Business Services, encompasses distribution, logistics, and content services. This listing places Ingram Content Group among a recent trend of US-based organizations targeted by ShinyHunters. In the 60 days prior to this listing, ShinyHunters claimed 24 other victims, with a notable concentration in the education, healthcare, and business services sectors. Their geographical focus has primarily been on the United States, the United Kingdom, and the Netherlands. Other US-based or business-services companies like BCD Travel, Baker Distributing Company, Fluke Corporation, and IC Security have also been listed by ShinyHunters, aligning with their pattern of targeting service-oriented enterprises.

Technical Analysis

SOCRadar’s analysis of stealer-log telemetry revealed a credential exposure related to the ingramcontent.com domain. This exposure included one corporate credential on a third-party SaaS platform, consistent with endpoint compromise, alongside approximately two dozen external or partner credentials for internal Ingram portals. However, it is crucial to note that ShinyHunters does not consistently rely on infostealer-driven initial access. Their historical tactics involve large-scale credential abuse against SaaS tenants and social-engineering campaigns, rather than solely depending on commodity stealer logs. The identified credential exposure exists in parallel to the leak-site listing and cannot be definitively linked as the cause of this specific incident; infostealer-to-initial-access is not considered the dominant vector for this actor class.