A hacking group has started to flood a dark web hacking marketplace with databases containing a combined total of 73.2 million user records over 11 different companies. For the past week, a hacking group known as Shiny Hunters has been busy selling a steady stream of user databases from alleged data breaches. It started last weekend with Tokopedia, Indonesia’s largest online store, where a database of over 90 million user records was being sold.

Soon after, Shiny Hunters began selling a database of 22 million user records for Unacademy, one of India’s largest online learning platforms. After being contacted by BleepingComputer, the company released a statement that their company was breached.

On Wednesday, Shiny Hunters continued their rampage by claiming to hack into Microsoft’s GitHub account earlier this year and leaking files from the company’s private source code repositories.

While Microsoft has not officially admitted that their GitHub account was breached, sources have told BleepingComputer that the shared data was indeed private repositories only accessible to Microsoft employees.

Now selling user records from 11 data breaches

Earlier this week, BleepingComputer was told by cyber intelligence firm ZeroFox that Shiny Hunters had begun selling databases for the meal kit delivery service HomeChef, photo print service ChatBooks, and Chronicle.com, a news source for higher education. With the three databases combined, there are a total of 26 million accounts being sold with initial prices for each database ranging between $1,500 and $2,500. Some of the prices have changed since then (e.g. for the ChatBooks records, the initial offer increased to $3,500).

Soon after reporting on these breaches, ChatBooks started sending data breach notifications to their users. Last night, cyber intelligence firm Cyble told BleepingComputer that Shiny Hunters had started to “flood the market” with new data breaches from other companies, bringing the total amount of user databases being sold to 11.

From samples of user records seen by BleepingComputer, the data breaches look legitimate, but they have not been 100% confirmed. After being told about the new databases being sold, BleepingComputer had contacted the affected companies but has not heard back yet.

To be safe, if you have an account at any of the sites listed above, it is strongly suggested that you change your password to a strong and unique one used only at that site. If the same password has been used at other sites, change your password to a unique one there as well.