Kodak Data Breach: Photography's Biggest Name Lost 2.2 Million Records (2026)
Kodak confirmed on June 17, 2026 that hackers stole what could be 2.2 million customer records. The attacker is ShinyHunters, the same group behind the Canvas breach (275 million users) and the 2024 Ticketmaster hack (560 million records). Kodak says the breach was"limited in scope" and contained, but has not confirmed exactly what data was taken. The irony is hard to miss: a company built on preserving memories can't preserve its own customer data. If you've ever bought a Kodak product online, used Kodak's cloud services, or created a Kodak account, check your email for breach notifications and change your passwords now.
What Happened to Kodak
Kodak, the 138-year-old photography company, confirmed a data breach on June 17, 2026 after the cybercriminal group ShinyHunters claimed to have stolen over 2.2 million records containing customer personally identifiable information and internal corporate data. ShinyHunters first listed Kodak on its dark web leak site on June 15, giving the company until June 18 to make contact before publishing the stolen files.
Kodak's official statement said the company "recently discovered that an unauthorized third party illegally gained temporary access to a limited amount of company data." The company said it engaged external cybersecurity experts, is working with law enforcement, and is "confident the incident was limited in scope and has been contained."
What Kodak has not said is exactly what was stolen. The "2.2 million records" figure comes from ShinyHunters, not from Kodak. The company has not confirmed the number, the type of data taken, or whether photos, payment information, or other sensitive customer data was included. ShinyHunters has also not released proof samples, which is unusual for a group that typically posts evidence to pressure victims.
Who Are ShinyHunters
ShinyHunters is one of the most active cybercriminal groups operating today, responsible for some of the largest data breaches in recent history. Their confirmed attacks include:
- Canvas (May 2026) - 275 million student and educator records stolen from Instructure's learning management system across nearly 9,000 educational institutions worldwide
- Ticketmaster (2024) - 560 million customer records including phone numbers and partial credit card details stolen from Live Nation's database
- AT&T - customer data from one of America's largest telecommunications providers
- ADT - home security company breached through social engineering, where an employee was called and tricked into providing Okta single sign-on credentials
The group's recent attacks have followed a pattern: exploiting Salesforce environments and OAuth tokens found in source code repositories. For the Canvas breach, they used cross-site scripting vulnerabilities in free teacher accounts to escalate to administrative access. Whether the Kodak attack used a similar method hasn't been disclosed.
Why Photography Companies Keep Getting Hacked
Kodak isn't the first photography-adjacent company to lose customer data. In the last year alone, we've seen breaches at Flickr (35 million users exposed), the Uffizi Gallery's photo archive, and multiple AI photo editors that leaked 1.5 million user photos.
Photography companies make attractive targets for a specific reason: they sit on unusually rich customer data. Beyond the standard name-and-email combination, photo platforms often store EXIF metadata (GPS coordinates, device information, timestamps), facial data from uploaded images, payment details from print orders, and sometimes the photos themselves. A single record from a photography company can be worth more than a record from a retailer because it contains multiple categories of personally identifiable information.
There's also a legacy infrastructure problem. Companies like Kodak have been around for decades, which means their digital systems are often a patchwork of old and new. Legacy databases that were perfectly secure in 2010 become vulnerabilities in 2026 when they're connected to modern cloud services, APIs, and third-party integrations.
How to Check If You're Affected
Kodak hasn't published a list of affected users or set up a dedicated breach notification page yet. Until they do, here's what you should check:
- Check your email for any communications from Kodak about the breach. Companies are legally required to notify affected individuals in most jurisdictions.
- Search Have I Been Pwned (haveibeenpwned.com) for your email address. The site typically adds breach data within days of public disclosure.
- Review your Kodak account at kodak.com. If you've ever ordered prints, used Kodak Moments, registered a camera, or signed up for any Kodak service, your data could be in the stolen records.
- Check for unauthorized activity on any account where you used the same password as your Kodak account. Credential stuffing - using stolen username/password pairs on other sites - is the most common way breached data is exploited.
What You Should Do Right Now
Whether or not you're confirmed as affected, these steps protect you from this breach and the next one:
- Change your Kodak password immediately. If you reused that password anywhere else, change it there too. Use a password manager to generate unique passwords for every service.
- Enable two-factor authentication on every account that supports it, starting with your email and financial accounts.
- Watch for phishing attempts. After breaches, attackers send emails impersonating the breached company. Any email from "Kodak" asking you to click a link or verify your account should be treated with suspicion. Go directly to kodak.com instead.
- Freeze your credit if you suspect financial information was included. Credit freezes are free at all three major bureaus (Equifax, Experian, TransUnion).
- Audit which companies have your data. Every service you create an account with is a potential breach target. The fewer accounts you maintain, the smaller your attack surface.
The Bigger Problem: Every Company Is a Data Liability
The Kodak breach isn't surprising because of what was stolen. It's significant because of what it represents: even companies whose entire identity revolves around photographs and memories can't guarantee the safety of your personal information.
ShinyHunters' target list tells the story. They've hit an education platform (Canvas), a ticketing company (Ticketmaster), a home security firm (ADT), a telecom (AT&T), and now a photography company (Kodak). The pattern isn't industry-specific. It's universal. Any company that stores customer data is a potential target, and the question isn't whether they'll be breached but when.
This doesn't mean you should stop using online services. It means you should be intentional about which services you trust with which data. A privacy-first approach to photo sharing means choosing platforms that collect the minimum data necessary, store it in jurisdictions with strong privacy laws, and don't build business models around mining your information.
Frequently Asked Questions
What is the best way to share photos without risking a data breach?
Choose a platform that collects minimal personal data and doesn't require recipients to create accounts. Viallo lets you share photo albums through private links without collecting recipient data at all - viewers don't need to sign up, so there's no account data to steal. Google Photos and iCloud require accounts on both ends, which means more stored user data and a larger breach surface.
How do I check if my data was stolen in the Kodak breach?
Monitor haveibeenpwned.com for your email address - the site adds breach data as it becomes available. Also check your email for official notifications from Kodak, which is legally required to inform affected users. If you've ever created a Kodak account, ordered prints through Kodak Moments, or registered a Kodak product, change your password now regardless of whether you receive a notification.
Is it safe to store photos with any company after the Kodak breach?
No online service is immune to breaches, but some are safer than others. Look for platforms that store data in GDPR-compliant jurisdictions, collect minimal personal information, and don't scan or analyze your photos for AI training. Viallo stores photos on EU-hosted servers with no AI scanning and no data mining. Self-hosted alternatives like Immich eliminate third-party risk entirely but require technical setup.
What is the difference between a data breach and a ransomware attack?
A data breach involves unauthorized access to and theft of data. A ransomware attack encrypts a victim's files and demands payment to unlock them. ShinyHunters' attack on Kodak is technically a data breach with extortion - they stole data and threatened to publish it unless Kodak cooperated. The distinction matters because in a ransomware attack, data might be encrypted but not exfiltrated, while in a breach with extortion, the data is definitely in the attacker's hands.
Can I delete my Kodak account to protect my data after the breach?
You can delete your Kodak account, but it won't undo the breach - the stolen data is already in ShinyHunters' possession. Deleting your account prevents future data collection and reduces your exposure in any subsequent breach. Under GDPR, European users can request complete data deletion. Under California's CCPA, US residents have similar rights. Kodak is legally required to comply with these requests regardless of the breach.