ShinyHunters breached Anodot, an AI-based data anomaly detection platform acquired by Glassbox in late 2025, and stole authentication tokens that connected Anodot to its customers' cloud environments. Using those tokens, the attackers accessed Snowflake data warehouses belonging to over a dozen companies and began exfiltrating data last Friday - timed to the Easter/Passover holiday for maximum dwell time. ShinyHunters also attempted to use the stolen tokens against Salesforce instances but were blocked by AI detection. The group is now extorting affected companies, demanding ransom payments to prevent data release. Anodot's customer list includes Puma, SAP, T-Mobile, and UPS. This is the same playbook ShinyHunters used in the 2025 Snowflake campaign and the Gainsight/Salesforce attacks - breach a trusted integration, not the platform itself.
The European Commission cloud hack we first reported on March 29 is far worse than initially disclosed. CERT-EU now confirms TeamPCP used an AWS API key stolen through the Trivy supply chain attack to breach the Commission's Amazon cloud environment on March 10 - five days before anyone noticed. The stolen data includes personal information, usernames, and 52,000 email files across 71 hosted clients: 42 internal Commission departments and at least 29 other EU entities. ShinyHunters published the full 340GB dataset on their leak site.
Telehealth giant Hims & Hers - nearly $1 billion in annual revenue, millions of subscribers - disclosed that hackers stole customer support tickets from its Zendesk instance between February 4-7. The ShinyHunters extortion gang conducted the breach by compromising Okta SSO credentials through social engineering, then pivoting into the Zendesk platform. Stolen data includes names, contact information, and details from support requests. No medical records or doctor communications were compromised. The company took two months to disclose.
The TeamPCP supply chain campaign has claimed its biggest victim yet. Attackers used credentials stolen from the Trivy vulnerability scanner compromise to breach Cisco's internal development environment, stealing source code belonging to both Cisco and its customers. Multiple AWS keys were also taken and used for unauthorized activity across Cisco's cloud accounts. The company expects continued fallout from the follow-on LiteLLM and Checkmarx compromises in the same campaign.
Healthcare software company CareCloud disclosed to the SEC that hackers breached one of its six electronic health record environments on March 16, gaining access to patient medical data for approximately eight hours. The company serves over 40,000 healthcare providers. It's still investigating whether data was exfiltrated, but classified the incident as material on March 24 due to the sensitivity of the records. No ransomware group has claimed the attack.
Hackers broke into the European Commission's Amazon Web Services account and reportedly stole over 350GB of data, including databases and employee information. The breach was discovered on March 24 and affected the cloud infrastructure hosting Europa.eu websites. The Commission says its internal systems weren't impacted. The attacker isn't demanding ransom - they plan to publish the data instead.