Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7

ShinyHunters breach SaaS integrator Anodot, steal auth tokens to raid Snowflake customers - 12+ companies hit

ShinyHunters breached Anodot, an AI-based data anomaly detection platform acquired by Glassbox in late 2025, and stole authentication tokens that connected Anodot to its customers' cloud environments. Using those tokens, the attackers accessed Snowflake data warehouses belonging to over a dozen companies and began exfiltrating data last Friday - timed to the Easter/Passover holiday for maximum dwell time. ShinyHunters also attempted to use the stolen tokens against Salesforce instances but were blocked by AI detection. The group is now extorting affected companies, demanding ransom payments to prevent data release. Anodot's customer list includes Puma, SAP, T-Mobile, and UPS. This is the same playbook ShinyHunters used in the 2025 Snowflake campaign and the Gainsight/Salesforce attacks - breach a trusted integration, not the platform itself.

Check
Audit every third-party SaaS integration connected to your Snowflake, Salesforce, or other cloud data platforms. Identify which ones hold active authentication tokens with read access to your data.
Affected
Any organization using Anodot (now Glassbox) integrations connected to Snowflake, Salesforce, S3, or Amazon Kinesis. Broader risk: any company with SaaS-to-SaaS integrations that use long-lived OAuth tokens or API keys.
Fix
Revoke and rotate all authentication tokens for Anodot/Glassbox integrations immediately. Review Snowflake query logs for unusual data access patterns since late March. Enable network policies to restrict Snowflake access by IP. Audit all third-party integrations for least-privilege access - most SaaS connectors have broader permissions than they need. Monitor for ShinyHunters extortion communications.

CERT-EU confirms TeamPCP breached European Commission via Trivy - 30 EU entities exposed, 340GB leaked

The European Commission cloud hack we first reported on March 29 is far worse than initially disclosed. CERT-EU now confirms TeamPCP used an AWS API key stolen through the Trivy supply chain attack to breach the Commission's Amazon cloud environment on March 10 - five days before anyone noticed. The stolen data includes personal information, usernames, and 52,000 email files across 71 hosted clients: 42 internal Commission departments and at least 29 other EU entities. ShinyHunters published the full 340GB dataset on their leak site.

Check
If your organization interacted with any Europa.eu hosted service, assume your contact data may be in the leaked dataset.
Affected
42 internal European Commission clients and at least 29 other EU entities using the Europa.eu web hosting service. Any organization that exchanged emails with these entities may have data in the leak.
Fix
Monitor for credential exposure from the leaked dataset. If you used Trivy in CI/CD pipelines, rotate all AWS keys and pipeline secrets immediately. Block scan.aquasecurtiy[.]org and 45.148.10.212. Pin Trivy to v0.69.3, trivy-action to v0.35.0, setup-trivy to v0.2.6.

Hims & Hers discloses breach after ShinyHunters steal millions of Zendesk support tickets via Okta SSO

Telehealth giant Hims & Hers - nearly $1 billion in annual revenue, millions of subscribers - disclosed that hackers stole customer support tickets from its Zendesk instance between February 4-7. The ShinyHunters extortion gang conducted the breach by compromising Okta SSO credentials through social engineering, then pivoting into the Zendesk platform. Stolen data includes names, contact information, and details from support requests. No medical records or doctor communications were compromised. The company took two months to disclose.

Check
Review whether your organization uses Zendesk with Okta SSO integration - this same attack pattern has hit multiple companies recently.
Affected
Any organization using Zendesk integrated with Okta SSO for authentication. Hims & Hers, ManoMano, and Crunchyroll were all breached through this pattern.
Fix
Enforce phishing-resistant MFA (FIDO2 hardware keys) on all Okta accounts - standard TOTP/push MFA can be bypassed by social engineering. Audit Okta sign-in logs for SSO sessions accessing Zendesk from unusual locations. Review third-party SaaS integrations connected through your identity provider.

Cisco breached through Trivy supply chain attack - source code and AWS keys stolen

The TeamPCP supply chain campaign has claimed its biggest victim yet. Attackers used credentials stolen from the Trivy vulnerability scanner compromise to breach Cisco's internal development environment, stealing source code belonging to both Cisco and its customers. Multiple AWS keys were also taken and used for unauthorized activity across Cisco's cloud accounts. The company expects continued fallout from the follow-on LiteLLM and Checkmarx compromises in the same campaign.

Check
If your CI/CD pipelines used Trivy, LiteLLM, or Checkmarx KICS between March 19-27, audit for unauthorized access immediately.
Affected
Any organization that ran compromised versions of Trivy (v0.69.4+), LiteLLM (1.82.7-1.82.8), or Checkmarx KICS GitHub Actions during the exposure windows.
Fix
Pin Trivy to v0.69.3, trivy-action to v0.35.0, setup-trivy to v0.2.6. Rotate all pipeline secrets, AWS keys, SSH keys, and tokens. Block scan.aquasecurtiy[.]org and 45.148.10.212. Search GitHub orgs for repositories named tpcp-docs - their presence means data was exfiltrated.

CareCloud confirms hackers accessed patient health records in 8-hour breach

Healthcare software company CareCloud disclosed to the SEC that hackers breached one of its six electronic health record environments on March 16, gaining access to patient medical data for approximately eight hours. The company serves over 40,000 healthcare providers. It's still investigating whether data was exfiltrated, but classified the incident as material on March 24 due to the sensitivity of the records. No ransomware group has claimed the attack.

Check
If your organization uses CareCloud Health for EHR, contact CareCloud for specifics on whether your environment was affected.
Affected
CareCloud Health EHR platform users. One of six EHR environments was compromised.
Fix
Monitor for CareCloud's breach notification updates. Review access logs for unusual activity around March 16. Ensure MFA is enforced on all EHR system access. Prepare for potential patient notification requirements.

European Commission breached through AWS cloud account - 350GB of data reportedly stolen

Hackers broke into the European Commission's Amazon Web Services account and reportedly stole over 350GB of data, including databases and employee information. The breach was discovered on March 24 and affected the cloud infrastructure hosting Europa.eu websites. The Commission says its internal systems weren't impacted. The attacker isn't demanding ransom - they plan to publish the data instead.

Check
Review your organization's AWS account security, especially IAM policies and access keys.
Affected
Any AWS account using static credentials, weak IAM policies, or missing MFA on privileged accounts.
Fix
Enforce MFA on all AWS accounts. Rotate access keys regularly. Audit IAM permissions for least-privilege. Enable CloudTrail for all regions.