Last updated: July 5, 2026 at 9:01 AM UTC
Tag: shinyhunters (42 articles)

ShinyHunters breach of Berkadia exposes 305,000 accounts in real estate finance

Breach-tracking service Have I Been Pwned has confirmed that 305,216 accounts were exposed in the March attack on Berkadia, a large US commercial real estate finance firm that handles mortgage banking and investment sales. The extortion group ShinyHunters claimed the intrusion, saying it stole millions of Salesforce records containing personal and internal corporate data, around 27GB compressed, and threatened to leak them after the company did not meet its deadline. The breach is part of a broad ShinyHunters campaign this year against companies' Salesforce environments, typically entered by socially engineering employees or help desks rather than exploiting a software flaw.

Check
If you work with or for Berkadia, check whether your email appears in Have I Been Pwned and watch for targeted phishing referencing mortgage, loan, or real estate dealings.
Affected
Berkadia clients, partners, and staff whose personal and business data sat in the breached Salesforce records (305,216 accounts confirmed); the broader ShinyHunters campaign targets corporate Salesforce tenants.
Fix
Reset and stop reusing any passwords tied to Berkadia dealings and enable phishing-resistant MFA. Organizations should lock down Salesforce access, restrict bulk exports, and harden help-desk identity verification.

K-12 platform Infinite Campus breach confirmed, 137,000 student-linked accounts

Have I Been Pwned has confirmed 137,123 accounts exposed in a breach of Infinite Campus, a widely used K-12 student information system in the US. The extortion group ShinyHunters claimed the attack back in March, posting that it had stolen personal data and internal corporate information. Because student information systems hold sensitive records on minors and their families, exposed data raises the risk of identity theft and highly targeted phishing aimed at parents, students, and school staff. The incident fits the same ShinyHunters data-theft pattern seen across the education sector this year, including the much larger Canvas breach.

Check
School districts using Infinite Campus should confirm whether their tenant was affected and notify families; individuals should watch for phishing or fraud referencing schools, student accounts, or enrollment.
Affected
Students, parents, and school staff whose data is held in affected Infinite Campus deployments (137,123 accounts confirmed); minors' records carry long-term identity-theft risk.
Fix
Reset exposed credentials, enable MFA on school and family accounts, and brief parents and staff to verify any school-related message before clicking. Districts should review SaaS access controls and export limits.

Oracle issues emergency PeopleSoft fix as exploited zero-day drives breaches

The ShinyHunters data-theft wave against Oracle PeopleSoft, covered yesterday, now has a confirmed root cause: a zero-day. Oracle has issued an out-of-band emergency mitigation for CVE-2026-35273, a critical flaw (rated 9.8) in PeopleSoft PeopleTools that lets an unauthenticated attacker run code on the server over HTTP, with no login required. Google's Mandiant says the bug was exploited from May 27 to June 9, before any advisory existed, and notified more than 100 affected organizations, 68 percent of them universities. The exposed component is the Environment Management Hub. Affected versions are PeopleTools 8.61 and 8.62; a full patch is still pending.

Check
Determine whether PeopleSoft PeopleTools 8.61 or 8.62 is in use and whether the Environment Management Hub is reachable externally, then review logs for the published attacker IPs and credential-spray activity.
Affected
Oracle PeopleSoft Enterprise PeopleTools 8.61 and 8.62 with the Environment Management Hub exposed to untrusted networks (CVE-2026-35273); PeopleSoft Enterprise Applications customers may also be affected.
Fix
Apply Oracle's emergency mitigations from the June out-of-band alert immediately and restrict access to the Environment Management Hub, then watch for the full patch and assume compromise where exposed.

ShinyHunters extorts Oracle PeopleSoft customers in widening data-theft spree

The extortion group ShinyHunters is running a wave of data-theft attacks against organizations using Oracle PeopleSoft, the enterprise software that large institutions rely on for HR, payroll, finance, and student records. Both cloud and on-premises instances are affected, and the gang claims data from more than 100 organizations. Attackers typically log in with stolen employee credentials, move through the PeopleSoft environment, and exfiltrate large datasets before demanding a Bitcoin ransom. A confirmed victim is the University of Nottingham, where a breach of an Oracle student-records system exposed 454,635 accounts. Researchers have shared attacker IP addresses and noted the use of MeshCentral remote-access agents.

Check
Review PeopleSoft access logs for logins from unfamiliar IPs or locations, check for MeshCentral or other unexpected remote-access agents, and confirm whether your org received a ShinyHunters extortion demand.
Affected
Organizations running cloud or on-premises Oracle PeopleSoft, particularly those with reused or phishable employee credentials and limited monitoring of administrative access to HR, finance, and student-records modules.
Fix
Enforce phishing-resistant MFA on all PeopleSoft accounts, rotate exposed credentials, block the shared attacker IPs, remove unauthorized remote-access tools, and tighten access controls and logging on PeopleSoft instances.

HVAC distributor Baker breach exposes 102,000 accounts to ShinyHunters

Baker Distributing, one of the largest US wholesalers of heating, cooling, and refrigeration equipment, has been hit by the extortion group ShinyHunters, which stole company data and posted it after the company did not pay. Breach-tracking service Have I Been Pwned has now confirmed 102,935 affected accounts; the gang originally claimed more than 260,000 stolen records pulled from Salesforce and internal SharePoint sites, including HR documents. ShinyHunters has been on a tear this year, breaking into corporate SaaS accounts by tricking IT help desks into resetting credentials. Exposed personal and business data fuels follow-on phishing aimed at Baker's customers and staff.

Check
If you work with or for Baker Distributing, check whether your email appears in Have I Been Pwned and watch inboxes for HVAC or invoice-themed phishing referencing the breach.
Affected
Baker Distributing employees, contractors, and business customers whose personal and corporate data sat in the breached Salesforce and SharePoint systems; 102,935 accounts confirmed.
Fix
Reset passwords reused with Baker accounts and enable phishing-resistant MFA. For your own org, lock down help-desk identity resets with callback verification to blunt ShinyHunters-style social engineering.

ShinyHunters publishes Charter Communications data after failed extortion - up to 5 million customer records now leaked, not just claimed

The ShinyHunters extortion group has now published the Charter Communications data it stole, after the telecom giant apparently refused to pay. Earlier reporting put the breach at 4.9 million HIBP-confirmed unique accounts; ShinyHunters' leak is described as potentially impacting up to 5 million customers. Charter is one of the largest US telecoms, providing internet, cable, mobile, and phone services to residential and business customers under the Spectrum brand. The data was originally exfiltrated via voice-phishing of a Microsoft Entra account on April 1 and a Salesforce export. With the data now public rather than merely claimed, the phishing and identity-theft risk to affected customers rises sharply.

Check
If you are a Charter/Spectrum customer or vendor, treat the leaked dataset as public now. Watch for Spectrum-themed phishing and account-recovery fraud over the next 60-90 days.
Affected
Up to 5 million Charter/Spectrum customers whose records are now publicly leaked, not just claimed. Names, contact details, and plan information enable targeted phishing and impersonation.
Fix
Affected individuals: rotate Spectrum credentials, enable MFA, scrutinize unsolicited Charter contacts. Organizations: refresh breach-monitoring watchlists and brief help desks against Charter-themed social engineering.

ShinyHunters Charter Communications breach hit 4.9 million unique accounts (42M records claimed) - HIBP confirms scale

HIBP has confirmed 4.9 million unique accounts (4,851,517 email addresses) were affected by the Charter Communications breach disclosed earlier this week. The ShinyHunters extortion gang initially claimed 42 million records exfiltrated from Charter's Salesforce instance via voice-phishing of a Microsoft Entra account on April 1; the unique-account count is lower because individuals appeared on multiple records (customer + business + plan-info). Charter publicly denies that CPNI (Customer Proprietary Network Information) or sensitive personal data was taken. The HIBP entry refines the scope to a defender-actionable figure and lets customers and IR teams check exposure across their workforce.

Check
Run your @company.com domains against HIBP for Charter exposure. If you are a Charter customer or vendor, expect targeted vishing themed around Spectrum service issues for the next 60 days.
Affected
4.9 million unique Charter/Spectrum customer email addresses now in HIBP. SaaS-extortion playbook (Salesforce + Entra/Okta SSO + BPO vishing) remains the broader risk pattern.
Fix
Affected individuals: rotate Spectrum credentials, enable MFA, scrutinize unsolicited Charter calls. Organizations with Salesforce + Entra: enforce phishing-resistant MFA on all admin and BPO identities.

Carnival Corporation confirms breach affecting 5,995,277 customers - April 10 social-engineering of employee account, ShinyHunters claimed

Carnival Corporation, the world's largest cruise-line operator with 90+ ships across Carnival, Princess, Holland America, Costa, P&O, Cunard, AIDA, and Seabourn, has confirmed a breach affecting 5,995,277 customers. The intrusion began April 10 when an employee was social-engineered into giving up account credentials; Carnival's IT team detected the unauthorized activity on April 14. ShinyHunters claimed responsibility in April and listed the company on its data leak site. Carnival served around 13.5 million guests in 2024 across its fleet. The company is now notifying affected individuals. The pattern aligns with the broader ShinyHunters SaaS-extortion playbook documented across Charter, Instructure, and others over the past quarter.

Check
If users on your @company.com domains include former Carnival, Princess, Holland America, Cunard, AIDA, or Seabourn customers, prepare for targeted phishing themed around bookings, refunds, and loyalty programs.
Affected
5,995,277 Carnival customers across nine cruise brands. Initial access via social-engineering an employee account on April 10. Same ShinyHunters playbook as Charter and Instructure.
Fix
Enforce phishing-resistant MFA across the cruise/hospitality estate. Train front-line staff to resist social engineering aimed at account credentials. Audit Salesforce/Entra exports for bulk-data signals.

Charter Communications confirms ShinyHunters breach: 40M records via vishing-compromised Microsoft Entra employee account and Salesforce export

US broadband giant Charter Communications has confirmed a data breach after the ShinyHunters extortion group listed it on its Tor leak site claiming 40 million stolen consumer and business records. ShinyHunters told BleepingComputer the intrusion began April 1 via a vishing attack that compromised an employee's Microsoft Entra account, used to export records from the company's Salesforce instance. Stolen data reportedly includes names, email addresses, addresses, phone numbers, plan information, and some CPNI (Customer Proprietary Network Information). Charter publicly denies CPNI was taken. ShinyHunters' SaaS-extortion playbook continues: Salesforce + Entra/Okta SSO + BPO vishing is the same model used against Instructure and others.

Check
Audit Microsoft Entra and Salesforce admin sign-ins for unusual IPs and large record exports around April 1, 2026. Search service-account activity for bulk data pulls.
Affected
Charter Communications/Spectrum customers (consumer and business). ShinyHunters claims 40M records exfiltrated via vishing of an Entra account. Broader: any org with Salesforce + Entra/Okta SSO + BPO support.
Fix
Enforce phishing-resistant MFA on every Entra account, especially help-desk and BPO identities. Apply Salesforce Shield Event Monitoring to alert on bulk exports. Train BPO/help-desk staff against vishing.

ShinyHunters drains 7-Eleven's Salesforce: 600K+ records, franchisee documents, ransom refused

7-Eleven has confirmed that an unauthorized party reached systems holding its franchisee documents on April 8, 2026. The extortion group ShinyHunters claims it stole more than 600,000 Salesforce records of personal and corporate information, posted samples on its Tor leak site, and demanded payment by April 21 or it would publish everything. 7-Eleven says the leaked files came from franchise applications and that it is notifying affected individuals. The breach fits the pattern ShinyHunters has run against Google, Cisco, Vimeo, Rockstar Games, Instructure, Zara, and the European Commission since mid-2025 - all delivered through compromised Salesforce instances rather than direct break-ins.

Check
Audit Connected Apps and OAuth consents in Salesforce. Review login history for unfamiliar IPs and service-account sessions that exported large record sets in the last 90 days. Verify MFA on every API user.
Affected
Organizations running Salesforce without Conditional Access on API users, without IP allowlisting on integration users, or with high-privilege Connected Apps that have not been reviewed in the last quarter.
Fix
Revoke unused Connected Apps and refresh tokens. Enforce MFA and IP restrictions on every Salesforce identity. Apply Shield Event Monitoring to alert on bulk exports and report downloads. Rotate API keys with broad permissions.