Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: shinyhunters (42 articles)Clear

Two new cybercrime crews are calling employees, getting their MFA codes by phone, then stealing data from SaaS apps within hours

CrowdStrike disclosed two cybercrime groups - Cordial Spider and Snarky Spider - running fast SaaS extortion attacks that stay almost entirely inside legitimate SaaS environments. The pattern: call employees pretending to be IT support, walk them through an 'MFA reset' that's actually a credential-harvesting site that mimics their company's branding, capture the password and MFA code, then immediately log into SSO and pivot through Microsoft 365, Salesforce, and other SaaS apps. The attackers register their own device for MFA and exfiltrate data within hours. Both groups overlap with the broader ShinyHunters ecosystem (UNC6240/UNC6661/UNC6671).

Check
Run a vishing-specific awareness exercise this week. Tell every employee that real IT will never ask them to read out an MFA code over the phone or enter it on a website during a call.
Affected
Organizations with SSO across Microsoft 365, Salesforce, Okta, Google Workspace, or similar SaaS where one set of credentials reaches multiple apps. Acute risk for help-desk-heavy enterprises (financial services, healthcare, large retail) where IT calls feel routine. Any company with a public corporate logo and SSO landing page is in the target pool.
Fix
Make it policy that IT never asks for MFA codes by phone. Require step-up authentication for any MFA registration change. Alert on new MFA device registrations from unfamiliar IPs. In Microsoft 365, monitor for OAuth grants to ToogleBox Recall and similar inbox-rule apps - these were used by Cordial Spider to delete security alerts. Use Mandiant's published IoCs to block known credential-harvesting domains.

Pitney Bowes customer and employee data leaked publicly - 8.2 million email addresses plus internal records with employee job titles

Pitney Bowes customer and employee data was leaked publicly after the company refused to pay ShinyHunters' extortion demand. Have I Been Pwned added the breach yesterday with 8.2 million unique email addresses, plus names, phone numbers, and physical addresses. A subset includes Pitney Bowes employee records with job titles - a useful starter pack for highly-targeted phishing against named staff. The data came from a misconfigured Salesforce Experience Cloud 'Guest User' permission that let unauthenticated visitors query CRM records directly. ShinyHunters had posted Pitney Bowes on its leak site April 18 with a three-day deadline.

Check
If your organization uses Salesforce Experience Cloud, audit Guest User permissions today and remove read access from CRM objects that don't need to be public.
Affected
Pitney Bowes customers (8.2M email addresses, names, phones, addresses now public) and employees with job titles in the leak. Any organization running Salesforce Experience Cloud with default Guest User permissions has the same exposure - this is a configuration failure, not a Salesforce flaw.
Fix
Run Salesforce's Guest User Permissions report and tighten anything reading customer or contact data. Confirm no Experience Cloud public site exposes Account, Contact, Lead, or Case objects without a clear public-data reason. Pitney Bowes employees should treat 'CEO needs you to wire' messages with extra suspicion - your name and title are now public.

ADT customer breach details now public on Have I Been Pwned - 5.5 million records confirmed, more than the 10 million ShinyHunters originally claimed but with worse data

Update on the ADT breach we covered April 25: Have I Been Pwned added the leaked dataset yesterday with 5,488,888 unique email addresses confirmed - lower than ShinyHunters' original 10 million claim but still the largest US home-security customer leak on record. Beyond the email, name, phone, and address fields ADT originally disclosed, the leak includes details ADT downplayed: account creation dates, premise types, internal account flags, ADT installer IDs, and prospect/customer status. None catastrophic alone, but combined gives attackers enough context to run convincing 'security audit' phone scams against named customers with real install dates and installer names.

Check
If you're an ADT customer, treat any inbound call referencing your real install date or installer name as hostile - those details are now public.
Affected
All 5,488,888 ADT customers and prospects - now indexable on HIBP. Acute risk for customers whose installer IDs are in the leak: scammers can call referencing 'Mike from your install on March 14, 2022' and sound legitimate enough to social-engineer security code resets. Elderly customers and high-value households are the highest-risk segment for follow-on physical security scams.
Fix
ADT customers should set a verbal codeword with ADT's real customer service line and refuse to verify identity to any inbound caller without it. Treat any 'free security upgrade' as a scam unless you initiated the call. Brief elderly family members specifically - they're the prime target for follow-on scams using leaked install details. Pressure ADT for credit monitoring if the SSN/Tax ID subset includes you.

Udemy customer and instructor data leaked publicly after ShinyHunters' extortion deadline expires - 1.4 million records including PayPal payout details

Online learning giant Udemy's customer and instructor data was leaked publicly today after the company refused to pay ShinyHunters' extortion demand. Have I Been Pwned added the breach yesterday with 1.4 million unique email addresses. The dataset goes well beyond contact information: it includes full names, physical addresses, phone numbers, employer details, and instructor payout methods - PayPal email addresses, mailing addresses for cheques, and bank transfer details. Udemy was listed on ShinyHunters' 'pay or leak' portal April 24 with a three-day deadline. The company has not publicly confirmed the breach or said how attackers got in.

Check
Reset your Udemy password if you have an account, especially if you're an instructor with payout details on file, and watch for highly targeted phishing.
Affected
Udemy customers and instructors with accounts before April 2026, particularly instructors whose PayPal addresses, cheque mailing addresses, and bank transfer details are in the leak. Any organization using Udemy for staff training has employee details exposed and should expect tailored phishing referencing real course history.
Fix
Reset Udemy passwords and rotate any password reused on other accounts. Instructors should monitor PayPal and bank accounts and contact PayPal to flag the email as compromised. Brief staff that any 'Udemy' email referencing their real course history is potentially hostile - go to udemy.com directly rather than clicking links. Add Udemy lookalike domains to your DMARC monitoring.

ADT confirms breach after ShinyHunters claims 10 million records stolen via vishing-compromised Okta SSO and Salesforce exfil

ADT, the largest US home security company, filed an SEC 8-K on April 24 confirming a breach detected April 20. ShinyHunters listed ADT on its 'pay or leak' portal claiming over 10 million records with an April 27 deadline. ADT says the dataset was limited to names, phone numbers, addresses, plus DOBs and last-four SSN/Tax IDs for a small subset; no payment data was accessed and alarm systems were unaffected. Initial access was a vishing attack against an employee that compromised an Okta SSO session, which attackers used to reach ADT's Salesforce - the same playbook ShinyHunters ran against Carnival.

Check
If you run Salesforce behind Okta or another SSO, audit conditional-access policies this week and assume vishing-driven session-hijack is a credible vector for your tenant.
Affected
ADT customers, particularly the prospective customers confirmed in the dataset. From a security standpoint: any organization using Salesforce behind SSO without device-bound auth or per-session re-auth on bulk exports. The pattern across ShinyHunters victims (Carnival, ADT, Zara, 7-Eleven) shows MFA alone does not stop this group once help-desk vishing succeeds.
Fix
Brief frontline staff on the vishing pattern: spoofed VoIP, attacker poses as IT, walks user through MFA enrollment. Run a tabletop. In Okta and Entra ID, alert on new device registrations and on bulk Salesforce exports outside business hours. Tighten Permission Set Groups for bulk exports. Consider FIDO2 or platform passkeys for any role with bulk customer-data access.

Medtronic confirms breach after ShinyHunters claims theft of 9 million records and terabytes of internal data

Medtronic, the world's largest medical device maker, confirmed a breach of its corporate IT systems in an SEC filing April 24. ShinyHunters had listed Medtronic on its leak site April 18 claiming theft of more than 9 million records of personal data plus terabytes of internal corporate documents, with an April 21 deadline. The Medtronic listing has since been removed - a strong signal the company either paid the ransom or is still negotiating. Medtronic says product safety, manufacturing, distribution, and patient care are unaffected; the breach was confined to corporate IT, which is segregated from device infrastructure. Investigation into what personal data was exposed is ongoing.

Check
If you or staff have ever been a Medtronic patient, vendor, contractor, or applicant, watch for highly-targeted phishing referencing real medical device or employment details.
Affected
Medtronic patients (90,000+ employees, hundreds of millions of patients), suppliers, and former staff are all in scope until Medtronic clarifies what 9M+ records contain. Healthcare organizations sharing patient data with Medtronic for device monitoring, recall tracking, or research are exposed if those communications are in the leak.
Fix
Affected individuals: enable MFA on patient portals, monitor explanation-of-benefits statements, and report any unsolicited medical-device prompt or service call. Healthcare organizations: pull your data-sharing inventory with medical device vendors and confirm breach-notification SLAs. Companies sharing confidential records with Medtronic should assume those documents may be in the leak set.

Carnival confirms 7.5 million Holland America Mariner Society loyalty records leaked after ShinyHunters refused extortion deadline

Carnival Corporation has been confirmed as a ShinyHunters breach victim, and the data is now public. Have I Been Pwned added the breach on April 23 with 7,531,359 unique email addresses drawn from 8.7 million records. The data comes from the Mariner Society loyalty program operated by Holland America Line, one of Carnival's cruise brands, and contains full names, dates of birth, genders, email addresses, and loyalty program status fields. ShinyHunters initially listed Carnival on its 'pay or leak' portal on April 18 with an April 21 deadline alongside Zara, 7-Eleven, and roughly 40 other organizations. When Carnival did not pay, the group published the dataset on its leak site this week. Carnival confirmed to reporters that the initial access came from a phishing compromise of a single employee account - a reminder that ShinyHunters continues to rely on human-layer intrusion rather than novel exploits. For anyone whose email, date of birth, or customer record appears in the dataset, the immediate risk is highly targeted phishing and account-takeover attempts that reference genuine Holland America booking details.

Check
If your organization has ever done corporate bookings, incentive travel, or employee perks through Holland America, Princess, or other Carnival brands, notify affected staff today and watch for cruise-themed phishing referencing genuine loyalty-program details over the coming weeks.
Affected
Anyone who has a Mariner Society loyalty account with Holland America Line, and by extension anyone who has booked a Holland America cruise through loyalty channels. The exposed fields (name, date of birth, email, gender, loyalty status) are foundational identity data - strong enough to power convincing impersonation, knowledge-based authentication bypass, and targeted spear-phishing.
Fix
Check Have I Been Pwned to confirm whether your address is in the Carnival dataset. If it is, watch for phishing emails pretending to be from Holland America or other Carnival brands that reference your real past bookings or loyalty tier - treat any such message as hostile and navigate to the Holland America site directly rather than clicking links. Rotate passwords on any account that shares a password with Mariner Society. At an organizational level, add 'holland-america.com' and 'hollandamericafund.com' lookalike domains to your DMARC and brand-monitoring watchlists, and brief travel-desk staff that any Mariner Society outreach should be verified by phone.

Vercel breach root cause revealed: Lumma Stealer on a Context.ai employee's laptop, delivered via Roblox auto-farm scripts

Follow-up: this is the origin-story update to the Vercel breach disclosed April 19 (which our publication did not cover at the time). Hudson Rock traced the initial compromise to a Context.ai employee whose laptop was infected by Lumma Stealer malware in February 2026 after the user downloaded Roblox 'auto-farm' scripts and game-exploit executors - a notorious delivery vector for infostealers. The malware harvested that employee's Google Workspace credentials plus access keys and logins for Supabase, Datadog, and Authkit. The haul also included the support@context.ai account, letting the attacker escalate inside Context.ai, reach its AWS environment, and then pivot through compromised Google Workspace OAuth tokens into a Vercel employee's enterprise workspace that had granted the 'AI Office Suite' app 'Allow All' permissions. The attacker (ShinyHunters, now selling the data for $2M on BreachForums) read Vercel environment variables not flagged as 'sensitive.' Google pulled the Context.ai Chrome extension (ID omddlmnhcofjbnbflmjginpjjblphbgk) on March 27 - it embedded an OAuth grant for read access to users' entire Google Drive. The lesson is brutal: one employee's personal risky behavior on a work device cascaded through four SaaS platforms into a supply-chain breach that a threat actor is now auctioning.

Check
If any employee at your company has ever signed into Context.ai with a corporate Google Workspace account, treat that account as compromised and begin full credential rotation and OAuth review immediately.
Affected
Any Google Workspace tenant where an employee granted the Context.ai 'AI Office Suite' OAuth app broad permissions (specifically OAuth app IDs 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com and 110671459871-f3cq3okebd3jcg1lllmroqejdbka8cqq.apps.googleusercontent.com). Any Vercel customer whose environment variables were not explicitly marked 'sensitive'. Any organisation whose employees also install uncurated browser extensions or run game cheats on corporate devices (a pattern that keeps reappearing in infostealer cases).
Fix
In Google Workspace admin, search the OAuth app inventory for the two Context.ai client IDs above and revoke them from every user. On Vercel, audit and rotate every environment variable not marked 'sensitive' across every project, and going forward default-enable sensitive flags on new environment variables. Rotate Supabase, Datadog, and Authkit tokens that were ever accessible from a Context.ai-linked Google account. Pull 60 days of audit logs for each affected SaaS and look for impossible-travel sign-ins, new OAuth grants, and unexpected API-key creation. Block game-cheat and executor download domains at the corporate DNS layer and communicate the Roblox-script risk directly to staff.

Vercel confirms breach - attackers got in through Context.ai AI tool's Google Workspace OAuth, stole customer environment variables

Cloud development platform Vercel disclosed a security incident on April 19 after a threat actor claiming to be ShinyHunters posted stolen data for sale on a hacking forum. Vercel CEO Guillermo Rauch confirmed the initial access came through a breach at Context.ai, an enterprise AI platform one Vercel employee had signed up for using their Vercel enterprise account with 'Allow All' OAuth permissions. Attackers compromised Context.ai, stole the OAuth token, took over the employee's Google Workspace account, and pivoted into Vercel environments. Once inside, they accessed environment variables not marked as 'sensitive' - these are stored unencrypted at rest, unlike sensitive env vars which Vercel encrypts. The attacker posted 580 employee records (names, emails, account status, activity timestamps) as a teaser, plus screenshots of an internal Vercel Enterprise dashboard. They claim to also have access keys, source code, database data, and API keys, though Vercel characterizes impact as a 'limited subset' of customers. Mandiant is engaged. This is the cleanest real-world example to date of the AI supply chain risk pattern everyone has been warning about: a third-party AI tool with broad OAuth scopes becomes the initial access vector into your primary infrastructure.

Check
If you deploy apps on Vercel, rotate all environment variables immediately - especially any not marked 'sensitive'. Also audit every third-party AI/SaaS tool that has OAuth access to your Google Workspace or similar identity provider.
Affected
Any Vercel customer with environment variables not marked 'sensitive'. Vercel has directly contacted a 'limited subset' of customers whose credentials were compromised. If you weren't contacted, Vercel says it has no evidence of your data being accessed at this time. Separately: any organization using Context.ai with Google Workspace OAuth granted 'Allow All' permissions.
Fix
Rotate every Vercel environment variable and redeploy applications to pick up the new values. Mark any secret as 'sensitive' in Vercel's dashboard going forward - this encrypts at rest. In Google Workspace Admin, search for and revoke OAuth App ID 110671459871-30f1spbu0hptbs60cb4vsmv79i7bbvqj.apps.googleusercontent.com. Review Google Workspace audit logs between April 1-19 for unusual OAuth grants or token access. Audit every third-party tool connected to your Google Workspace - specifically those granted broad OAuth scopes - and remove any your team isn't actively using.

ShinyHunters breach SaaS integrator Anodot, steal auth tokens to raid Snowflake customers - 12+ companies hit

ShinyHunters breached Anodot, an AI-based data anomaly detection platform acquired by Glassbox in late 2025, and stole authentication tokens that connected Anodot to its customers' cloud environments. Using those tokens, the attackers accessed Snowflake data warehouses belonging to over a dozen companies and began exfiltrating data last Friday - timed to the Easter/Passover holiday for maximum dwell time. ShinyHunters also attempted to use the stolen tokens against Salesforce instances but were blocked by AI detection. The group is now extorting affected companies, demanding ransom payments to prevent data release. Anodot's customer list includes Puma, SAP, T-Mobile, and UPS. This is the same playbook ShinyHunters used in the 2025 Snowflake campaign and the Gainsight/Salesforce attacks - breach a trusted integration, not the platform itself.

Check
Audit every third-party SaaS integration connected to your Snowflake, Salesforce, or other cloud data platforms. Identify which ones hold active authentication tokens with read access to your data.
Affected
Any organization using Anodot (now Glassbox) integrations connected to Snowflake, Salesforce, S3, or Amazon Kinesis. Broader risk: any company with SaaS-to-SaaS integrations that use long-lived OAuth tokens or API keys.
Fix
Revoke and rotate all authentication tokens for Anodot/Glassbox integrations immediately. Review Snowflake query logs for unusual data access patterns since late March. Enable network policies to restrict Snowflake access by IP. Audit all third-party integrations for least-privilege access - most SaaS connectors have broader permissions than they need. Monitor for ShinyHunters extortion communications.