Server room with rows of network equipment illuminated by blue and red lights in a dark data center

TL;DR: ShinyHunters (a cybercrime group active since 2019) have executed the most devastating data theft campaign in history across 2025–2026. Using three attack playbooks (voice phishing for SSO credentials, Salesforce Experience Cloud misconfigurations, and OAuth supply chain attacks), they’ve breached over 40 organizations in 2026 alone. Confirmed victims include Canvas/Instructure (275M students), Carnival (6M passengers), ADT (5.5M customers), Charter Communications (4.9M), Kemper (13M), McGraw-Hill (13.5M), Rockstar Games (78.6M), Telus (1+ petabyte), and the European Commission. Google Threat Intelligence tracks them as three linked clusters: UNC6661, UNC6671, and UNC6240. Four members were arrested in France in June 2025. The group kept operating. The FBI says don’t pay their ransoms. At least one victim, Instructure, paid anyway.

The Numbers

Since January 2026, ShinyHunters have claimed responsibility for breaching more than 40 organizations. The total haul, by their own count: approximately 1.8 billion records across all documented breaches since the group formed in 2019 [1]. The 2026 campaign alone accounts for hundreds of millions of those records.

Some context: the entire U.S. population is 330 million. ShinyHunters have stolen enough records to cover every American, with hundreds of millions to spare. Even accounting for duplicates and inflated claims, the scale is staggering.

And this isn’t some shadowy nation-state operation with unlimited resources. It’s a group that started on Discord, got famous on RaidForums, and runs their extortion portal with the professionalism of a SaaS company. Their ransom emails include itemized lists of stolen data, Bitcoin payment instructions, 72-hour deadlines, and proof-of-theft samples hosted on Limewire [2].

Three Playbooks, One Group

Google Threat Intelligence Group tracks ShinyHunters as three linked threat clusters: UNC6661 and UNC6671 handle the initial break-ins, while UNC6240 runs the extortion side [2]. The division of labor is telling: this isn’t improvised. It’s industrialized.

Here’s how they get in:

Playbook 1: Voice Phishing + Adversary-in-the-Middle

An attacker calls an employee pretending to be IT support. “We’re rolling out new security compliance.” “Your passkey needs updating.” They direct the target to a lookalike domain (something like company-sso.com or companyinternal.com) that mirrors the real login page. A live operator relays the stolen credentials and MFA codes to the real identity provider in real time, capturing authenticated session tokens [3].

This defeats every form of MFA except hardware security keys and passkeys. Push notifications, SMS codes, authenticator apps: all useless when someone is proxying your session live.

Victims hit this way: ADT (5.5M), Panera Bread (5.1M accounts), Match Group (10M+), Harvard University, University of Pennsylvania, Figure Technology (1M), SoundCloud (30M).

Playbook 2: Salesforce Experience Cloud Exploitation

ShinyHunters discovered that hundreds of companies had misconfigured their Salesforce Experience Cloud portals: guest user profiles with API access enabled or overly permissive Organization-Wide Defaults. They weaponized a modified version of AuraInspector, an open-source Salesforce audit tool, to mass-scan for vulnerable configurations [4].

In March 2026, Salesforce issued a security advisory. By then, ShinyHunters had already hit approximately 400 companies, including Snowflake, Okta, LastPass, and Salesforce itself [4].

Victims hit this way: Canada Life (5.6M), Kemper (13M), McGraw-Hill (13.5M), TransUnion, and hundreds more. A separate ShinyHunters Salesforce campaign, the theft of Salesloft Drift OAuth tokens (tracked as UNC6395), reportedly netted around 1.5 billion records across roughly 760 organizations [9].

Playbook 3: OAuth Supply Chain Attacks

The most sophisticated approach. ShinyHunters compromise third-party integrators’ GitHub environments, stealing OAuth tokens and AWS credentials. Those tokens cascade downstream to every organization using the compromised integration [3].

The Anodot breach is the template: attackers compromised Anodot’s analytics platform, then used its access to reach Snowflake and BigQuery instances across multiple downstream customers [5].

Victims hit this way: Rockstar Games (78.6M), Vimeo (119K), Woflow (affecting DoorDash, Walmart, Uber), Vercel.

The 2026 Breach Tracker

Every confirmed ShinyHunters breach in 2026, ordered by date. This list includes only confirmed incidents. The group has claimed additional victims that haven’t been verified.

Date Victim Records/People Method Our Coverage
Jan 2026 Grubhub Undisclosed Combined extortion Full article
Jan 2026 Panera Bread 5.1M accounts Microsoft Entra SSO vishing Full article
Feb 2026 Figure Technology 1M+ Okta SSO vishing Full article
Feb 2026 Wynn Resorts 800K+ Cyber-extortion Full article
Feb 2026 Crunchyroll 6.8M Undisclosed Full article
Mar 2026 Aura 900K+ Social engineering Full article
Mar 2026 Telus / Telus Digital 1+ petabyte Undisclosed Full article
Mar 2026 European Commission Undisclosed Cloud infrastructure Full article
Mar 2026 Salesforce Experience Cloud (~400 companies) 1.5B+ records claimed Misconfiguration scan Full article
Mar 2026 Cushman & Wakefield 50GB+ Salesforce vishing Full article
Apr 2026 ADT 5.5M Okta SSO vishing Full article
Apr 2026 Rockstar Games 78.6M Anodot supply chain Full article
Apr 2026 McGraw-Hill 13.5M Salesforce misconfiguration Full article
Apr 2026 Kemper Corporation 13M Salesforce misconfiguration Full article
Apr 2026 Medtronic 9M Undisclosed Full article
Apr 2026 Carnival Corporation 6M Social engineering Full article
Apr 2026 Canada Life 5.6M Salesforce via employee Full article
Apr 2026 Charter Communications 4.9M Undisclosed N/A
Apr 2026 7-Eleven 185K Ransom demand N/A
Apr 2026 Amtrak 9.4M Salesforce N/A
Apr 2026 Hims & Hers Undisclosed Zendesk/Okta Full article
Apr 2026 Betterment 1.4M Undisclosed Full article
Apr 2026 Ameriprise Financial 47K SSNs Undisclosed Full article
May 2026 Canvas / Instructure 275M LMS data exfiltration Full article
May 2026 Infinite Campus 11M students Undisclosed Full article
May 2026 Bumble / Match Group Undisclosed Undisclosed Full article
May 2026 CarGurus 12M Vishing Full article
May 2026 Crunchbase 2M Undisclosed Full article

This table is updated as new breaches are confirmed. Last updated: May 31, 2026.

Who Are ShinyHunters?

ShinyHunters formed in 2019. The name is a Pokémon reference: shiny hunting means obsessively searching for rare color variants. They started on Discord, built a reputation on the now-seized RaidForums, and have since become one of the most prolific data theft operations in history [1].

They’re affiliated with The Com, an international cybercrime network that also includes Scattered Spider and remnants of Lapsus$. The group’s leader operates under the handle “shinycorp” and runs communications via Tutanota and OnionMail [2].

Law enforcement has taken some bites:

  • May 2022: Sébastien Raoult, a French programmer, was arrested in Morocco and extradited to the U.S.
  • January 2024: Raoult was sentenced to three years in prison and ordered to return $5 million.
  • June 2025: Matthew D. Lane, 19, of Massachusetts, pled guilty to PowerSchool extortion linked to ShinyHunters operations.
  • June 2025: Four ShinyHunters members were arrested across French regions [1].

None of it slowed them down. The arrests happened in June 2025. By January 2026, the vishing campaigns were already running. Arresting individual operators in a decentralized network is like pulling weeds: the roots are still in the ground.

The Pattern Nobody’s Fixing

Look at the breach tracker again. Notice what almost every victim has in common: Salesforce.

ShinyHunters didn’t find a zero-day in Salesforce. They didn’t need one. They found something better: misconfigured guest user permissions that gave anonymous API access to customer data, employee SSO credentials harvested over the phone, and third-party OAuth integrations with excessive access scopes [3][4].

Google’s Threat Intelligence report was blunt about it: “This activity is not the result of a security vulnerability in vendors’ products or infrastructure. Instead, it continues to highlight the effectiveness of social engineering” [2].

Translation: the software isn’t broken. The way companies deploy it is. And fixing configuration isn’t as exciting as buying new security tools, so it doesn’t happen until after the breach.

ShinyHunters also know that post-compromise cleanup is sloppy. Google observed them using a tool called ToogleBox Recall to delete Okta “Security method enrolled” notification emails from victims’ inboxes, hiding the evidence that an attacker’s device had been registered for MFA [2]. They used PowerShell to bulk-download from SharePoint and OneDrive. They pivoted from compromised accounts to send secondary phishing emails to cryptocurrency companies. None of this is novel. All of it keeps working.

The Ransom Question

The FBI’s position is clear: don’t pay ShinyHunters. Paying ransoms funds future attacks, provides no guarantee of data deletion, and emboldens further targeting [6].

Instructure paid anyway. After 275 million student records were exposed through Canvas, the company reached a settlement with ShinyHunters that included a “shred logs” clause: the attackers agreed to destroy the stolen data. Whether they actually did is unknowable. Whether the data had already been copied, shared, or sold is unknowable. Instructure paid for a promise from criminals.

Carnival hasn’t disclosed whether they paid. Neither have most other victims. The extortion model works precisely because companies face a calculation: the cost of paying ($1.5 million was ShinyHunters’ demand to Wynn Resorts [7]) vs. the cost of lawsuits, regulatory fines, and reputational damage. For many companies, paying is cheaper. And ShinyHunters know it.

What to Do Right Now

Check Have I Been Pwned

Go to haveibeenpwned.com and enter your email. Troy Hunt’s database has indexed multiple ShinyHunters breaches including Canvas and Canada Life. If you show up, you know exactly which breach exposed you.

Freeze Your Credit

If your data was in any of these breaches, freeze your credit at all three bureaus: Equifax (1-888-298-0045), Experian (1-888-397-3742), TransUnion (1-888-909-8872). Free. Takes five minutes each. A credit monitoring service tells you after the damage. A freeze prevents it.

Switch to Hardware Security Keys

ShinyHunters’ vishing attacks defeat SMS codes, authenticator apps, and push notifications. The only authentication method they can’t bypass: FIDO2 hardware keys or passkeys. A YubiKey costs $25–$55. It’s the best security investment you can make in 2026.

Audit Your Salesforce Permissions

If your organization uses Salesforce Experience Cloud: check guest user profiles for API access, review Organization-Wide Defaults, and disable any permissions that aren’t explicitly required. FINRA’s advisory has step-by-step instructions.

What Comes Next

ShinyHunters aren’t slowing down. The arrest of four members in France last June didn’t pause operations for a single month. The group has active extortion deadlines running right now: Charter Communications’ deadline was May 27 [8]. New victims appear on their leak site weekly.

The playbooks work because the defenses don’t change fast enough. Companies keep deploying Salesforce with default permissions. Employees keep answering vishing calls. Third-party integrations keep getting excessive OAuth scopes. Until those fundamentals shift, ShinyHunters (or the next group to copy their methods) will keep filling the breach tracker.

We’ll update this page as new breaches are confirmed. Bookmark it. Check back. The list will be longer next time you look.

Sources

  1. Wikipedia: “ShinyHunters” (accessed May 2026)
  2. Google Cloud Threat Intelligence: “Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft” (2026)
  3. Push Security: “How Three Techniques Are Behind ShinyHunters’ 2026 Campaigns” (2026)
  4. Salesforce Ben: “ShinyHunters Breach 400 Companies via Salesforce Experience Cloud” (2026)
  5. BleepingComputer: “Carnival Cruise Confirms Data Breach Affecting Nearly 6 Million People” (May 2026)
  6. Bitdefender: “FBI Warns Students and Staff That ShinyHunters May Come Knocking After Canvas Breach” (May 2026)
  7. The Register: “ShinyHunters Demands $1.5M Not to Leak Wynn Resorts Data” (February 2026)
  8. The Register: “ShinyHunters Adds Charter to Trophy Shelf After 4.9M Customer Records Leak” (May 2026)
  9. BleepingComputer: “ShinyHunters claims 1.5 billion Salesforce records stolen in Drift hacks” (2025)