TL;DR: ShinyHunters (a cybercrime group active since 2019) have executed the most devastating data theft campaign in history across 2025–2026. Using three attack playbooks (voice phishing for SSO credentials, Salesforce Experience Cloud misconfigurations, and OAuth supply chain attacks), they’ve breached over 40 organizations in 2026 alone. Confirmed victims include Canvas/Instructure (275M students), Carnival (6M passengers), ADT (5.5M customers), Charter Communications (4.9M), Kemper (13M), McGraw-Hill (13.5M), Rockstar Games (78.6M), Telus (1+ petabyte), and the European Commission. Google Threat Intelligence tracks them as three linked clusters: UNC6661, UNC6671, and UNC6240. Four members were arrested in France in June 2025. The group kept operating. The FBI says don’t pay their ransoms. At least one victim, Instructure, paid anyway.
The Numbers
Since January 2026, ShinyHunters have claimed responsibility for breaching more than 40 organizations. The total haul, by their own count: approximately 1.8 billion records across all documented breaches since the group formed in 2019 [1]. The 2026 campaign alone accounts for hundreds of millions of those records.
Some context: the entire U.S. population is 330 million. ShinyHunters have stolen enough records to cover every American, with hundreds of millions to spare. Even accounting for duplicates and inflated claims, the scale is staggering.
And this isn’t some shadowy nation-state operation with unlimited resources. It’s a group that started on Discord, got famous on RaidForums, and runs their extortion portal with the professionalism of a SaaS company. Their ransom emails include itemized lists of stolen data, Bitcoin payment instructions, 72-hour deadlines, and proof-of-theft samples hosted on Limewire [2].
Three Playbooks, One Group
Google Threat Intelligence Group tracks ShinyHunters as three linked threat clusters: UNC6661 and UNC6671 handle the initial break-ins, while UNC6240 runs the extortion side [2]. The division of labor is telling: this isn’t improvised. It’s industrialized.
Here’s how they get in:
Playbook 1: Voice Phishing + Adversary-in-the-Middle
An attacker calls an employee pretending to be IT support. “We’re rolling out new security compliance.” “Your passkey needs updating.” They direct the target to a lookalike domain (something like company-sso.com or companyinternal.com) that mirrors the real login page. A live operator relays the stolen credentials and MFA codes to the real identity provider in real time, capturing authenticated session tokens [3].
This defeats every form of MFA except hardware security keys and passkeys. Push notifications, SMS codes, authenticator apps: all useless when someone is proxying your session live.
Victims hit this way: ADT (5.5M), Panera Bread (5.1M accounts), Match Group (10M+), Harvard University, University of Pennsylvania, Figure Technology (1M), SoundCloud (30M).
Playbook 2: Salesforce Experience Cloud Exploitation
ShinyHunters discovered that hundreds of companies had misconfigured their Salesforce Experience Cloud portals: guest user profiles with API access enabled or overly permissive Organization-Wide Defaults. They weaponized a modified version of AuraInspector, an open-source Salesforce audit tool, to mass-scan for vulnerable configurations [4].
In March 2026, Salesforce issued a security advisory. By then, ShinyHunters had already hit approximately 400 companies, including Snowflake, Okta, LastPass, and Salesforce itself [4].
Victims hit this way: Canada Life (5.6M), Kemper (13M), McGraw-Hill (13.5M), TransUnion, and hundreds more. A separate ShinyHunters Salesforce campaign, the theft of Salesloft Drift OAuth tokens (tracked as UNC6395), reportedly netted around 1.5 billion records across roughly 760 organizations [9].
Playbook 3: OAuth Supply Chain Attacks
The most sophisticated approach. ShinyHunters compromise third-party integrators’ GitHub environments, stealing OAuth tokens and AWS credentials. Those tokens cascade downstream to every organization using the compromised integration [3].
The Anodot breach is the template: attackers compromised Anodot’s analytics platform, then used its access to reach Snowflake and BigQuery instances across multiple downstream customers [5].
Victims hit this way: Rockstar Games (78.6M), Vimeo (119K), Woflow (affecting DoorDash, Walmart, Uber), Vercel.
The 2026 Breach Tracker
Every confirmed ShinyHunters breach in 2026, ordered by date. This list includes only confirmed incidents. The group has claimed additional victims that haven’t been verified.
| Date | Victim | Records/People | Method | Our Coverage |
|---|---|---|---|---|
| Jan 2026 | Grubhub | Undisclosed | Combined extortion | Full article |
| Jan 2026 | Panera Bread | 5.1M accounts | Microsoft Entra SSO vishing | Full article |
| Feb 2026 | Figure Technology | 1M+ | Okta SSO vishing | Full article |
| Feb 2026 | Wynn Resorts | 800K+ | Cyber-extortion | Full article |
| Feb 2026 | Crunchyroll | 6.8M | Undisclosed | Full article |
| Mar 2026 | Aura | 900K+ | Social engineering | Full article |
| Mar 2026 | Telus / Telus Digital | 1+ petabyte | Undisclosed | Full article |
| Mar 2026 | European Commission | Undisclosed | Cloud infrastructure | Full article |
| Mar 2026 | Salesforce Experience Cloud (~400 companies) | 1.5B+ records claimed | Misconfiguration scan | Full article |
| Mar 2026 | Cushman & Wakefield | 50GB+ | Salesforce vishing | Full article |
| Apr 2026 | ADT | 5.5M | Okta SSO vishing | Full article |
| Apr 2026 | Rockstar Games | 78.6M | Anodot supply chain | Full article |
| Apr 2026 | McGraw-Hill | 13.5M | Salesforce misconfiguration | Full article |
| Apr 2026 | Kemper Corporation | 13M | Salesforce misconfiguration | Full article |
| Apr 2026 | Medtronic | 9M | Undisclosed | Full article |
| Apr 2026 | Carnival Corporation | 6M | Social engineering | Full article |
| Apr 2026 | Canada Life | 5.6M | Salesforce via employee | Full article |
| Apr 2026 | Charter Communications | 4.9M | Undisclosed | N/A |
| Apr 2026 | 7-Eleven | 185K | Ransom demand | N/A |
| Apr 2026 | Amtrak | 9.4M | Salesforce | N/A |
| Apr 2026 | Hims & Hers | Undisclosed | Zendesk/Okta | Full article |
| Apr 2026 | Betterment | 1.4M | Undisclosed | Full article |
| Apr 2026 | Ameriprise Financial | 47K SSNs | Undisclosed | Full article |
| May 2026 | Canvas / Instructure | 275M | LMS data exfiltration | Full article |
| May 2026 | Infinite Campus | 11M students | Undisclosed | Full article |
| May 2026 | Bumble / Match Group | Undisclosed | Undisclosed | Full article |
| May 2026 | CarGurus | 12M | Vishing | Full article |
| May 2026 | Crunchbase | 2M | Undisclosed | Full article |
This table is updated as new breaches are confirmed. Last updated: May 31, 2026.
Who Are ShinyHunters?
ShinyHunters formed in 2019. The name is a Pokémon reference: shiny hunting means obsessively searching for rare color variants. They started on Discord, built a reputation on the now-seized RaidForums, and have since become one of the most prolific data theft operations in history [1].
They’re affiliated with The Com, an international cybercrime network that also includes Scattered Spider and remnants of Lapsus$. The group’s leader operates under the handle “shinycorp” and runs communications via Tutanota and OnionMail [2].
Law enforcement has taken some bites:
- May 2022: Sébastien Raoult, a French programmer, was arrested in Morocco and extradited to the U.S.
- January 2024: Raoult was sentenced to three years in prison and ordered to return $5 million.
- June 2025: Matthew D. Lane, 19, of Massachusetts, pled guilty to PowerSchool extortion linked to ShinyHunters operations.
- June 2025: Four ShinyHunters members were arrested across French regions [1].
None of it slowed them down. The arrests happened in June 2025. By January 2026, the vishing campaigns were already running. Arresting individual operators in a decentralized network is like pulling weeds: the roots are still in the ground.
The Pattern Nobody’s Fixing
Look at the breach tracker again. Notice what almost every victim has in common: Salesforce.
ShinyHunters didn’t find a zero-day in Salesforce. They didn’t need one. They found something better: misconfigured guest user permissions that gave anonymous API access to customer data, employee SSO credentials harvested over the phone, and third-party OAuth integrations with excessive access scopes [3][4].
Google’s Threat Intelligence report was blunt about it: “This activity is not the result of a security vulnerability in vendors’ products or infrastructure. Instead, it continues to highlight the effectiveness of social engineering” [2].
Translation: the software isn’t broken. The way companies deploy it is. And fixing configuration isn’t as exciting as buying new security tools, so it doesn’t happen until after the breach.
ShinyHunters also know that post-compromise cleanup is sloppy. Google observed them using a tool called ToogleBox Recall to delete Okta “Security method enrolled” notification emails from victims’ inboxes, hiding the evidence that an attacker’s device had been registered for MFA [2]. They used PowerShell to bulk-download from SharePoint and OneDrive. They pivoted from compromised accounts to send secondary phishing emails to cryptocurrency companies. None of this is novel. All of it keeps working.
The Ransom Question
The FBI’s position is clear: don’t pay ShinyHunters. Paying ransoms funds future attacks, provides no guarantee of data deletion, and emboldens further targeting [6].
Instructure paid anyway. After 275 million student records were exposed through Canvas, the company reached a settlement with ShinyHunters that included a “shred logs” clause: the attackers agreed to destroy the stolen data. Whether they actually did is unknowable. Whether the data had already been copied, shared, or sold is unknowable. Instructure paid for a promise from criminals.
Carnival hasn’t disclosed whether they paid. Neither have most other victims. The extortion model works precisely because companies face a calculation: the cost of paying ($1.5 million was ShinyHunters’ demand to Wynn Resorts [7]) vs. the cost of lawsuits, regulatory fines, and reputational damage. For many companies, paying is cheaper. And ShinyHunters know it.
What to Do Right Now
Check Have I Been Pwned
Go to haveibeenpwned.com and enter your email. Troy Hunt’s database has indexed multiple ShinyHunters breaches including Canvas and Canada Life. If you show up, you know exactly which breach exposed you.
Freeze Your Credit
If your data was in any of these breaches, freeze your credit at all three bureaus: Equifax (1-888-298-0045), Experian (1-888-397-3742), TransUnion (1-888-909-8872). Free. Takes five minutes each. A credit monitoring service tells you after the damage. A freeze prevents it.
Switch to Hardware Security Keys
ShinyHunters’ vishing attacks defeat SMS codes, authenticator apps, and push notifications. The only authentication method they can’t bypass: FIDO2 hardware keys or passkeys. A YubiKey costs $25–$55. It’s the best security investment you can make in 2026.
Audit Your Salesforce Permissions
If your organization uses Salesforce Experience Cloud: check guest user profiles for API access, review Organization-Wide Defaults, and disable any permissions that aren’t explicitly required. FINRA’s advisory has step-by-step instructions.
What Comes Next
ShinyHunters aren’t slowing down. The arrest of four members in France last June didn’t pause operations for a single month. The group has active extortion deadlines running right now: Charter Communications’ deadline was May 27 [8]. New victims appear on their leak site weekly.
The playbooks work because the defenses don’t change fast enough. Companies keep deploying Salesforce with default permissions. Employees keep answering vishing calls. Third-party integrations keep getting excessive OAuth scopes. Until those fundamentals shift, ShinyHunters (or the next group to copy their methods) will keep filling the breach tracker.
We’ll update this page as new breaches are confirmed. Bookmark it. Check back. The list will be longer next time you look.
Sources
- Wikipedia: “ShinyHunters” (accessed May 2026)
- Google Cloud Threat Intelligence: “Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft” (2026)
- Push Security: “How Three Techniques Are Behind ShinyHunters’ 2026 Campaigns” (2026)
- Salesforce Ben: “ShinyHunters Breach 400 Companies via Salesforce Experience Cloud” (2026)
- BleepingComputer: “Carnival Cruise Confirms Data Breach Affecting Nearly 6 Million People” (May 2026)
- Bitdefender: “FBI Warns Students and Staff That ShinyHunters May Come Knocking After Canvas Breach” (May 2026)
- The Register: “ShinyHunters Demands $1.5M Not to Leak Wynn Resorts Data” (February 2026)
- The Register: “ShinyHunters Adds Charter to Trophy Shelf After 4.9M Customer Records Leak” (May 2026)
- BleepingComputer: “ShinyHunters claims 1.5 billion Salesforce records stolen in Drift hacks” (2025)