TL;DR:

  • The group: ShinyHunters, active since 2020, spent 2026 running the most prolific data-extortion campaign of the year, and almost never touched its actual targets
  • The method: Compromise something the target trusts. A third-party analytics vendor. A Salesforce login. A support ticket system. Steal everything, demand payment, dump the data when talks fail
  • Vimeo: 119,000 user emails exposed through Anodot, an analytics vendor. 106GB dumped after ransom talks collapsed [1][2]
  • Canvas/Instructure: 275 million users, ~9,000 institutions, 3.65TB exfiltrated through a support-ticket flaw. Instructure paid an undisclosed ransom [3][4]
  • Cushman & Wakefield: 310,431 accounts exposed after a single voice-phishing call gave up Salesforce access. 50GB dumped [5][6]
  • Medtronic: ShinyHunters claimed 9 million records. Medtronic confirmed an intrusion, filed an SEC 8-K, then the listing quietly vanished [7][8]
  • Why it matters: Your security is now decided by vendors you forgot you connected to. ShinyHunters figured that out before your security team did

The Pattern, Not the Targets

Look at the 2026 victim list and you'll be tempted to find a theme. A learning platform used by 275 million students. A video host. A $107 billion medical device maker. One of the world's largest commercial real estate firms. There's no industry thread. A school system and an insulin-pump manufacturer have nothing in common.

That's the point. ShinyHunters isn't picking targets by sector. It's picking them by exposure. The question the group asks isn't "who do we want to hurt?" It's "who has a soft connection we can ride in through?"

This is a campaign report, not a single incident. We've covered each of these breaches individually as they broke. What we hadn't done is lay the playbook out flat: the three repeatable techniques behind a year of headlines, so you can recognize the next one before it has a name.

Here's the uncomfortable summary: in 2026, ShinyHunters mostly stopped hacking companies. It started hacking the things companies plug into.

Door One: The Analytics Vendor (Vimeo, via Anodot)

Vimeo didn't get phished. No employee clicked a bad link. No fake login page caught anyone. ShinyHunters broke into Anodot (a data anomaly-detection company Vimeo used for analytics) and stole the authentication tokens that connected Anodot to Vimeo's cloud data warehouses. [1][2]

Those tokens unlocked Vimeo's Snowflake and Google BigQuery instances. No Vimeo password required. No Vimeo network access required. The attackers used a vendor integration the way it was designed to work, to query and export data, except they weren't supposed to be the ones holding the keys. Anodot's own status page traces the incident back to April 4, 2026. [1]

Vimeo disclosed the breach on April 27. The exposed data: email addresses, names in some cases, video titles, and platform metadata. No video content, login credentials, or payment data, according to Vimeo. Have I Been Pwned indexed 119,200 unique email addresses. When Vimeo refused to pay, ShinyHunters dumped a 106GB archive on its leak site, complaining that "the company failed to reach an agreement with us despite our incredible patience." [1][2]

Vimeo wasn't the only one. The same Anodot compromise reached Rockstar Games and Zara's parent company Inditex. One vendor breach, multiple corporate victims, none of whom did anything wrong in the conventional sense. They used a legitimate analytics tool with standard cloud integrations. That was the vulnerability. It is the defining shape of 2026's supply chain attacks. Full breakdown in our dedicated Vimeo report. [9]

Door Two: The Salesforce Login (Cushman & Wakefield, and ~30 Others)

The second technique needs a human, briefly. ShinyHunters runs a voice-phishing ("vishing") operation: call an employee, sound legitimate enough, talk them into authorizing a malicious Salesforce connected app or handing over access. One call. That's the entire intrusion.

Cushman & Wakefield, the commercial real estate giant, got that call. ShinyHunters claimed it pulled more than 500,000 Salesforce records. It posted a "FINAL WARNING PAY OR LEAK" notice on May 1 with a May 6 deadline. The company didn't pay. ShinyHunters published a 50GB dataset, mostly business contacts: names, job titles, addresses, phone numbers, external email addresses. Have I Been Pwned confirmed 310,431 exposed accounts on May 12. [5][6]

Then it got worse. The Qilin ransomware group listed Cushman & Wakefield on its own leak site on May 4, suggesting either a second intrusion or that ShinyHunters sold the initial access on a dark web market. When two gangs claim you in the same week, you've stopped being a victim and started being inventory. The dual-claim mess is detailed in our Cushman & Wakefield coverage, and the 50GB dump itself in our follow-up piece. [10]

This wasn't a one-off. The Salesforce vishing campaign hit dozens of companies through stolen OAuth tokens and SSO accounts across Okta, Microsoft Entra, and Google. We tracked the scale of it in the 100-company Okta SSO campaign and the Salesforce Aura operation that touched 400+ organizations. The phone call scales better than any exploit.

Door Three: The Support System (Canvas/Instructure)

The biggest haul of the year came through the most boring door imaginable: a support ticket system.

ShinyHunters exploited a flaw in Instructure's "Free-for-Teacher" environment (specifically something tied to support tickets) and exfiltrated 3.65TB of data covering roughly 275 million users across nearly 9,000 institutions. Canvas is used by 41% of higher education institutions in North America. Harvard. Penn. Duke. Wisconsin. Public school districts. Community colleges. The stolen data: usernames, email addresses, course names, enrollment information, and billions of private messages between students and teachers. Not passwords or course content, but more than enough to run terrifyingly convincing phishing against students and parents who'd never expect their school to be the lure. [3][4]

The timeline reads like a hostage negotiation, because it was one. First breach claimed May 3, deadline May 6. Instructure declared it "resolved", then ShinyHunters broke back in on May 7, defaced login portals at roughly 330 institutions during finals week, and reset the clock to May 12. [11]

On May 11, one day before the new deadline, Instructure paid. The company, owned by private equity firm KKR, said it reached an agreement and received "shred logs" as proof of data destruction. It will not say how much it paid. Unconfirmed reports floated a figure around $10 million; Instructure has never confirmed any amount, and neither Inside Higher Ed nor The Hacker News could pin it down. Treat the number as a rumor, not a fact. [3][4]

What Instructure actually bought: a text file from criminals saying they deleted the data, plus a promise that customers won't be "separately extorted." The full scope is in our original 275 million record report.

The Quiet One: Medtronic

Medtronic doesn't fit neatly into one door, which is part of why it's worth flagging. ShinyHunters added the medical device maker to its Tor leak site on April 17 and 18, claiming more than 9 million records with names, Social Security numbers, dates of birth, medical information, and government IDs. Important caveat: that 9 million figure is the attacker's claim. Medtronic has not verified it. [7][8]

Medtronic confirmed an intrusion on April 24 and filed a Form 8-K with the SEC the same day, saying an unauthorized party accessed data in certain corporate IT systems. The company stressed its networks are segmented and that no medical devices, patient safety, or manufacturing systems were affected. Then the listing disappeared from the ShinyHunters site, and no data was ever published. [7][8]

No ransom payment has been confirmed. But in past ShinyHunters incidents, a victim vanishing from the leak site after a deadline (with no data dump) has lined up with quiet negotiations. Make of that what you will. The detail is in our Medtronic report.

The Common Thread: You Don't Control Your Own Attack Surface

Strip away the company names and the three doors are the same door. ShinyHunters keeps exploiting one structural fact about how modern software works: every company hands deep data access to dozens of third parties (analytics vendors, CRM platforms, support tools, identity providers) and almost nobody audits what those connections can actually reach.

None of these techniques are exotic. Stolen OAuth tokens. A phone call. A flawed support ticket flow. Security teams have warned about every one of them for years. They keep working because:

  • Vendor integrations are invisible. Vimeo had no way to see Anodot's security posture until Anodot was already compromised. You can't monitor a breach inside someone else's company.
  • Vishing beats exploits. Tricking an employee into authorizing a connected app is cheaper, faster, and more reliable than finding a zero-day. It scales to hundreds of targets.
  • Support and "free" tiers get less scrutiny. Instructure's Free-for-Teacher environment wasn't watched the way its paid infrastructure was. Attackers go where the monitoring isn't.
  • Access gets resold. The Cushman & Wakefield double-claim shows the model maturing. One group breaks in; another buys the keys. Your data has a secondary market.

Your security posture is only as strong as the weakest vendor you've ever connected and forgotten about. ShinyHunters understands this better than most of the companies it robs.

What Organizations Should Actually Do

"Audit your third parties" is the advice everyone gives and nobody operationalizes. Specifics:

  • Inventory every active integration. Every OAuth grant, API key, connected app, and SaaS-to-SaaS token. Most companies cannot produce this list. That gap is the attack surface. Revoke anything nobody can explain.
  • Scope vendor access to the minimum. An analytics tool does not need read access to your entire data warehouse. The Anodot tokens worked because they could query everything. Least privilege isn't a slogan here. It's the difference between a vendor breach and your breach.
  • Treat the help desk as a target. ShinyHunters' vishing works because support and IT staff are trained to be helpful, not suspicious. Add out-of-band verification for any request that grants access or authorizes an app. No exceptions for "urgent."
  • Monitor your "unimportant" environments. The Canvas breach started in a free tier. Free, internal, and legacy systems get the least logging and the most attackers.
  • Decide your ransom position now. Decide it cold, in writing, before an extortion clock is running, not at 2 a.m. with a deadline. Every cybersecurity agency on earth says don't pay. A "shred log" from criminals proves nothing.
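The first two items above (inventory every grant, then scope or revoke it) are the part most teams never turn into a repeatable check. The script below is an added example, not code from any of the organizations named in this piece: it triages a constructed inventory of SaaS-to-SaaS integrations and flags the three things the article calls out, a grant nobody owns, a scope broad enough to read the whole warehouse, and a token nobody has used in months. The scope names, the 90-day staleness threshold and the sample rows are assumptions for illustration.

```python
"""Triage a SaaS-integration inventory (added example; all rows are constructed)."""
from dataclasses import dataclass
from datetime import date

# Scopes that let a vendor read far more than one analytics job needs.
# Assumption for illustration: substitute your identity provider's real scope names.
BROAD_SCOPES = {"warehouse:read_all", "bigquery.readonly", "full_access", "api"}
STALE_DAYS = 90                 # assumption: a token unused this long is forgotten
TODAY = date(2026, 5, 15)       # fixed so the run is reproducible offline


@dataclass
class Integration:
    vendor: str
    kind: str                   # "oauth_app", "api_key" or "connected_app"
    scopes: set
    owner: str                  # "" when nobody can explain the grant
    last_used: date


def triage(item: Integration) -> list:
    """Return audit findings for one integration (empty list means leave it alone)."""
    findings = []
    if not item.owner:
        findings.append("no owner: revoke, nobody can explain it")
    if item.scopes & BROAD_SCOPES:
        findings.append("broad scope: narrow to the datasets the vendor actually reads")
    if (TODAY - item.last_used).days > STALE_DAYS:
        findings.append(f"unused for >{STALE_DAYS} days: revoke")
    return findings


def audit(items) -> dict:
    """Map vendor name to its findings, keeping only integrations with at least one."""
    return {i.vendor: triage(i) for i in items if triage(i)}


def revocation_list(items) -> list:
    """Vendors whose grants should be revoked outright, in inventory order."""
    return [v for v, f in audit(items).items() if any("revoke" in x for x in f)]


# Constructed sample inventory, modelled on the three doors in the article.
SAMPLE = [
    Integration("analytics-vendor", "api_key", {"warehouse:read_all"}, "data-eng", date(2026, 5, 10)),
    Integration("crm-connected-app", "connected_app", {"api", "refresh_token"}, "", date(2026, 4, 30)),
    Integration("support-tool", "oauth_app", {"tickets:read"}, "support", date(2026, 1, 3)),
    Integration("payroll", "oauth_app", {"employees:read"}, "hr", date(2026, 5, 12)),
]

if __name__ == "__main__":
    for vendor, findings in audit(SAMPLE).items():
        print(vendor, "->", "; ".join(findings))
```

Feed it a real export from your identity provider or CRM admin console and the output is the starting point for the "revoke anything nobody can explain" conversation.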

What Individuals Should Do

You didn't pick these vendors. Your school, your employer, and the apps you use did, and your data leaked anyway. What you can control:

  • Check Have I Been Pwned. Go to haveibeenpwned.com and search your email. The Vimeo and Cushman & Wakefield breaches are already indexed. Canvas data may surface as litigation proceeds.
  • Assume targeted phishing, not just spam. The Canvas data tells attackers your school, your courses, your teachers' names. Any message referencing specifics you'd assume only an insider knows should be verified through official channels, never through a link in the message.
  • Rotate passwords on affected accounts. Even when credentials weren't in the dump, treat any breach as a reason to rotate and enable two-factor authentication. The next breach might include the password.
  • Freeze your credit if SSNs were exposed. If you're a Medtronic patient, the claimed data includes Social Security numbers. A credit freeze is free, reversible, and the single most effective protection against identity theft. File at IdentityTheft.gov if you see fraud.

The Bottom Line

ShinyHunters isn't the most technically gifted group in the world. It doesn't need to be. It found a business model that works: don't attack the fortress, attack the supplier with a key to the side entrance. Steal everything. Set a clock. Dump the data if nobody pays, and use the payments from the ones who do to fund the next round.

We've written about that funding loop separately, in the economics of why every paid ransom buys the next attack. This piece is the other half: the technical playbook those payments keep alive. The two questions every organization should be asking after 2026: which vendors can reach our data, and would we even notice if one of them got robbed? For most companies, the honest answers are "we're not sure" and "no." Until those change, the doors stay open.

Sources

  1. The Register: ShinyHunters Dump Puts 119K Vimeo Emails in the Wild (May 5, 2026)
  2. BleepingComputer: Vimeo Data Breach Exposes Personal Information of 119,000 People (May 2026)
  3. Inside Higher Ed: Instructure Pays Ransom to Canvas Hackers (May 11, 2026)
  4. The Hacker News: Instructure Reaches Ransom Agreement with ShinyHunters to Stop 3.65TB Canvas Leak (May 2026)
  5. The Register: Cushman & Wakefield Confirms Vishing Cyberattack (May 5, 2026)
  6. Cybernews: ShinyHunters Posts 50GB Cushman & Wakefield Dataset After Ransom Talks Fail (May 2026)
  7. HIPAA Journal: Medical Device Maker Medtronic Announces Data Breach (April 2026)
  8. The Register: Medical and Utility Tech Companies Admit Digital Break-ins (April 27, 2026)
  9. Security Affairs: Vimeo Confirms Breach via Third-Party Vendor Impacts 119K Users (May 2026)
  10. Cybernews: Two Ransomware Gangs Now Claim Cushman & Wakefield After Salesforce Breach Claim (May 2026)
  11. EdScoop: ShinyHunters Claims Nearly 9,000 Schools Affected by Canvas Data Breach (May 2026)