TL;DR: ShinyHunters has been running an industrial-scale breach campaign throughout 2026, and the targets barely matter. What matters is the vendors. The European Commission lost 350 GB through a compromised AWS cloud provider. 7-Eleven lost 185,000 franchise applicants' SSNs through a misconfigured Salesforce instance. Vimeo lost 119,000 user records through Anodot, an analytics vendor that stored Snowflake authentication tokens. Zara lost 197,000 customer records through the same Anodot compromise. ShinyHunters doesn't break down front doors. It steals keys from the contractors who already have them.
Four Breaches, One Pattern
If you've been following ShinyHunters in 2026, you've seen the same movie play out over and over. The target changes. The method doesn't.
Here are four of their biggest recent hits, and the third-party vendor that actually got hacked in each case.
The European Commission: 350 GB Through AWS
On March 24, 2026, the European Commission detected an intrusion into the AWS cloud infrastructure hosting its Europa.eu sites. Three days later, ShinyHunters claimed responsibility and dropped a 90 GB sample, promising the full 350 GB dump would follow.[1]
And it was ugly. The leaked data included email server dumps, DKIM signing keys, SSO user directories, AWS configuration snapshots, and internal admin URLs. CERT-EU confirmed that 42 internal clients and at least 29 EU entities were affected.[2]
The DKIM keys are the scary part. With those, ShinyHunters can forge emails that pass authentication checks from European Commission domains: perfect for spear-phishing EU member states, diplomats, and partner organizations.[3]
Commission spokesperson Thomas Regnier said the attack "affected part of our cloud infrastructure" while claiming internal systems remained untouched. ShinyHunters said they had no intention of demanding a ransom. They'd just leak everything. They did.[1]
7-Eleven: 185,000 SSNs Through Salesforce
On April 8, 2026, someone walked into 7-Eleven's franchise application systems and started downloading. Names, addresses, Social Security numbers, driver's licenses: everything franchise applicants had submitted.[4]
The "someone" was ShinyHunters. The door was Salesforce Experience Cloud.
Here's how it worked: Salesforce Experience Cloud sites expose an API endpoint (/s/sfsites/aura) by default. When administrators don't restrict what guest users can query, attackers can pull data from the underlying CRM without logging in. ShinyHunters used an open-source tool called AuraInspector to automate scanning for these misconfigurations at scale.[5]
ShinyHunters claimed they'd stolen over 600,000 Salesforce records. They gave 7-Eleven a deadline: pay by April 21. 7-Eleven didn't pay. ShinyHunters published a 9.4 GB archive of stolen files: SSNs, driver's licenses, and all.[4]
7-Eleven is now offering 24 months of free identity theft protection through IDX. The enrollment deadline is August 1, 2026. If you've ever applied for a 7-Eleven franchise, call 1-833-788-9712.[6]
Vimeo: 119,000 Users Through Anodot
Vimeo didn't get hacked. Anodot got hacked. But Anodot had Vimeo's keys.
Anodot is an Israeli AI analytics platform that monitors cloud spending and performance. To do its job, it needs authentication tokens for its customers' data warehouses: Snowflake, BigQuery, the works. ShinyHunters compromised Anodot's infrastructure in early April 2026 and stole those tokens.[7]
Then they walked into Vimeo's Snowflake and BigQuery instances using Anodot's credentials. They pulled 119,000 user records: emails, names, video titles, and technical metadata. No video content or payment information, but enough for a "pay or leak" demand.[8]
On April 28, ShinyHunters posted: "Vimeo, Inc., your Snowflake and BigQuery instances' data was compromised thanks to Anodot.com. Pay or Leak." Vimeo didn't pay. ShinyHunters dumped 106 GB on the dark web.[9]
Vimeo has since disabled all Anodot credentials, removed the integration entirely, and brought in external security experts. The horse had already left the barn.[8]
Zara: 197,000 Customers Through the Same Anodot Hole
Same vendor, different victim. ShinyHunters used the same stolen Anodot tokens to pivot into Zara's cloud environment, pulling records belonging to 197,000 customers across multiple markets.[10]
The stolen data included email addresses, order IDs, product SKUs, support ticket content, and geographic location data. Zara's parent company Inditex confirmed the breach but said passwords and payment information weren't affected.[10]
ShinyHunters gave Zara a deadline. Zara didn't pay: $0 in ransom confirmed. On April 22, the data was published.[11]
Zara wasn't the only Anodot victim. The same compromise gave ShinyHunters access to Rockstar Games (78.6 million records), and researchers at RH-ISAC identified an active campaign targeting Snowflake customers through the Anodot integration specifically.[12]
Three Doors, Infinite Victims
Pull back and the pattern is obvious. ShinyHunters has found three vendor entry points that keep working:
- Anodot → Snowflake/BigQuery: Steal OAuth tokens from the analytics vendor, then walk into any customer's data warehouse. Victims: Vimeo, Zara, Rockstar Games, and an unknown number of others whose Anodot instances held Snowflake credentials.
- Salesforce Experience Cloud: Scan for misconfigured guest user permissions on the
/s/sfsites/auraendpoint. No authentication needed. Victims: 7-Eleven, TransUnion, Canada Life, McGraw-Hill, Kemper Corporation, and between 300 and 400 other companies identified by Push Security.[13] - SSO credential theft (Okta, Microsoft Entra): Voice-phish employees into handing over single sign-on credentials by impersonating IT support. Victims: ADT, Hims & Hers, Crunchyroll, Figure Technology, Panera Bread, and 100+ companies across the broader campaign.[14]
That's it. Three techniques. One group has been cycling through them since late 2025, hitting new companies every week, and the number of confirmed victims now stretches past a thousand across the Salesforce campaigns alone.[13]
The 2026 Scoreboard
Here's what ShinyHunters' recent victim list looks like when you map it by entry point:
| Victim | Records Exposed | Entry Point | Ransom Paid? |
|---|---|---|---|
| European Commission | 350 GB (29+ EU entities) | AWS cloud infra | No |
| Instructure (Canvas) | 275 million | Multiple vectors | Yes |
| Rockstar Games | 78.6 million | Anodot → Snowflake | No |
| Zara | 197,000 | Anodot → Snowflake | No |
| Vimeo | 119,000 | Anodot → Snowflake/BigQuery | No |
| 7-Eleven | 185,000 | Salesforce Experience Cloud | No |
| McGraw-Hill | 13.5 million | Salesforce | No |
| Medtronic | 9 million | Third-party vendor | No |
| TransUnion | Millions | Salesforce | No |
| Canada Life | 5.6 million | Salesforce | No |
| ADT | 10 million | Okta SSO (vishing) | No |
| Hims & Hers | Millions | Zendesk/Okta SSO | No |
And that's just the confirmed victims. Push Security identified 300-400 companies breached through Salesforce alone by March 2026. The IC3 issued a public service announcement about ShinyHunters in May.[15] This isn't a threat actor. It's an industry.
Why This Keeps Working
Three reasons:
Vendors accumulate keys nobody audits. Anodot held OAuth tokens for dozens of companies' Snowflake instances. When ShinyHunters compromised Anodot, they got all of those keys at once. Most companies have no idea how many third-party tools hold credentials to their core infrastructure. A typical enterprise has 40-60 SaaS integrations touching production data.[12]
Salesforce defaults are dangerous. The /s/sfsites/aura endpoint is exposed by default on Experience Cloud sites. Salesforce leaves it up to administrators to restrict guest user queries, and most don't know they need to. ShinyHunters built automation to scan for this at scale.[5]
The "pay or leak" model is self-funding. Instructure paid ShinyHunters' ransom. That money funded the next attacks. Every ransom payment proves the model works and buys more infrastructure, more scanning tools, more operator time. The companies that don't pay still lose their data, but at least they don't fund the next breach.[16]
What You Can Do
If you're a customer of any of these companies:
- 7-Eleven franchise applicants: You may be eligible for 24 months of free identity protection. Call 1-833-788-9712 before August 1, 2026.
- Vimeo users: Change your password. Enable two-factor authentication. Your email address is likely in the dump.
- Zara shoppers: Check your email for breach notifications from Inditex. No payment info was stolen, but your email and order history are out there.
- Everyone: Check Have I Been Pwned. Both the Vimeo and Zara breaches have been loaded.
If you run a business:
- Audit your Salesforce Experience Cloud configuration. Right now. Check what guest users can query through the Aura endpoint. If you're not sure, assume it's misconfigured.
- Map every vendor with OAuth tokens to your data infrastructure. Snowflake, BigQuery, Databricks, Redshift: every integration that holds stored credentials. Ask when those tokens were last rotated.
- Kill unused integrations. If you stopped using Anodot six months ago but never revoked its credentials, ShinyHunters thanks you for the open door.
- Train your staff on vishing. ShinyHunters' SSO campaign works because employees hand over Okta credentials to callers posing as IT support. A phone call is still the cheapest exploit in cybersecurity.
The Assembly Line Won't Stop
ShinyHunters has found a model that scales. Compromise one vendor, breach dozens of customers. Scan one API endpoint, find hundreds of misconfigured Salesforce sites. Phish one employee, pivot to the whole organization through SSO.
The European Commission (with all the resources of the EU) got hit through a cloud provider. 7-Eleven got hit through Salesforce. Vimeo and Zara got hit through the same analytics vendor on the same day. The FBI's IC3 is issuing advisories. And ShinyHunters posted new victims this week.
This isn't a breach. It's a production line. And it runs until companies stop giving vendors keys they never audit, to doors they forgot existed.
Sources
- HackRead: "ShinyHunters Claims 350GB Data Breach at European Commission" (March 2026)
- CyberNews: "It looks bad: inside ShinyHunters' European Commission data breach" (March 2026)
- TwelveSec: "The Silent Storm in Brussels: Decoding the ShinyHunters Breach of the European Commission" (March 30, 2026)
- Bleeping Computer: "7-Eleven data breach exposes personal information of 185,000 people" (May 2026)
- Security Affairs: "ShinyHunters hack 7-Eleven: franchisee data and Salesforce records exposed" (May 2026)
- TechCrunch: "7-Eleven data breach affects over 185,000 people's personal data" (May 26, 2026)
- Vorlon: "Anodot Breach Exposes Snowflake Customer Data, Including Rockstar Games" (April 2026)
- Security Affairs: "Vimeo confirms breach via third-party vendor impacts 119K users" (May 2026)
- The Register: "ShinyHunters claims dump puts 119K Vimeo emails in the wild" (May 5, 2026)
- Security Affairs: "Zara Data Breach: 197,000 Customers Exposed in Third-Party Security Incident" (May 2026)
- Have I Been Pwned: "Zara Data Breach" (2026)
- RH-ISAC: "Active Data Theft Campaign Targeting Snowflake Customers via Anodot Third-Party SaaS Integration Breach" (2026)
- Push Security: "How three techniques are behind ShinyHunters' 2026 campaigns" (2026)
- State of Surveillance: "ShinyHunters' SSO Campaign Hits 100+ Companies" (January 27, 2026)
- FBI IC3: "ShinyHunters: Cyber Criminal Group Attacks Learning Management System" (May 15, 2026)
- State of Surveillance: "Instructure Paid the Ransom" (May 2026)