Warning signs and security alerts on computer monitors

TL;DR: ShinyHunters (the same gang behind the Ticketmaster breach) has been on a tear since January 2026. They're voice-phishing employees at big companies, stealing Okta SSO credentials, and dumping millions of customer records when ransom negotiations fail. Confirmed victims include Harvard, UPenn, Panera Bread (5.1M accounts), Match Group (Hinge, Bumble, OkCupid), Betterment (1.4M), SoundCloud (29.8M), Crunchbase, Figure, Canada Goose, and more. If you used any of these services, your email, name, and possibly payment details are in a database somewhere. Check Have I Been Pwned right now.

Check If You're Affected (Do This First)

Go to Have I Been Pwned and enter every email address you use. The site is run by security researcher Troy Hunt and now includes several ShinyHunters breaches:[1]

  • SoundCloud: 29.8 million accounts added to HIBP
  • Panera Bread: 5.1 million email addresses confirmed
  • University of Pennsylvania: 624,000 email addresses added February 16
  • Canada Goose: 581,900 email addresses from 920,000 records

Other ShinyHunters breaches (Harvard, Betterment, Match Group, Crunchbase, Figure) may be added soon. Just because your email doesn't show up today doesn't mean it won't next week.

Confirmed ShinyHunters Victims (January-February 2026)

This is not a complete list. ShinyHunters told reporters they've breached "a lot more" organizations than they've announced.[2] These are the confirmed dumps:

SoundCloud: 29.8M accounts

What leaked: Emails, usernames, names, profile data, geographic locations.[1]

When: Breach confirmed December 2025

Status: In Have I Been Pwned

Panera Bread: 5.1M accounts

What leaked: Names, emails, phone numbers, payment card data (partial), rewards info, order history.[3]

When: Announced January 2026

Status: In Have I Been Pwned

Match Group: 10M+ records

What leaked: Dating profiles from Hinge, Bumble, OkCupid, Match.com. Names, emails, preferences, messages.[4]

When: Announced January 29, 2026

Status: Ransom negotiations ongoing

Betterment: 1.4M customers

What leaked: Names, emails, account info for the robo-advisor's investment customers.[5]

When: Data dumped January 23, 2026

Status: Company confirmed breach

Harvard University: 115K records

What leaked: Alumni donor data, development records, names, contact info.[6]

When: Announced February 4, 2026

Status: Data published

University of Pennsylvania: 624K records

What leaked: Donor and alumni data, email addresses, personal info.[7]

When: Announced February 2026

Status: In Have I Been Pwned

Canada Goose: 582K emails

What leaked: Customer emails, partial payment data, order history, addresses.[8]

When: Announced February 2026

Status: In Have I Been Pwned (company says data is old)

Crunchbase: 2M+ records

What leaked: Employee records, signed contracts, internal corporate documents.[9]

When: Data published January 26, 2026

Status: Company confirmed breach

Figure Technologies: 2.5GB

What leaked: Customer PII from the blockchain lending fintech.[10]

When: Announced February 13, 2026

Status: Company confirmed breach

Mercer Advisors: 5M claimed

What leaked: Wealth management client data.[11]

When: February 2026

Status: Under investigation

Other targeted organizations include Atlassian, Canva, Epic Games, HubSpot, ZoomInfo, RingCentral, and more. Silent Push identified over 100 companies on ShinyHunters' target list.[12]

How ShinyHunters Pulls This Off

Same playbook every time:[12]

  1. Phone call from "IT support": Someone calls an employee and says there's suspicious activity on their account. Sounds official. Caller ID is spoofed to show the company's real IT helpdesk number.
  2. Fake Okta login page: The employee gets sent to what looks like their company's Okta portal. It's actually a real-time phishing proxy that captures credentials as they're typed.
  3. MFA bypass: When Okta sends a push notification, the attacker tells the victim: "You'll see a number, approve it." Victim does. Authentication complete.
  4. Every app, all data: With SSO access, the attacker can reach Salesforce, Slack, email, file storage, customer databases: everything connected to that login.
  5. Ransom or dump: ShinyHunters contacts the company: pay up or we publish. Most refuse. Data gets dumped.

Google's Mandiant team confirmed the campaign is "active and ongoing."[12]

What to Do If You're Affected

1. Change Your Passwords Now

Start with any accounts that use the same email and password combo. The leaked data will be used for credential stuffing attacks within days.

2. Enable 2FA Everywhere

Use an authenticator app (Google Authenticator, Authy) or better yet, a hardware security key. SMS codes are better than nothing but can be SIM-swapped.

3. Watch for Targeted Phishing

Attackers know where you shop, bank, and date. Expect convincing emails that reference your actual accounts. Verify everything by going directly to websites. Never click links in emails.

4. Check Bank and Credit Card Statements

Panera and Canada Goose breaches included partial payment data. Look for small test charges. Attackers often run $1 transactions before larger fraud.

5. Freeze Your Credit

If your SSN wasn't exposed, this is optional. But if you're in multiple breaches, a credit freeze at Equifax, Experian, and TransUnion prevents new accounts being opened in your name.

6. Consider a Password Manager

Bitwarden (free), 1Password, or Dashlane. Unique password for every site. You remember one master password. The manager handles the rest.

Keep Checking

ShinyHunters is still active. New dumps appear weekly. Here's how to stay ahead:

  • Sign up for Have I Been Pwned notifications: Enter your email at haveibeenpwned.com/NotifyMe. Free alerts when your email shows up in new breaches.
  • Check monthly: New breaches get added constantly. Make it a habit to check HIBP on the first of each month.
  • Use unique emails for sensitive accounts: Services like SimpleLogin or Firefox Relay let you create email aliases. When one gets breached, you know exactly which service leaked it.

If Your Company Uses Okta (Or Any SSO)

ShinyHunters isn't done. Your organization could be next. Critical steps:[12]

  • Deploy FIDO2 security keys or passkeys immediately. These cryptographically verify the server: a fake Okta page won't trigger authentication. YubiKeys cost $25-50 each.
  • Kill push-based MFA as a standalone option. Number matching doesn't help when the attacker is literally telling the victim which number to approve.
  • Train employees: If "IT" calls you, hang up. Call back on the number from your company directory. Real IT will never ask you to approve a login over the phone.
  • Monitor device enrollments: ShinyHunters enrolls their own devices into victim MFA. Flag any new device that doesn't match your provisioning process.
  • Restrict SSO logins by network: Block authentication from VPNs, Tor nodes, and anonymizing proxies in your identity provider's policies.

ShinyHunters 2026 Timeline

  • December 2025: SoundCloud breach confirmed (28-30M users)
  • January 9, 2026: Betterment breach occurs
  • January 23, 2026: Betterment data dumped after ransom refused
  • January 26, 2026: Silent Push reports 100+ companies targeted; Crunchbase confirms breach
  • January 27, 2026: Panera Bread breach announced (5.1M accounts)
  • January 29, 2026: Match Group breach claimed (10M+ records)
  • February 4, 2026: Harvard and UPenn data published
  • February 13, 2026: Figure Technologies confirms breach
  • February 16, 2026: Canada Goose data appears (582K emails)
  • February 20, 2026: ShinyHunters demands $1.5M from Wynn Resorts (800K employee records)
  • February 21, 2026: CarGurus data dumped (12.5M records)
  • February 2026: Mercer Advisors breach claimed
  • March 11, 2026: TELUS Digital breach confirmed (1 petabyte via supply chain credentials)

The Bottom Line

ShinyHunters found the exploit that scales: call employees, steal SSO credentials, harvest everything. They've hit at least 15 companies since January with over 50 million records confirmed leaked. More are coming.

If you used SoundCloud, Panera, a dating app, Betterment, donated to Harvard or Penn, bought from Canada Goose, or work with Crunchbase or Figure, assume your data is out there. Check Have I Been Pwned. Change your passwords. Turn on 2FA. Watch for phishing.

And if your employer uses Okta, Microsoft, or Google SSO without hardware security keys, ask why. Because ShinyHunters is still calling.

References

  1. BleepingComputer - Have I Been Pwned: SoundCloud Data Breach Impacts 29.8 Million Accounts (February 2026)
  2. BleepingComputer - ShinyHunters Claim to Be Behind SSO Account Data Theft Attacks (January 2026)
  3. BleepingComputer - Panera Bread Breach Impacts 5.1 Million Accounts (January 2026)
  4. The Register - ShinyHunters Claims It Stole 10M Records from Dating Apps (January 29, 2026)
  5. American Banker - Betterment Data Breach Exposes 1.4 Million Customers (January 2026)
  6. InfoStealers - A Technical Post-Mortem of the Feb 2026 Harvard University ShinyHunters Data Breach
  7. TechNadu - University of Pennsylvania Data Breach Exposes 624K Individuals (February 2026)
  8. The Register - Canada Goose Says ShinyHunters Only Breached Old Data (February 16, 2026)
  9. TechStartups - Crunchbase Confirms January 2026 Data Breach After ShinyHunters Leak
  10. ClaimDepot - Figure Technology Solutions: 2.5GB Data Breach Exposes PII (February 2026)
  11. Cybernews - ShinyHunters Claims Attack on Top US Investment Advisors (February 2026)
  12. The Register - Canva Among ~100 ShinyHunters Credential-Theft Targets (January 26, 2026)