< ciso
brief />
Tag Banner

All news with #shinyhunters tag

76 articles · page 3 of 4

Data Breach at Fintech Figure Exposes Nearly 1 Million

🔒 Figure Technology Solutions confirmed a social engineering breach that exposed personal and contact data for 967,200 accounts. Notification service Have I Been Pwned reported files posted in February 2026 containing unique emails, names, phone numbers, physical addresses and dates of birth dating back to January 2026. The extortion group ShinyHunters claimed responsibility and posted roughly 2.5 GB of alleged loan applicant data.
read more →

Canada Goose Investigates After 600K Customer Records Leak

🔍 Canada Goose is investigating after data extortion group ShinyHunters published an archive claiming more than 600,000 customer records tied to past transactions. The 1.67 GB JSON dataset reportedly contains names, emails, phone numbers, billing and shipping addresses, IPs, order histories, and partial payment card data (brands, BINs, last four digits). Canada Goose says it has found no evidence of a breach of its own systems and that no unmasked financial data appears present, while it reviews the dataset to verify accuracy and scope.
read more →

Scattered Lapsus Shiny Hunters: Extortion Tactics Exposed

🔒 A prolific English-language extortion gang calling itself Scattered Lapsus Shiny Hunters (SLSH) combines data theft with coordinated harassment — swatting, DDoS, and call- and email-flooding — to pressure victims into paying. Allison Nixon of Unit 221B and forensic analysis from Mandiant trace recent incidents to early–mid January 2026, when attackers used phone-based phishing to harvest SSO and MFA codes. Nixon warns SLSH is fractious and untrustworthy, and advises organizations that negotiating beyond a firm refusal generally escalates harm and provides attackers information useful for later fraud.
read more →

Panera Bread breach affects 5.1M accounts, not 14M customers

🔒 Have I Been Pwned reports that a January 2026 data breach at Panera Bread exposed roughly 5.1 million unique email addresses and associated contact information, rather than 14 million distinct customers as initially claimed. The files, totaling about 760 MB, were published by the ShinyHunters extortion group after an alleged failed ransom attempt. ShinyHunters says it gained access via a Microsoft Entra SSO code as part of a broader vishing campaign targeting SSO providers. Panera has confirmed the incident to authorities and said the data is contact information.
read more →

Mandiant: ShinyHunters Exploit SSO and Vishing Campaigns

🔒 Mandiant reports a recent wave of ShinyHunters attacks that combine targeted vishing and company‑branded phishing sites to capture SSO credentials and MFA codes. Attackers impersonate IT or helpdesk staff, guide victims through MFA approval or one‑time passcodes in real time, and enroll attacker-controlled MFA devices. With access to Okta, Microsoft Entra, or Google SSO dashboards they pivot into SaaS platforms (Salesforce, Microsoft 365, SharePoint, DocuSign, Slack, Atlassian, Dropbox, Google Drive) to steal and extort cloud data.
read more →

Mandiant: Vishing Campaign Steals MFA to Breach SaaS

📞 Google-owned Mandiant reported an expansion of ShinyHunters-style extortion activity that combines advanced voice phishing with fake credential-harvesting sites to capture SSO credentials and MFA codes to access cloud SaaS environments. The team is tracking multiple clusters (UNC6661, UNC6671, UNC6240) and observed attackers impersonating IT staff, registering attacker-controlled MFA devices, and exfiltrating data from services such as SharePoint and OneDrive. Mandiant recommends strengthening help-desk verification, improving logging and detection, restricting weak authentication methods, and adopting phishing-resistant options like FIDO2 or passkeys.
read more →

Defending Against ShinyHunters Branded SaaS Extortion

🔐 Mandiant is tracking a notable expansion of ShinyHunters-branded extortion campaigns that use evolved vishing and victim-branded credential harvesting to compromise SSO credentials and enroll unauthorized devices into corporate MFA. These intrusions exploit social engineering — not product vulnerabilities — to pivot into cloud SaaS environments and perform bulk exports and administrative abuse. The post provides prioritized containment, hardening, logging, and detection guidance, and urges adoption of phishing-resistant MFA such as FIDO2 security keys and passkeys.
read more →

ShinyHunters Expansion Targets SaaS Identity and Data

🔎 Mandiant and Google GTIG observed an expansion of ShinyHunters-style campaigns using sophisticated vishing and victim-branded credential harvesting sites to steal SSO credentials and MFA codes. Compromised accounts were used to access a broadening set of cloud SaaS applications to locate confidential documents and PII for extortion. Activity attributed to clusters UNC6661, UNC6671, and UNC6240 includes harassment, DDoS, and Limewire-hosted proof samples. Organizations should adopt phishing-resistant MFA such as FIDO2 or passkeys and follow published hardening and detection guidance.
read more →

ShinyHunters Launch Vishing Campaign Targeting 100s

📞 Notorious extortion group ShinyHunters released tens of gigabytes of files it claims were stolen from dating services including Hinge, Match, OkCupid and Bumble. Researchers link the disclosures to a broader campaign that combines automated phishing kits with voice-based social engineering to capture credentials and MFA tokens in real time. Security firm Silent Push detected a 'Live Phishing Panel' and infrastructure consistent with SLSH activity targeting more than 100 high-value organizations. Organizations are advised to verify IT support calls through official out-of-band channels and audit OSS logs for suspicious device enrollments and new-IP logins.
read more →

Match Group Breach Exposes Data from Multiple Dating Apps

🔒Match Group confirmed a security incident after the ShinyHunters group leaked 1.7 GB of compressed files allegedly containing about 10 million records from Hinge, Match, and OkCupid, along with internal documents. The company says it terminated unauthorized access, is working with external experts, and believes a limited amount of user data was exposed with no indication that login credentials, financial information, or private communications were accessed. Match Group is notifying affected individuals as appropriate and continuing its investigation.
read more →

Have I Been Pwned: SoundCloud breach affects 29.8M

🔒 SoundCloud confirmed unauthorized activity in December 2025 after users reported 403 errors and the company said it had activated incident response procedures; it indicated no passwords or financial data were accessed. Have I Been Pwned later disclosed the incident impacted 29.8 million accounts, exposing email addresses, names, usernames, avatars, follower/following counts and, in some cases, country. Sources and updates attribute the intrusion to the ShinyHunters extortion group, which attempted to extort SoundCloud and used email flooding to harass users, employees, and partners.
read more →

ShinyHunters Claim Responsibility for SSO Vishing Attacks

📞 ShinyHunters says it is behind a wave of voice-phishing campaigns that compromise single sign-on accounts at Okta, Microsoft Entra, and Google, enabling access to downstream SaaS platforms. Attackers call employees posing as IT, steer victims through dynamic phishing pages and capture multi-factor authentication in real time, then enumerate connected applications to harvest data. The group claims Salesforce as a primary target and has issued extortion demands using stolen information.
read more →

BreachForums user database leaked, exposing 323,986 records

🔓 On January 9, 2026, a database containing 323,986 BreachForums user records was published on a site named after the ShinyHunters gang, exposing usernames, email addresses, password hashes and IP addresses. The leak was accompanied by a roughly 4,400‑word manifesto from someone calling themselves "James", who names alleged cybercriminals and claims responsibility. The provenance and motive remain unclear, though the dump could provide law enforcement with investigative leads and highlights the limits of perceived anonymity on criminal forums.
read more →

BreachForums Database Leak Exposes Forum User Records

🔓 A leaked SQL database tied to the BreachForums dark-web forum was published by a site associated with the ShinyHunters collective, according to Resecurity. The archive reportedly contains meta-data for 323,986 MyBB users, including usernames and IP addresses, though some IPs appear sanitized or set to loopback values. Resecurity warns that copies from other sources may be booby-trapped and recommends obtaining the dataset from its site.
read more →

ShinyHunters Claims Resecurity Breach; Firm Calls Honeypot

🔒 ShinyHunters claims it gained full access to cybersecurity firm Resecurity, publishing Telegram screenshots that allegedly show employee records, internal chats, threat intelligence reports, and client data. Resecurity disputes the account, saying the accessed environment was an isolated honeypot populated with synthetic datasets after researchers detected probes in November 2025. The firm reports the actor generated automated exfiltration activity between December 12–24, collected telemetry on proxy infrastructure and tactics, and shared intelligence with law enforcement while the attacker promises to release more evidence.
read more →

PornHub Extorted After Mixpanel Breach Exposes Premium Data

🔓 PornHub says it is being extorted after threat actors claiming to be ShinyHunters said they stole analytics records from vendor Mixpanel, which suffered a smishing-driven breach on November 8, 2025. PornHub stated the incident affects only select Premium users and emphasized that passwords and payment details were not exposed. The company also said it has not worked with Mixpanel since 2021, indicating the records are historical analytics data.
read more →

Gainsight Expands Customer Impact After Salesforce Alert

🔒 Gainsight disclosed that suspicious activity affecting its Salesforce-connected applications has expanded beyond an initial three-customer list provided by Salesforce, with the company saying it presently knows of "only a handful" of customers whose data were affected. Salesforce revoked access and refreshed tokens for impacted Gainsight-published apps after detecting "unusual activity" claimed by the ShinyHunters group. Several vendors suspended integrations while investigations continue; Gainsight advised rotating credentials, resetting non‑SSO passwords, and reauthorizing connectors as preventive measures.
read more →

Salesforce Flags Unauthorized Access via Gainsight OAuth

🔒 Salesforce reported detected 'unusual activity' involving Gainsight-published applications that used OAuth connections to its platform and said the activity may have enabled unauthorized access to some customers' Salesforce data. The company revoked all active access and refresh tokens for affected apps and temporarily removed those listings from the AppExchange while it investigates. Gainsight also pulled its app from the HubSpot Marketplace as a precaution. Security analysts have linked the activity to the ShinyHunters (UNC6240) group and are urging customers to review and revoke suspicious third-party integrations.
read more →

ShinySp1d3r RaaS Emerges - New Encryptor by ShinyHunters

🕷️ An in-development build of the ShinySp1d3r ransomware-as-a-service has surfaced, revealing a Windows encryptor developed by threat actors linked to ShinyHunters and affiliates. The sample shows ChaCha20 file encryption with RSA-2048 key protection, per-file headers beginning with "SPDR" and ending with "ENDS", and automated propagation methods via SCM, WMI, and GPO. The build includes process-killing, EtwEventWrite hooking, free-space overwriting, shadow-copy deletion, anti-analysis measures, and deploys a ransom note (R3ADME_1Vks5fYe.txt) plus a wallpaper; Linux and ESXi versions are reportedly in progress.
read more →

Checkout.com Apologizes After Breach, Donates Ransom

🔒 Checkout.com publicly disclosed a breach after the ShinyHunters group accessed data from a legacy third‑party cloud storage system used prior to 2020, and issued an apology taking responsibility for the error. The company said fewer than 25% of current merchants were affected, confirmed no payment card data was taken, and refused the ransom demand. Instead of paying, it donated the ransom amount to Carnegie Mellon University and the University of Oxford Security Center to support research into cybercrime.
read more →