Last Updated on May 5, 2026 by Arnav Sharma
If you work in security and you haven’t been tracking ShinyHunters lately, now’s the time to start. This group has been on an absolute tear through 2026, and the last few weeks of April and early May brought a string of breaches that should have every CISO and security architect paying close attention.
Let’s walk through what happened, how they did it, and what it tells us about where data extortion is heading.
ADT: 5.5 Million Records via a Phone Call
On April 20, ADT detected unauthorized access to customer data. Four days later, they filed an 8-K with the SEC confirming the breach. ShinyHunters claimed responsibility almost immediately, posting the company on their data leak site and setting an April 27 ransom deadline. ADT didn’t pay. ShinyHunters dumped an 11 GB archive on the dark web.
The exposed data included names, phone numbers, addresses, and in a smaller subset, dates of birth and partial Social Security numbers. No payment data or alarm system access was compromised, which is the one piece of good news here.
But the attack method is what matters most. ShinyHunters reportedly gained access through a voice phishing (vishing) call that tricked an ADT employee into handing over their Okta SSO credentials. From there, the attackers walked straight into ADT’s Salesforce instance and started pulling data.
No zero-day. No malware. Just a convincing phone call.
This is the third time ADT has disclosed a breach in under two years, which raises fair questions about whether previous remediation efforts went deep enough.
Instructure: 275 Million Records Across 9,000 Schools
The Instructure breach hit the news over the first weekend of May. If you’re not familiar with Instructure, they make Canvas, one of the most widely used learning management systems in K-12 and higher education worldwide.
ShinyHunters claims to have stolen 3.65 TB of data from the platform, affecting roughly 275 million individuals across nearly 9,000 schools. The stolen data includes names, email addresses, student ID numbers, and private messages between users. Instructure says passwords, financial data, and government IDs were not involved.
The attack started around April 30 when Instructure noticed disruptions to tools relying on API keys. By May 1, the company confirmed a criminal threat actor was involved and brought in external forensics. Canvas Data 2 and Canvas Beta were taken down for maintenance. Service was mostly restored by May 3.
Here’s what makes this one sting: this is Instructure’s second breach linked to ShinyHunters in about eight months. The first one, in September 2025, targeted their Salesforce environment through social engineering. The fact that the same group came back and found another way in raises uncomfortable questions about how thoroughly the first incident was investigated and closed out.
ShinyHunters also claims to have reached Instructure’s Salesforce instance again, meaning the blast radius may extend beyond Canvas itself.
The Salesforce Thread That Connects Everything
If you zoom out, a pattern becomes obvious. Salesforce keeps showing up.
Going back to September 2025, ShinyHunters started targeting Salesforce customers through the Salesloft/Drift integration, stealing OAuth tokens to get into hundreds of Salesforce instances. By January 2026, they had weaponized AuraInspector, an open-source audit tool released by Mandiant, to mass-scan Salesforce Experience Cloud sites for misconfigured guest user profiles. By March 2026, they claimed to have breached somewhere between 300 and 400 companies through this method alone.
The victims read like a who’s-who: McGraw Hill (13.5 million records), NVIDIA GeForce NOW (unconfirmed but claimed), Rockstar Games (80 million records claimed), the European Commission (350 GB), TELUS Digital (1 petabyte), and dozens of others across finance, education, gaming, and government.
Salesforce has been clear that this isn’t a platform vulnerability. The problem sits in how customers configure their Experience Cloud guest user profiles. When guest users have API access enabled or when Organization-Wide Defaults are set too permissively, the data behind those portals becomes reachable without authentication.
That’s a configuration problem, not a code problem. And the distinction matters because it means there’s no patch coming. Each affected organisation has to go review and lock down its own settings.
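Because the fix is a settings review rather than a patch, it can be checked offline against exported metadata. The following is an added example (not from the article or from Salesforce) that parses Profile and CustomObject definitions in the Salesforce Metadata API XML format and flags the two conditions named above: "API Enabled" on a guest profile and a non-Private external (guest/portal) sharing default. The sample XML is constructed, and identifying guest profiles by name is an assumption about your org's naming convention.

```python
"""Audit exported Salesforce metadata for the guest-user weaknesses the article describes.
Added example; the XML below is constructed, and the 'Guest'/'Site' name check
is an assumption about how guest profiles are named in a given org."""
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# Constructed guest profile: API access was left switched on.
GUEST_PROFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
    <userPermissions><enabled>false</enabled><name>ViewAllData</name></userPermissions>
</Profile>"""

# Constructed object: internal OWD is Private but the external (guest/portal)
# sharing model, which governs what guest users can reach, is ReadWrite.
OBJECT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
    <sharingModel>Private</sharingModel>
    <externalSharingModel>ReadWrite</externalSharingModel>
</CustomObject>"""


def guest_profile_findings(name: str, xml: str) -> list:
    """Return findings for a profile; only guest/site profiles are examined."""
    if "Guest" not in name and "Site" not in name:  # assumption: naming convention
        return []
    findings = []
    for perm in ET.fromstring(xml).findall("m:userPermissions", NS):
        if (perm.findtext("m:name", namespaces=NS) == "ApiEnabled"
                and perm.findtext("m:enabled", namespaces=NS) == "true"):
            findings.append(f"{name}: 'API Enabled' is on for a guest profile")
    return findings


def object_findings(name: str, xml: str) -> list:
    """Flag objects whose external (guest/portal) sharing default is not Private."""
    external = ET.fromstring(xml).findtext("m:externalSharingModel", namespaces=NS)
    if external and external != "Private":
        return [f"{name}: external sharing model is {external}, expected Private"]
    return []


def run_audit() -> list:
    """Run both checks over the constructed sample metadata."""
    return (guest_profile_findings("Customer Portal Guest Profile", GUEST_PROFILE_XML)
            + object_findings("Contact", OBJECT_XML))


if __name__ == "__main__":
    for finding in run_audit():
        print("FINDING:", finding)
```

Point the two functions at the `profiles/` and `objects/` directories of a metadata retrieval to sweep a whole org; a profile that is not a guest profile is skipped rather than reported.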
Two Playbooks, One Group
What’s interesting about ShinyHunters in 2026 is that they’re running two distinct attack playbooks at the same time.
- Playbook 1: Vishing for SSO credentials. This is the ADT approach. Call an employee or a BPO agent, impersonate IT support, and get them to hand over their Okta, Microsoft Entra, or Google SSO login. Once inside, the attacker enrols a new MFA device (often using emulated Android hardware through Genymobile), then fans out across every SaaS app connected through that SSO. Obsidian Security published a detailed write-up showing how these attackers trigger SSO Burst alerts by accessing an abnormally high number of connected applications in a short window. They’re not looking for one specific thing. They’re checking which doors opened with that one key.
- Playbook 2: Scanning for Salesforce misconfigurations. This is the McGraw Hill and NVIDIA approach. Automated scanning of public-facing Experience Cloud sites using a modified version of AuraInspector, targeting guest user profiles that have too many permissions. No social engineering needed. No credentials required. If the door is unlocked, they walk in.
Both playbooks end the same way: data gets stolen, the victim gets a ransom deadline, and if they don’t pay, the data goes up on the ShinyHunters leak site.
What Defenders Should Be Doing Right Now
If your organisation uses Okta, Entra, or any SSO platform combined with SaaS applications like Salesforce, here’s where I’d focus:
- Lock down Salesforce Experience Cloud guest access. Disable “API Enabled” on all guest user profiles. Uncheck “Portal User Visibility” and “Site User Visibility” in Sharing Settings. If self-registration isn’t required for your use case, turn it off. These are the exact toggles ShinyHunters is scanning for.
- Treat vishing as a real, present threat. Most security awareness training still puts phishing emails front and centre. Voice phishing is now the primary initial access vector for this group. Your helpdesk and IT support teams need specific training on how to verify caller identity before resetting credentials or walking someone through an MFA enrollment. If someone calls claiming to be from IT, there should be an out-of-band verification step before anything happens.
- Monitor for abnormal SSO behaviour. Watch for authentication sequences that deviate from normal user patterns, especially failure-heavy login chains followed by successful authentication from unusual devices. Pay attention to FastPass or Okta Verify enrollment events that happen right after a suspicious login. And flag any session that rapidly accesses a large number of SSO-connected apps in a short time.
- Audit your SaaS blast radius. Map out which applications are connected to your SSO. Understand what data each one holds. If an attacker compromises one identity, how far can they get? That question should have a documented answer.
- Assume the stolen data will be used for follow-on attacks. Names, email addresses, student IDs, employee records. This data is fuel for targeted phishing. If your organisation or your users were part of any of these breaches, expect convincing spearphishing attempts in the weeks ahead.
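The SSO monitoring item above can be expressed as two small detections over identity-provider logs: a user who reaches many distinct SSO-connected apps inside a short window (the burst pattern), and a user who activates a new MFA factor right after a failure-heavy login chain. The code below is an added example, not from the article, Obsidian Security or Okta. The events are constructed and only loosely modelled on Okta System Log records; the event type strings, window and thresholds are assumptions to tune for your own environment.

```python
"""Two SSO-abuse detections over constructed identity-provider events (added example).
Event type names are modelled on Okta System Log types but are assumptions here;
tune BURST_WINDOW, BURST_APPS and ENROL_AFTER_FAILS to your own baseline."""
from collections import defaultdict
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(minutes=10)
BURST_APPS = 5           # distinct apps inside one window that counts as a burst
ENROL_AFTER_FAILS = 3    # failed logins before a success + new MFA factor

# Constructed events: (timestamp, user, eventType, outcome, target app/factor)
EVENTS = [
    ("2026-04-20T09:00:05Z", "j.doe", "user.session.start", "FAILURE", ""),
    ("2026-04-20T09:00:41Z", "j.doe", "user.session.start", "FAILURE", ""),
    ("2026-04-20T09:01:12Z", "j.doe", "user.session.start", "FAILURE", ""),
    ("2026-04-20T09:02:30Z", "j.doe", "user.session.start", "SUCCESS", ""),
    ("2026-04-20T09:03:10Z", "j.doe", "user.mfa.factor.activate", "SUCCESS", "Okta Verify"),
    ("2026-04-20T09:04:00Z", "j.doe", "user.authentication.sso", "SUCCESS", "Salesforce"),
    ("2026-04-20T09:04:20Z", "j.doe", "user.authentication.sso", "SUCCESS", "Workday"),
    ("2026-04-20T09:04:45Z", "j.doe", "user.authentication.sso", "SUCCESS", "Slack"),
    ("2026-04-20T09:05:05Z", "j.doe", "user.authentication.sso", "SUCCESS", "Box"),
    ("2026-04-20T09:05:30Z", "j.doe", "user.authentication.sso", "SUCCESS", "Zendesk"),
    ("2026-04-20T09:30:00Z", "a.lee", "user.session.start", "SUCCESS", ""),
    ("2026-04-20T09:31:00Z", "a.lee", "user.authentication.sso", "SUCCESS", "Salesforce"),
]


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def sso_bursts(events, window=BURST_WINDOW, min_apps=BURST_APPS) -> dict:
    """Map user -> sorted app list for users reaching >= min_apps apps in one window."""
    per_user = defaultdict(list)
    for ts, user, etype, outcome, target in events:
        if etype == "user.authentication.sso" and outcome == "SUCCESS":
            per_user[user].append((_ts(ts), target))
    alerts = {}
    for user, hits in per_user.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):       # slide the window over each start
            apps = {t for ts, t in hits[i:] if ts - start <= window}
            if len(apps) >= min_apps:
                alerts[user] = sorted(apps)
                break
    return alerts


def suspicious_enrolments(events, min_failures=ENROL_AFTER_FAILS) -> set:
    """(user, factor) pairs where a new MFA factor followed a failure-heavy login chain."""
    fails, last_chain, flagged = defaultdict(int), {}, set()
    for _, user, etype, outcome, target in sorted(events):   # ISO timestamps sort as text
        if etype == "user.session.start":
            if outcome == "FAILURE":
                fails[user] += 1
            else:                      # success closes the chain; remember its length
                last_chain[user], fails[user] = fails[user], 0
        elif etype == "user.mfa.factor.activate" and last_chain.get(user, 0) >= min_failures:
            flagged.add((user, target))
    return flagged
```

Either detection alone is noisy (an onboarding day produces both patterns); the two firing for the same user within minutes is the signal worth paging on.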
The Bigger Picture
ShinyHunters has turned data extortion into an assembly line. They’re not writing custom exploits or burning zero-days. They’re calling people on the phone and scanning for open doors in cloud platforms. The tools are simple. The execution is fast. And the scale is staggering.
The group has been linked to Scattered Spider and Lapsus$ members, and despite arrests in France and a guilty plea in the US, operations haven’t slowed down. If anything, they’ve accelerated. The volume of disclosed breaches in 2026 alone, across education, telecoms, gaming, government, and enterprise security, suggests a well-organised operation with multiple active operators.
For security teams, the lesson is blunt: identity is the perimeter now, and SaaS configuration is the attack surface. If you’re still focused primarily on network defenses and endpoint protection, you’re defending the wrong things.
The phone call that starts a breach doesn’t trip a firewall rule. The misconfigured guest profile doesn’t generate a CVE. These gaps live in the spaces between traditional security controls, and ShinyHunters has figured out how to exploit them at scale.
I help organisations secure their cloud infrastructure and stay ahead of evolving cyber threats. Microsoft MVP and Certified Trainer, author of Mastering Azure Security, and founder of arnav.au — a platform for practical Cloud, Cybersecurity, DevOps and AI content.
Frequently Asked Questions
Vishing is voice phishing—using phone calls to trick employees into revealing sensitive credentials. ShinyHunters called an ADT employee impersonating IT support and convinced them to hand over their Okta SSO credentials. Once they had the credentials, the attackers gained access to ADT's Salesforce instance and extracted 5.5 million customer records without needing any zero-day exploits or malware.
ShinyHunters breached Instructure by stealing API keys and gaining unauthorized access around April 30, 2026, ultimately compromising 3.65 TB of data affecting 275 million users across 9,000 schools. This was ShinyHunters' second breach of Instructure in eight months, with the previous attack in September 2025 also targeting their Salesforce environment through social engineering, raising concerns about incomplete remediation from the first incident.
ShinyHunters exploited misconfigured Salesforce Experience Cloud guest user profiles that had API access enabled or overly permissive Organization-Wide Defaults. This is a configuration problem, not a platform vulnerability, meaning there's no patch available—affected organizations must manually audit and lock down their own Salesforce settings. The group used a modified version of AuraInspector, an open-source audit tool, to mass-scan for these vulnerable configurations.
Playbook 1 involves vishing for SSO credentials by impersonating IT support and obtaining access to platforms like Okta or Microsoft Entra, then enrolling new MFA devices to access all connected SaaS applications. Playbook 2 involves automated scanning of public-facing Salesforce Experience Cloud sites to find misconfigured guest user profiles with excessive permissions, requiring no social engineering or credentials.
Notable victims include McGraw Hill (13.5 million records), Rockstar Games (80 million records claimed), NVIDIA GeForce NOW, the European Commission (350 GB), TELUS Digital (1 petabyte), and between 300 and 400 companies overall. The stolen data typically includes names, email addresses, contact information, and in some cases partial financial or government identification data, depending on what each organization stored in its systems.