What Is ShinyHunters? How One Cybercrime Group Is Behind a Dozen Major Cyber Breaches

May 12, 2026

How voice phishing, OAuth token abuse, and vendor compromise made identity the most dangerous surface in SaaS, and how you can fight back.

Andrej Safundzic
CEO @Lumos

ShinyHunters has become one of the leading cyber threats to Western corporations.

The Canvas incident on May 7 is the latest reminder. Students at nearly 9,000 schools opened the Canvas platform to study for finals and found ransom messages where their assignments used to be. Instructure, the company behind Canvas, confirmed exposure of usernames, email addresses, and messages between teachers and students [1]. Hundreds of schools across the U.S. were affected, with multiple institutions forced to postpone finals [2]. ShinyHunters claimed responsibility.

Canvas is one of more than a dozen ShinyHunters-claimed breaches in the past two years. Most of them follow a similar concept: identity-led breaches that lead to SaaS extortion. The attacker either calls an employee and steals their SSO session, or they find credentials through a vendor or somewhere else and abuse them to walk into the data. This post breaks down how that works, why their attacks are accelerating, and how to defend against it with a clear checklist.

The rise of ShinyHunters

The last 24 months show the pattern compounding.

In 2024, the Snowflake campaign exposed dozens of companies including AT&T, Ticketmaster, Santander, Advance Auto Parts, and LendingTree. Mandiant found that the attackers, tracked as UNC5537, did not breach Snowflake itself. They reused customer credentials harvested from infostealer logs, found accounts that did not have MFA enforced, and used those to infiltrate [3].

In 2025, the Salesloft Drift compromise turned one connected app into a master key for hundreds of Salesforce tenants. Google's threat intelligence team attributed the OAuth token theft to UNC6395, which used the tokens to export data from customer Salesforce environments [4]. ShinyHunters later claimed to be holding more than 1.5 billion Salesforce records from 760 companies pulled out of the Drift fallout [5].

In 2026, the list is just accelerating: Canvas, ADT, McGraw Hill, Panera, SoundCloud, Bumble, Carnival, Pitney Bowes, Udemy, Vimeo, Rockstar, TELUS Digital, and Match Group have all been hit by ShinyHunters-claimed incidents. The companies span different industries and different sizes, but roughly four out of five share the same root cause: extortion powered by identity compromise.

ShinyHunters is a serious and accelerating threat, and AI is pushing it further. Agentic AI is dropping the cost of reconnaissance, credential triage, and lateral movement inside SaaS. The honest forecast is that 2027 will be a multiple of 2026, not a continuation of it. CISOs need to prepare now to defend against this new reality.

How ShinyHunters attack

In a nutshell, ShinyHunters attacks in one of two ways. There are exceptions, but the pattern holds across the vast majority of incidents.

They attack the human. They make a phone call. They pretend to be IT. They guide the employee onto a fake SSO page that mirrors the real one. They capture the password, the MFA code, and most importantly the session token the identity provider issues after MFA completes. Push-based MFA does not stop this, because the attacker is not stealing the MFA code. They are stealing the token issued after it [6].

They attack the credential, often through a vendor. This one has two different paths.

The first is the trusted-vendor compromise. ShinyHunters goes after a SaaS vendor that already holds OAuth tokens authorizing it to read and write data inside hundreds of customer environments. When the vendor falls, every customer that trusted it inherits the breach. That is what happened with Salesloft Drift in 2025, where one connected app turned into a master key for hundreds of Salesforce tenants [4].

The second is credential reuse. After ShinyHunters exports data from one company, the group searches the stolen data for more credentials: AWS keys, Snowflake passwords, refresh tokens, anything that might keep working somewhere else. Those credentials become the seeds of the next breach. The TELUS Digital incident is a perfect example of this: ShinyHunters claimed it used Google Cloud credentials found inside the Drift haul to access TELUS systems months after the original compromise [7].

What both the human and non-human identity attack stories have in common is that the attacker does not need to break anything. They compromise an identity, and the data leaves through normal export activity. The culprit is a valid login doing something it should not have been allowed to do. 

This shape now reaches beyond financially motivated crime. The Stryker attack earlier this year, carried out by an Iran-linked group, leveraged the same identity-based pattern. One compromised admin account inside Microsoft Intune, 200,000 devices wiped, no malware required.

Two case studies on the kill chain

The best way to understand these attack paths is to dig into real examples of how they have unfolded in previous attacks with Panera Bread and Salesloft Drift. Not all of the technical detail is publicly available, so we have reconstructed the kill chains from the strongest public reporting.

The human path: How ShinyHunters breached Panera Bread

ShinyHunters told reporters it gained access to Panera through a Microsoft Entra SSO code, almost certainly via voice phishing into an employee account [8]. Panera confirmed a customer-data incident but did not validate the full attacker story. The mechanism is the part worth studying, and Google Cloud's threat intelligence team has documented the same voice-phishing-to-SaaS-export chain across the broader ShinyHunters-branded wave [6].

Here is the kill chain. The attacker identifies an employee with a useful role: helpdesk, IT operations, customer support, or anyone with broad SaaS access. They place a call during a busy moment and pretend to be internal IT walking the employee through a routine verification. The employee is sent to a page that looks exactly like the company's branded Microsoft 365 login. They type in their password. They approve the MFA push. Everything completes normally from their side.

The attacker's proxy now holds the session token Microsoft issued after authentication. From the attacker's machine, that token is a valid session, and MFA does not re-trigger because the token is the proof that MFA already happened. From there, the attacker logs into the CRM, picks the right object, and starts exporting customer records. By the time the employee realizes something was off, the data is already gone.

Two things make this work consistently. First, push-based MFA was not designed for a threat model where the attacker controls the page in the middle. Second, most companies are dealing with access sprawl. Reviews happen quarterly at best, and they pile up faster than identity teams can clear them. Contractors keep access from old projects. Helpdesk roles accumulate permissions that nobody re-scopes. A single phished account ends up reaching far deeper into company data than its role description would suggest because the attacker picks up access from connected apps, shared dashboards, and over-permissioned roles as they move. The lateral motion is what turns a stolen session into a real breach.

The credential path: How ShinyHunters breached Salesloft Drift

The Salesloft Drift compromise is the cleanest example of how one OAuth integration becomes the master key for hundreds of companies at once.

A note on attribution before going further. Mandiant attributes the Drift breach itself to UNC6395, which is not the same cluster as ShinyHunters [4]. ShinyHunters later claimed to be holding 1.5 billion Salesforce records from 760 companies pulled out of the Drift fallout [5]. Who is ultimately responsible isn't what matters. The broader credential-reuse follow-on is.

Here is the kill chain. Drift is a connected app for Salesforce. It holds OAuth tokens that Salesforce honors as proof that Drift is allowed to read and write certain data. UNC6395 stole those tokens and used them to access customer Salesforce instances and export data. The attacker did not have to phish 760 companies. They walked into 760 Salesforce tenants with credentials those tenants had already authorized and ran mass exports. Then they searched the stolen Salesforce data for cloud credentials, AWS keys, Snowflake passwords, and anything else that might keep working in adjacent environments.

This is how they then infiltrated TELUS Digital. ShinyHunters claimed it found Google Cloud credentials inside the Drift haul and used them to access TELUS systems months later [7]. One credential becomes a long tail. The integration already had permission to be inside Salesforce, and the credentials it exposed kept opening door after door, long after the original incident closed.

How to protect yourself

The defenses are not mysterious. They are about getting the fundamentals right and taking them seriously. Most of these are things teams already have on the roadmap and have not finished rolling out.

Now (this week)

  • Require phishing-resistant MFA (FIDO2 or passkeys) for IdP admins, SaaS admins for Salesforce, Workday, Snowflake, BigQuery, Google Workspace, helpdesk staff, and contractors with admin scope.
  • Audit every account that holds Global Admin, Intune Admin, Salesforce Admin, or equivalent privileged roles across critical SaaS apps. See Lumos Identity Visibility.
  • Inventory every OAuth app, refresh token, service account, API key, and vendor integration. Each one gets a named owner, a data scope, a last-used date, and an emergency revoke path. See Lumos NHI.
  • Alert on bulk SaaS exports, unusual API reads, and dormant identities suddenly active.
  • Run a 30-minute tabletop on what your team would do if a connected app like Salesforce were compromised tomorrow.

Next (this month)

  • Extend just-in-time access policies to every SaaS app with admin roles: Salesforce, Workday, AWS, ServiceNow, Snowflake, BigQuery, GitHub, Slack. Microsoft PIM only covers Microsoft. See Lumos JIT.
  • Rotate API keys, refresh tokens, and cloud credentials, especially for any vendor whose breach has been publicly disclosed this year. Make frequent credential rotation mandatory.
  • Review OAuth scopes for every connected app and remove broad permissions where narrower scopes work.
  • Build and test an emergency revoke playbook for OAuth tokens, vendor access, and API keys across the critical SaaS apps. The Salesloft Drift response separated companies into two groups: those who could revoke in hours, and those who could not find the integrations for three weeks.
  • Extend secret scanning beyond GitHub into Salesforce cases, ServiceNow records, Slack channels, Google Drive, Notion, support tickets, and call transcripts. The TELUS lesson is that secrets follow people, and people work in SaaS apps, not in source control.
  • Classify entitlements across your software portfolio to identify admin-level and sensitive permissions. See Lumos Albus.
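To make the secret-scanning item concrete, here is an added example (not Lumos code and not part of the original checklist) that runs a few credential patterns over the kinds of records the TELUS lesson points at: a support ticket, a Slack message and a Drive note. The record contents are constructed samples (the AWS key is AWS's documented example key), and the patterns are illustrative starting points rather than a complete ruleset.

```python
import re

# Illustrative detection patterns for the credential types the post names as seeds
# of follow-on breaches (AWS keys, cloud service accounts, Snowflake passwords,
# refresh tokens). Tune them to the secret formats your own environment issues.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "gcp_service_account_json": re.compile(r'"type"\s*:\s*"service_account"'),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    # A Snowflake host and a password= parameter anywhere in the same record.
    "snowflake_connection_string": re.compile(
        r"(?=.*snowflakecomputing\.com)(?=.*(?:password|pwd)=\S+)", re.I | re.S),
    "oauth_refresh_token": re.compile(r'"refresh_token"\s*:\s*"[^"]{20,}"'),
}

# Constructed sample records (a support ticket, a Slack message, a Drive note).
# The AWS key is AWS's documented example key; nothing here is a live credential.
SAMPLE_RECORDS = {
    "ticket-1042": "Customer asked us to retry the ETL. Creds: AKIAIOSFODNN7EXAMPLE / (redacted)",
    "slack-eng-7781": "warehouse string: user=svc_etl password=Hunter2! account=xy12345.snowflakecomputing.com",
    "drive-note-33": '{"type": "service_account", "project_id": "demo", '
                     '"private_key": "-----BEGIN PRIVATE KEY-----\\nMIIE..."}',
    "ticket-1043": "Reset completed, no credentials shared on this thread.",
}


def scan_records(records):
    """Return {record_id: sorted secret types found}; clean records are omitted.
    Only the secret type and the record id are reported, never the matched value,
    so the alert itself does not spread the credential any further."""
    findings = {}
    for record_id, text in records.items():
        hits = sorted(name for name, rx in PATTERNS.items() if rx.search(text))
        if hits:
            findings[record_id] = hits
    return findings


if __name__ == "__main__":
    for record_id, hits in scan_records(SAMPLE_RECORDS).items():
        print(record_id, "->", ", ".join(hits))
```

Each finding should feed the revoke playbook from the previous item: rotate the credential first, then clean the record.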

Ongoing

  • Conduct continuous access reviews of human and non-human identities, with priority on accounts that can export data or act offline. See Lumos UARs.
  • Monitor for AiTM phishing indicators: token replay, sign-ins from new locations immediately after MFA completion, concurrent sessions with different device fingerprints.
  • Train helpdesk teams on voice phishing escalation paths and verification scripts.
  • Track every third-party SaaS vendor that holds credentials into your data warehouses, and require them to publish security postures and breach disclosure SLAs.
  • Implement AI-driven entitlement classification so admin-tagged permissions get reviewed on a tighter cycle than standard access.
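An added example (not part of the original post) showing how two of the AiTM indicators from the monitoring item above could be checked over IdP sign-in events: a session used from a new IP or device fingerprint right after MFA completes, and one session id active from more than one device fingerprint. The log line format, the field names and the 5-minute window are assumptions; the events are constructed samples.

```python
import re
from datetime import datetime, timedelta

# Constructed sample sign-in events in the style of an IdP audit log (not real data).
# Fields: timestamp, user, event type, session id, source IP, device fingerprint.
SAMPLE_EVENTS = [
    "2026-05-07T09:00:05Z alice mfa_success sess=A1 ip=203.0.113.10 dev=fp-laptop-1",
    "2026-05-07T09:00:40Z alice session_used sess=A1 ip=198.51.100.77 dev=fp-unknown-9",
    "2026-05-07T09:03:12Z alice session_used sess=A1 ip=203.0.113.10 dev=fp-laptop-1",
    "2026-05-07T10:15:00Z bob mfa_success sess=B7 ip=203.0.113.22 dev=fp-laptop-2",
    "2026-05-07T10:20:00Z bob session_used sess=B7 ip=203.0.113.22 dev=fp-laptop-2",
]

LINE = re.compile(r"(\S+) (\S+) (\S+) sess=(\S+) ip=(\S+) dev=(\S+)")
WINDOW = timedelta(minutes=5)  # assumed: how soon after MFA a new origin is suspicious


def parse(line):
    ts, user, event, sess, ip, dev = LINE.match(line).groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "event": event, "sess": sess, "ip": ip, "dev": dev}


def detect_aitm(lines):
    """Return sorted, de-duplicated alerts (indicator, user, session id) for:
    post_mfa_new_origin     - session used from a different IP or device within
                              WINDOW of MFA completing (replay of a proxied token)
    concurrent_fingerprints - one session id seen from more than one device"""
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    mfa_origin = {}  # session id -> the event where MFA completed
    devices = {}     # session id -> set of device fingerprints seen on it
    alerts = set()
    for e in events:
        if e["event"] == "mfa_success":
            mfa_origin[e["sess"]] = e
        devices.setdefault(e["sess"], set()).add(e["dev"])
        origin = mfa_origin.get(e["sess"])
        if (origin is not None and e is not origin
                and e["ts"] - origin["ts"] <= WINDOW
                and (e["ip"] != origin["ip"] or e["dev"] != origin["dev"])):
            alerts.add(("post_mfa_new_origin", e["user"], e["sess"]))
        if len(devices[e["sess"]]) > 1:
            alerts.add(("concurrent_fingerprints", e["user"], e["sess"]))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in detect_aitm(SAMPLE_EVENTS):
        print(*alert)
```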


Fight Fire with Fire

ShinyHunters is interesting because the playbook is so repeatable: call the human, steal the session, find the token, use the integration, search for more credentials, export the data, and threaten to leak it.

The harder truth is that the volume of these kinds of attacks is going to keep climbing. Already, 96% of organizations reported an identity-based incident in the past year. The challenge is that identity teams are already drowning. Access reviews are quarterly because people cannot do them faster. Non-human identities sit ungoverned because nobody owns them. OAuth tokens live for years because nobody is watching. All of these come from the identity debt organizations have known about, but haven’t had the time, resources, or tooling to pay down. 

The only answer is that defenders need machines and agents to keep pace with attackers who are already machine-driven. That’s exactly what customers use Lumos for today: agents that help them take control of every identity in their environment. For more, check out my post on building machine-speed security with AI.

References

1. Instructure, "Security Incident Update & FAQs," updated May 11, 2026.

2. Associated Press, "Data stolen from education platform Canvas is deleted in deal with hackers," May 12, 2026.

3. Google Cloud Threat Intelligence, "UNC5537 Targets Snowflake Customer Instances for Data Theft and Extortion."

4. Google Cloud Threat Intelligence, "Widespread Data Theft Targets Salesforce Instances via Salesloft Drift."

5. BleepingComputer, "ShinyHunters claims 1.5 billion Salesforce records stolen in Drift hacks."

6. Google Cloud Threat Intelligence, "Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft," January 30, 2026.

7. BleepingComputer, "Telus Digital confirms breach after hacker claims 1 petabyte data theft," March 12, 2026.

8. BleepingComputer reporting on Panera's ShinyHunters-claimed Microsoft Entra SSO compromise.
