ShinyHunters voice-phishing campaign targeting SSO accounts for extortion
Campaign
Summary
A ShinyHunters-linked extortion campaign is using voice phishing to target Salesforce customers and steal data for ransom, with the operation first surfacing in May 2025 and later tied by Google to UNC6040. The group has since published a victim-shaming site, Scattered LAPSUS$ Hunters, that names dozens of companies and threatens to leak stolen data unless payments are made, while also claiming other breaches including Discord and Red Hat. The broader activity matters because a compromised account or connected app can expose large volumes of customer and enterprise data across multiple organizations.
Cases
Related Happenings
Charter Communications hit by network compromise linked to ShinyHunters
Incident
First: 26.05.2026 22:46
Last: 26.05.2026 22:46
Sources 1
About this happening:
**Charter Communications** confirmed a **data breach** tied to **ShinyHunters** extortion, raising the risk of customer-data exposure and active follow-on pressure. The company sa...
Storm-2949 Microsoft 365 and Azure data-theft campaign
Campaign
First: 19.05.2026 22:35
Last: 19.05.2026 22:35
Sources 1
About this happening:
The **Storm-2949** campaign is targeting **Microsoft 365 and Azure production environments** to steal sensitive data, increasing the risk of privileged-account takeover and cloud...
ShinyHunters school-by-school extortion campaign targeting Canvas institutions
Campaign
First: 11.05.2026 13:05
Last: 11.05.2026 13:05
Sources 1
About this happening:
ShinyHunters intensified a **school-by-school extortion campaign** against **Canvas-related institutions**, increasing pressure on schools and universities as the group threatened...
Google sponsored search ManageWP phishing campaign
Campaign
First: 07.05.2026 00:36
Last: 07.05.2026 00:36
Sources 1
About this happening:
A **phishing campaign** is abusing **Google sponsored search results** to impersonate **ManageWP** and steal login credentials, **2FA codes**, and account access. The operation ma...
AWS exposed-key hardening guidance for Amazon SES phishing abuse
Defensive Guidance
First: 04.05.2026 23:03
Last: 04.05.2026 23:03
Sources 1
About this happening:
**Kaspersky** urged organizations to harden **AWS IAM** and credential handling after **exposed access keys** were linked to phishing delivery through **Amazon SES**, reducing the...
Timeline
-
27.04.2026 17:43 · 1 article · 1mo ago
ShinyHunters breach ADT data affecting 5.5 million
Victim Impact Update: ShinyHunters breached ADT after compromising an employee's Okta single sign-on (SSO) account in a vishing attack, then used that access to reach ADT's Salesforce instance and steal data. Have I Been Pwned said the exposed data affected 5.5 million people and included names, phone numbers, addresses, and in a small percentage of cases dates of birth and partial Social Security numbers or Tax IDs; the group later leaked an 11GB archive after extortion failed.
Sources:
- Home security giant ADT data breach affects 5.5 million people — www.bleepingcomputer.com — 27.04.2026 17:43
-
24.01.2026 01:35 4 articles · 4mo ago
ShinyHunters claims SSO voice-phishing campaign
Initial Disclosure: ShinyHunters claims responsibility for an ongoing voice-phishing campaign against SSO users at Okta, Microsoft Entra, and Google, where attackers impersonate IT support, steer employees to phishing pages, capture credentials and MFA codes in real time, and use the compromised access to reach connected SaaS platforms and steal data for extortion.
Sources:
- ShinyHunters claim to be behind SSO-account data theft attacks — www.bleepingcomputer.com — 24.01.2026 01:35
- ShinyHunters claim to be behind SSO-account data theft attacks — www.bleepingcomputer.com — 24.01.2026 01:35
- Please Don’t Feed the Scattered Lapsus Shiny Hunters — krebsonsecurity.com — 02.02.2026 18:15
- ShinyHunters Wage Broad Corporate Extortion Spree — krebsonsecurity.com — 08.10.2025 01:45