Find notable cyber news and cases, enriched with sources, timelines, and signals.

ShinyHunters voice-phishing campaign targeting SSO accounts for extortion

Campaign
First reported
Last updated
Happening score
H score 78
2 unique sources, 4 articles

Summary

Hide ▲

A ShinyHunters-linked extortion campaign is using voice phishing to target Salesforce customers and steal data for ransom, with the operation first surfacing in May 2025 and later tied by Google to UNC6040. The group has since published a victim-shaming site, Scattered LAPSUS$ Hunters, that names dozens of companies and threatens to leak stolen data unless payments are made, while also claiming other breaches including Discord and Red Hat. The broader activity matters because a compromised account or connected app can expose large volumes of customer and enterprise data across multiple organizations.

Cases

Related Happenings

Oracle PeopleSoft broad zero-day exploitation campaign

Exploitation Wave
H score82 First: 29.06.2026 13:00 Last: 29.06.2026 13:00 Sources 1

About this happening: A **broad PeopleSoft zero-day exploitation campaign** exposed **multiple organizations** to compromise after attackers abused a **previously unknown Oracle PeopleSoft vulnerabilit...

Outsider Enterprise-Outsider-Chinese cybercrime alliance reshapes ransomware ecosystem operations

Threat Actor Meta
H score69 First: 12.06.2026 21:59 Last: 12.06.2026 21:59 Sources 1

About this happening: The **Outsider Enterprise** is a **Chinese phishing-as-a-service** operation that used **Telegram**, **AI**, and distributed phishing kits to run large-scale brand-impersonation c...

Oracle PeopleSoft PeopleTools zero-day RCE (CVE-2026-35273)

Vulnerability
H score58 First: 11.06.2026 22:39 Last: 11.06.2026 22:39 Sources 1

About this happening: **Oracle PeopleSoft PeopleTools CVE-2026-35273** is a critical **zero-day RCE** affecting **PeopleSoft Enterprise PeopleTools 8.61 and 8.62**. Oracle released **emergency mitigati...

Latest development: 29.06.2026 23:40

Nissan says it suffered a data breach affecting current and former employees after attackers exploited an Oracle PeopleSoft zero-day associated with CVE-2026-35273. Oracle informed Nissan that personnel records of hundreds of companies may have been obtained and that Nissan was specifically targeted, with potentially exposed data including contact details, banking information, Social Security numbers, Social Insurance Numbers, National Identification Numbers, financial and tax information, and dependent and beneficiary data for employees in the United States, Canada, Mexico, and Brazil.

ShinyHunters Oracle PeopleSoft data theft and extortion campaign

Campaign
H score60 First: 10.06.2026 21:31 Last: 10.06.2026 21:31 Sources 1

About this happening: **ShinyHunters**/**UNC6240** used **CVE-2026-35273** in **Oracle PeopleSoft Enterprise PeopleTools** as a **zero-day** to break into exposed systems, steal data, and extort victim...

Latest development: 29.06.2026 23:40

Nissan says attackers exploited an Oracle PeopleSoft vulnerability in a ShinyHunters-linked campaign and that the company was specifically targeted, with personal information for current and former employees in the United States, Canada, Mexico, and Brazil potentially exposed. Nissan says the material may include employee contact information, banking information, Social Security numbers, Social Insurance Numbers, National Identification Numbers, financial and tax information, and dependent and beneficiary information, and the company has activated incident response, engaged external cybersecurity experts, secured affected systems, and is working with Oracle.

Silent Ransom Group US law firm IT impersonation campaign

Campaign
H score36 First: 29.05.2026 16:00 Last: 29.05.2026 16:00 Sources 1

About this happening: **Silent Ransom Group (SRG)**, also tracked as **UNC3753**, **Chatty Spider**, and **Luna Moth**, is running a **financially motivated data theft extortion campaign** against **do...

Timeline

  1. 27.04.2026 17:43 1 articles · 2mo ago

    ShinyHunters breach ADT data affecting 5.5 million

    Victim Impact Update

    ShinyHunters breached ADT after compromising an employee's Okta single sign-on (SSO) account in a vishing attack, then used that access to reach ADT's Salesforce instance and steal data. Have I Been Pwned said the exposed data affected 5.5 million people and included names, phone numbers, addresses, and in a small percentage of cases dates of birth and partial Social Security numbers or Tax IDs; the group later leaked an 11GB archive after extortion failed.

    Show sources
  2. 24.01.2026 01:35 4 articles · 5mo ago

    ShinyHunters claims SSO voice-phishing campaign

    Initial Disclosure

    ShinyHunters claims responsibility for an ongoing voice-phishing campaign against SSO users at Okta, Microsoft Entra, and Google, where attackers impersonate IT support, steer employees to phishing pages, capture credentials and MFA codes in real time, and use the compromised access to reach connected SaaS platforms and steal data for extortion.

    Show sources