Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

ShinyHunters widespread Okta SSO data theft campaign

Campaign
First reported
Last updated
Happening score
H score 50
2 unique sources, 2 articles

Summary

Hide ▲

ShinyHunters is tied to a widespread campaign that compromised Okta SSO accounts to steal data from third-party cloud storage and SaaS platforms, widening the blast radius across multiple services. One confirmed downstream target was a Zendesk environment used by Hims & Hers, where support tickets were accessed or acquired without authorization. The operation matters because identity-provider compromise can expose data across many customer tenants at once.

Related Happenings

Zara customer data leak exposing 197,400 people

Data Leak
First: 08.05.2026 13:42 Last: 08.05.2026 13:42 Sources 1

About this happening: The **Zara** customer-data leak now exposes **197,400 people**, creating privacy and phishing risk across multiple markets. The exposed records include **unique email addresses**,...

Open Happening

BlackFile vishing extortion campaign targeting retail and hospitality organizations

Campaign
First: 24.04.2026 21:26 Last: 24.04.2026 21:26 Sources 1

About this happening: The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...

Open Happening

ShinyHunters data-theft extortion campaign targeting Salesforce customers

Campaign
First: 07.04.2026 22:39 Last: 07.04.2026 22:39 Sources 1

About this happening: The **ShinyHunters** extortion campaign is actively pressuring **numerous companies** with ransom demands tied to **stolen data**, increasing exposure for **Salesforce customers**...

Latest development: 11.05.2026 12:00

ShinyHunters' pay-or-leak campaign exposed data from Zara customers, with HaveIBeenPwned citing over 197,000 affected customers after an April 2026 incident that involved stolen Anodot authentication tokens reaching BigQuery and Snowflake, and the same operation later targeted Instructure's Canvas Learning Management System in late April 2026, affecting 8,809 users across 50 countries and aligning with other victims such as Vimeo, Rockstar Games and McGraw Hill.

Open Happening

Crunchyroll hit by network compromise

Incident
First: 23.03.2026 21:21 Last: 23.03.2026 21:21 Sources 1

About this happening: Crunchyroll is investigating a **breach** that allegedly exposed support systems and user data, putting about **6.8 million** people at risk. The claimed intrusion involved a **su...

Open Happening

Aura customer data exposed after Aura breach

Data Leak
First: 19.03.2026 00:56 Last: 19.03.2026 00:56 Sources 1

About this happening: Aura confirmed a **data leak** that exposed nearly **900,000 customer records**, creating privacy and phishing risk for affected customers. The exposed set included **names**, **e...

Open Happening

Timeline

  1. 03.04.2026 20:41 1 articles · 1mo ago

    Unauthorized access to Hims & Hers support tickets begins

    Exploitation Observed

    Certain tickets sent to Hims & Hers customer service were accessed or acquired without authorization, and the intrusion window was later determined to have started on February 4, 2026 and continued through February 7, 2026.

    Show sources
    Open in new tab
  2. 03.04.2026 20:41 1 articles · 1mo ago

    Hims & Hers detects suspicious activity on third-party customer service platform

    Initial Disclosure

    Hims & Hers Health became aware of suspicious activity affecting its third-party customer service platform and promptly secured the platform while starting an investigation into the potential security incident.

    Show sources
    Open in new tab
  3. 03.04.2026 20:41 1 articles · 1mo ago

    Investigation finds personal information in Hims & Hers support tickets

    Victim Impact Update

    Following an internal investigation, Hims & Hers determined that hackers had accessed support tickets that in some cases contained personal information, including names and contact information, while stating that no medical records or doctor communications were compromised.

    Show sources
    Open in new tab
  4. 03.04.2026 20:41 2 articles · 1mo ago

    Reporting links Hims & Hers support-ticket theft to ShinyHunters

    Attribution Update

    Reporting tied the Hims & Hers support-ticket theft to the ShinyHunters extortion gang, saying threat actors used a compromised Okta SSO account to access the company's Zendesk instance and steal data; Hims & Hers offered 12 months of free credit monitoring to impacted individuals and advised vigilance against phishing and social-engineering lures.

    Show sources
    Open in new tab