ShinyHunters Cyber Attacks Explained: What IT and Security Leaders Need to Know
The cybercriminal group known as ShinyHunters has re-emerged in the headlines following a series of high-profile breaches at luxury goods brands Gucci, Balenciaga and Alexander McQueen.
Previously, ShinyHunters has also been linked to significant recent breaches, including the well-publicised Salesforce data breach that affected Google, where attackers used social engineering to trick employees into installing a fraudulent application that exposed millions of customer records.
For IT and security leaders, ShinyHunters represents a growing risk. Their ability to combine sophisticated social engineering with the exploitation of SaaS platforms shows that even well-defended organisations can be compromised through human trust and everyday business tools.
In this article, we’ll be looking at who ShinyHunters are, their key tactics, the industries they’ve targeted to date, and the practical steps you can take to protect your organisation.
Key Takeaways
- ShinyHunters is a cybercriminal group behind major breaches at Google, Gucci, LVMH luxury brands and Telus Digital.
- The group uses social engineering, vishing and malicious SaaS applications to steal sensitive data.
- They follow a delayed extortion model, often selling stolen data on dark web forums or demanding multi-million dollar ransoms.
- Their victims span technology, retail, financial services, aviation and business process outsourcing, proving no industry is safe.
- The Telus Digital breach demonstrates how credentials stolen in one attack can be weaponised months later to breach entirely separate organisations.
- Convergence with other groups such as Scattered Spider and Lapsus$ shows the threat landscape is becoming more dangerous.
- Strong MFA, SaaS monitoring and staff training are critical to defending against ShinyHunters style attacks.
- ShinyHunters have claimed responsibility for a large-scale vishing campaign targeting Okta SSO users.
- Identity platforms and SSO systems are now high-value targets for data theft and extortion.
- Supply chain and third-party vendor relationships are increasingly being exploited as the entry point for follow-on attacks.
- Phishing-resistant MFA and identity monitoring are critical to defending against these attacks.
Who Are ShinyHunters?
ShinyHunters first emerged around 2020. The gang quickly built a reputation as one of the most prolific data theft groups operating today. They’re suspected to operate out of regions in Asia and Eastern Europe, although their exact origins remain unclear – by design. Security researchers have been tracking this group for a while, under the designation UNC6040.
This cybercriminal group is financially motivated, and best known for stealing and selling vast amounts of data from global enterprises. Unlike some ransomware operators who focus on encrypting systems, ShinyHunters focus on exfiltrating valuable customer and corporate data, which is then monetised through ransom demands or underground forum sales.
The ShinyHunters attack pattern in early campaigns involved large scale breaches of customer databases. Over time, their methods have evolved to target SaaS applications and exploit the growing interconnectivity of cloud-based services. This pivot shows an understanding of where businesses hold the most sensitive information today: in platforms such as Salesforce, Microsoft 365 and Google Workspace.
Notable ShinyHunters Cyber Attacks
There have been a number of household name brands that have fallen victim to this group in the last few years alone.
Google Salesforce Data Breach (2025)
One of the most significant incidents attributed to ShinyHunters this year involved a Salesforce data breach at Google.
Attackers used vishing, a form of voice phishing, to impersonate IT support staff. Employees were persuaded to install a maliciously modified version of Salesforce’s Data Loader application. Once authorised, this fraudulent app enabled the extraction of around 2.55 million customer records, including business names, contact information and account notes.
Google was quick to contain the incident, terminate unauthorised access, and notify affected customers. While no payment or advertising data was taken, the breach underlined the risks of SaaS compromise through social engineering rather than purely technical vulnerabilities.
Telus Digital Breach (March 2026)
In one of the most significant supply chain breaches attributed to the group to date, ShinyHunters claimed responsibility for a major attack on Telus Digital, the digital services and business process outsourcing arm of Canadian telecommunications provider Telus.
The breach is particularly notable because of how it began. ShinyHunters used Google Cloud Platform credentials they had previously stolen during the 2025 Salesloft Drift supply chain attack, in which OAuth tokens from the Drift chatbot integration were compromised, giving attackers access to Salesforce data belonging to hundreds of organisations.
Using Telus Digital’s GCP credentials found within that stolen dataset, the attackers accessed multiple internal systems, including a large BigQuery environment. They then used the security scanning tool TruffleHog to search within the downloaded data for additional credentials, which enabled them to pivot laterally across further Telus systems.
In total, ShinyHunters claims to have exfiltrated close to one petabyte of data. The compromised information reportedly includes:
- Customer support records and call centre operations data for Telus Digital’s BPO clients
- Agent performance metrics and AI-powered support tooling data
- Fraud detection and content moderation system data belonging to client companies
- Source code and FBI background check information spanning multiple Telus business divisions
- Consumer call records, voice recordings and call metadata from Telus’ fixed-line telecommunications services
ShinyHunters reportedly began extorting Telus in February 2026, demanding $65 million in exchange for not releasing the data. Telus did not engage with the demand. As of publication, the data has not appeared on the group’s public leak site, though this is consistent with their pattern of applying prolonged extortion pressure before escalating to public disclosure.
Cyber Breaches of Gucci, Balenciaga and Alexander McQueen
ShinyHunters have also claimed responsibility for cyberattacks against a number of high profile luxury fashion brands. By targeting names with global recognition, the group not only acquires valuable customer data but also maximises reputational impact.
These incidents demonstrate that ShinyHunters are opportunistic in their targeting and willing to exploit sectors where brand reputation is a critical asset.
Previous Campaigns Against Global Enterprises
The group’s track record is extensive. Attacks have been attributed to ShinyHunters across a wide range of industries:
- Cisco, where staff were also targeted through social engineering.
- Qantas Airways, with customer data exposure reported.
- LVMH brands including Louis Vuitton, Dior and Tiffany & Co, highlighting their focus on luxury and global brands.
- Adidas, involving the exfiltration of sensitive customer data.
- Allianz Life, highlighting their interest in financial services and a broad sector reach potential.
These incidents confirm that ShinyHunters are industry agnostic. Any organisation holding high value data or relying on brand reputation, from airlines to insurers, could be on their radar.
Common Patterns Across Attacks
Across different campaigns, clear attack patterns emerge, which is good news – for now.
Currently, ShinyHunters repeatedly exploit SaaS platforms, focusing on CRM systems and productivity suites that hold rich customer and corporate data. They also appear to favour tactics that bypass technical defences, such as manipulating employees into authorising access rather than breaking through security controls.
This gives you a good starting point to defend your operations against these attacks. Make sure you’re conducting regular training so your staff can act as your first line of defence, not your weakest link.
Tactics, Techniques and Procedures Used By ShinyHunters
By understanding the common tactics, techniques and procedures (TTPs) that ShinyHunters uses, we can begin to build a defence in depth strategy to mitigate this threat.
Social Engineering and Vishing
Social engineering is at the core of ShinyHunters’ operations. By impersonating IT staff, they manipulate employees into following instructions that grant the attackers access.
Vishing is particularly effective because phone calls carry a sense of urgency and trust that email-based phishing does not.
Credential Theft and Reuse
Like many cybercriminal groups, ShinyHunters collect credentials from previous breaches and reuse them across different services. This tactic remains effective given the persistence of weak passwords and password reuse across organisations.
The Telus Digital breach is a stark example of how credentials stolen in one campaign can sit dormant before being weaponised months later in a completely separate attack.
Exploitation of SaaS and Cloud Applications
ShinyHunters target the applications that businesses rely on most. By deploying malicious connected apps, they exploit trusted integrations to exfiltrate data. The Salesforce Data Loader incident is a prime example of how attackers can weaponise legitimate tools once employees are convinced to install them.
The Telus breach adds another dimension. Credentials buried in support tickets and cloud environments can serve as a launchpad for follow-on attacks.
Lateral Movement and Credential Mining
A technique highlighted in the Telus Digital breach is the use of automated credential scanning tools to pivot between systems. After gaining initial access, ShinyHunters used TruffleHog to scan downloaded data for further secrets, enabling them to move laterally across Telus systems and greatly expand the scope of the breach.
This shows a level of operational sophistication that goes well beyond basic data theft.
Delayed Extortion Model and Ransom Demands
ShinyHunters often operate quietly after stealing data. Victims may only be contacted weeks or months later when ransom demands are made, typically in Bitcoin. Demands can reach tens of millions of dollars. In the case of the Telus attack, $65 million was demanded.
These demands are of course accompanied by threats to leak stolen data publicly.
Monetisation via Underground Forums
Beyond extortion, ShinyHunters have a history of selling stolen databases in underground marketplaces. This ensures a financial return even if victims refuse to pay ransoms.
Why ShinyHunters Threaten Your Business
So now we understand the techniques that this criminal gang are using, what does that mean for the threat to your business?
Supply Chain and SaaS Security Risks
If your operations depend on SaaS platforms, attackers like ShinyHunters see these systems as lucrative targets. The Telus Digital breach makes this risk tangible: credentials stolen from one supplier were used months later to infiltrate an entirely separate organisation.
A single compromised integration or support ticket can expose millions of records across multiple downstream customers.
Human Exploitation vs. Technical Vulnerabilities
The group’s methods highlight that people remain the weakest link in the security chains they’ve exploited. Even companies with advanced defences can be undermined if staff are manipulated into making the wrong decision.
Global Impact and Industry Agnostic Targeting
From luxury goods to airlines, ShinyHunters prove that no sector is immune. If you hold sensitive customer data, you should take action now to prevent your brand being their next victim. They appear to have moved from sporadic breaches to consistent, high-profile attacks, which also indicates increased resources and coordination.
Reputational and Compliance Consequences
The impact of a ShinyHunters attack extends beyond just data theft. The reputational damage, potential regulatory fines and customer trust issues can last long after technical remediation is complete.
By focusing on large service providers that hold data for dozens of downstream clients, they amplify fear, media attention, and reputational risk across entire supply chains.
Update: ShinyHunters Claims High-Profile Voice Phishing Attacks Against Okta Customers
ShinyHunters have recently claimed responsibility for a sophisticated voice phishing (vishing) campaign targeting organisations using Okta single sign-on (SSO), marking a significant escalation in both scale and coordination.
In a private alert sent to customer CISOs, Okta warned that attackers are using advanced, subscription-based vishing toolkits designed to bypass identity controls in real time. These campaigns are not opportunistic. They’re highly prepared, targeted attacks.
According to the alert, attackers arrive armed with detailed knowledge, including:
- Which identity and MFA applications the target organisation uses
- Internal IT helpdesk phone numbers
- The language and workflows of legitimate support teams
This preparation allows attackers to convincingly impersonate IT support staff and guide victims through authentication steps live on the phone.
ShinyHunters Confirms Responsibility
The group stated that it has used voice-enabled phishing toolkits to compromise multiple organisations relying on Okta SSO. Other confirmed and alleged victims include:
- Crunchbase
- SoundCloud
- Betterment
ShinyHunters claim that data from these organisations has already been leaked via a Tor-based victims blog, after extortion demands were rejected, with further victims expected to be named.
While not all leaked datasets have been independently verified, industry researchers have confirmed that Crunchbase data appears to include personally identifiable information (PII) and sensitive corporate data, including signed contracts.
How the Okta Voice Phishing Attacks Work
This campaign highlights how far social engineering attacks have evolved.
Unlike traditional phishing kits, voice-enabled phishing toolkits allow attackers to control the authentication experience in real time while speaking directly to the victim.
During the attack:
- The victim receives a phone call from someone impersonating IT support
- The attacker directs the victim to a realistic, malicious login page
- As the victim enters credentials, the attacker relays them instantly
- The attacker synchronises the victim’s browser experience with the live MFA challenge
- Victims are instructed to approve MFA prompts they didn’t initiate, defeating push-based MFA
Okta researchers confirmed that these toolkits allow attackers to dynamically adjust phishing pages mid-call to match whatever MFA challenge is presented.
This makes any MFA that is not phishing-resistant vulnerable, including SMS codes and push notifications.
What These Updates Reveal About ShinyHunters’ Evolution
This latest campaign reinforces several important trends. It also reflects the trends reported in DigitalXRAID’s Annual Threat Report.
A Shift From Apps to Identity Infrastructure
ShinyHunters are moving beyond individual SaaS applications and targeting identity platforms that sit at the centre of modern IT environments. Compromising a BPO provider like Telus Digital allows attackers to reach dozens of enterprise clients in a single operation.
The Long Tail of Credential Theft
The Telus Digital breach illustrates a critical and often underestimated risk: credentials stolen in one attack don’t expire. ShinyHunters used Google Cloud Platform credentials obtained during the 2025 Salesloft Drift breach to access Telus systems months later.
Your exposure from a third-party incident may not materialise immediately, and that lag creates a dangerous window.
Industrialised Social Engineering
The use of subscription-based vishing toolkits and automated credential scanning tools like TruffleHog shows that ShinyHunters’ tradecraft is now productised, scalable and repeatable, rather than reliant on individual skill.
MFA Fatigue as a Primary Attack Vector
Rather than breaking MFA, ShinyHunters exploit human behaviour by creating believable scenarios that pressure users into approving access.
Continued Use of Delayed Extortion
Consistent with previous campaigns, victims are often contacted weeks later, once data has already been exfiltrated and packaged for resale or public leak. In the Telus case, the gap between initial access and extortion demand spanned several months.
Defensive Strategies Against ShinyHunters Attacks
So how do you protect yourself and your business from a ShinyHunters style attack?
Enforce Phishing Resistant MFA
Multi-Factor Authentication (MFA) is essential, but methods such as SMS codes and push notifications can still be bypassed by a live vishing operator. Phishing-resistant options such as hardware security keys provide you with stronger protection.
Restrict Third-Party App Installations
Application whitelisting and central approval processes reduce the risk of your staff unknowingly installing malicious apps that can compromise your network or give attackers access to your data.
Audit and Rotate Credentials Stored in SaaS Environments
The Telus Digital breach is a reminder that credentials, tokens and secrets embedded in support tickets, cloud environments and SaaS exports can be mined long after a breach occurs. Regular audits of what’s stored in these environments, and prompt rotation of any exposed credentials, are essential hygiene steps.
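One way to run the audit described above over an exported ticket dataset, as an added example for this article rather than code from DigitalXRAID, Telus or TruffleHog. The ticket export, the secret values in it and the small set of detection rules are all constructed; the output carries a fingerprint of each secret rather than the value, so the rotation list can be shared without re-leaking what the audit found.

```python
"""Audit an exported support-ticket dataset for embedded credentials and build a rotation queue.

Added example for this article; it is not DigitalXRAID's, Telus's or TruffleHog's code.
The ticket export, the secret values in it and the detection rules are constructed
and deliberately minimal. Reports carry a fingerprint, never the secret itself, so the
audit output can be shared without re-leaking what it found.
"""
import hashlib
import re
from collections import defaultdict

# Constructed export: six tickets, four of which contain something that should be rotated.
SAMPLE_EXPORT = [
    {"id": "T-1001", "body": "Customer reports a login loop; no config attached."},
    {"id": "T-1002", "body": "Attaching the ETL service account key: "
     '{"type": "service_account", "project_id": "demo-proj", '
     '"private_key": "-----BEGIN PRIVATE KEY-----\\nFAKEKEY\\n-----END PRIVATE KEY-----\\n"}'},
    {"id": "T-1003", "body": "Reset done. temp password=Summer2025! please ask them to change it."},
    {"id": "T-1004", "body": "API test header: Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.FAKE.PAYLOAD"},
    {"id": "T-1005", "body": "Re-attaching the same key as T-1002: "
     '{"private_key": "-----BEGIN PRIVATE KEY-----\\nFAKEKEY\\n-----END PRIVATE KEY-----\\n"}'},
    {"id": "T-1006", "body": "CLI config pasted by customer: aws_access_key_id = AKIAIOSFODNN7EXAMPLE"},
]

# Detection rules as (finding type, regex). A capture group, where present, isolates the
# secret value; otherwise the whole match is treated as the secret.
RULES = [
    ("private_key_block", re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)),
    ("aws_access_key_id", re.compile(r"AKIA[0-9A-Z]{16}")),
    ("bearer_token", re.compile(r"Bearer\s+([A-Za-z0-9_.=-]{20,})")),
    ("plaintext_password", re.compile(r"password\s*[:=]\s*(\S+)", re.I)),
]


def fingerprint(secret: str) -> str:
    """Short, non-reversible handle for a secret so reports never echo the value."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def scan_export(records):
    """Return findings as {ticket, type, fingerprint}; the secret itself is never stored."""
    findings = []
    for rec in records:
        for kind, rx in RULES:
            for m in rx.finditer(rec["body"]):
                secret = m.group(1) if m.groups() else m.group(0)
                findings.append({"ticket": rec["id"], "type": kind,
                                 "fingerprint": fingerprint(secret)})
    return findings


def rotation_queue(findings):
    """Group findings by fingerprint: one secret pasted into many tickets is one rotation."""
    queue = defaultdict(lambda: {"type": None, "tickets": []})
    for f in findings:
        entry = queue[f["fingerprint"]]
        entry["type"] = f["type"]
        entry["tickets"].append(f["ticket"])
    return dict(queue)


if __name__ == "__main__":
    for fp, entry in rotation_queue(scan_export(SAMPLE_EXPORT)).items():
        print(f"{entry['type']:20} {fp}  found in: {', '.join(entry['tickets'])}")
```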
Staff Training and Simulated Vishing Exercises
Security awareness training should go beyond basic email phishing tactics. Simulated vishing calls can prepare staff to recognise and report this sort of suspicious behaviour.
Staff should also be trained to question unexpected MFA approval requests, even when they appear to come from a colleague.
Continuous SaaS Monitoring and Log Auditing
Audit logs from platforms such as Salesforce and Microsoft 365 should be actively monitored for unusual activity, including unexpected connected app approvals, or mass data exports.
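The two signals named above, an unexpected connected-app approval and a mass data export, as detection logic over sample audit events. This is an added example for this article, not code from DigitalXRAID or from Salesforce or Microsoft; the normalised event shape, the app identifiers and the sample events are constructed, and approval is keyed on the app's client id rather than its display name because a modified copy of a legitimate tool can reuse the name but not the registered id.

```python
"""Two detections over SaaS audit logs: connected apps authorised outside an approved
set, and a user exporting an unusual volume of records in a short window.

Added example for this article, not code from DigitalXRAID or from any SaaS vendor.
The normalised event shape, the app identifiers and the sample events are constructed;
map your platform's own audit-log fields into this shape before running it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Approval is keyed on the app's client identifier, not its display name: a modified
# copy of a legitimate tool can reuse the name but cannot reuse the registered id.
APPROVED_APP_IDS = {"app-dataloader-official", "app-reporting-001"}  # constructed ids
EXPORT_WINDOW = timedelta(minutes=30)
EXPORT_THRESHOLD = 500_000  # rows per user per window; tune to your normal usage

# Constructed events. a.smith authorises a look-alike app and pulls 1.05M rows in six
# minutes; b.jones uses the approved tool at a normal pace.
SAMPLE_EVENTS = [
    {"ts": "2025-08-06T10:02:00Z", "user": "a.smith", "action": "connected_app_authorised",
     "app": "Data Loader", "app_id": "app-unknown-7f3a", "rows": 0},
    {"ts": "2025-08-06T10:05:00Z", "user": "a.smith", "action": "bulk_query",
     "app": "Data Loader", "app_id": "app-unknown-7f3a", "rows": 400_000},
    {"ts": "2025-08-06T10:09:00Z", "user": "a.smith", "action": "bulk_query",
     "app": "Data Loader", "app_id": "app-unknown-7f3a", "rows": 350_000},
    {"ts": "2025-08-06T10:11:00Z", "user": "a.smith", "action": "bulk_query",
     "app": "Data Loader", "app_id": "app-unknown-7f3a", "rows": 300_000},
    {"ts": "2025-08-06T11:00:00Z", "user": "b.jones", "action": "connected_app_authorised",
     "app": "Data Loader", "app_id": "app-dataloader-official", "rows": 0},
    {"ts": "2025-08-06T11:05:00Z", "user": "b.jones", "action": "bulk_query",
     "app": "Data Loader", "app_id": "app-dataloader-official", "rows": 20_000},
    {"ts": "2025-08-07T11:30:00Z", "user": "b.jones", "action": "bulk_query",
     "app": "Data Loader", "app_id": "app-dataloader-official", "rows": 20_000},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def unapproved_app_approvals(events, approved_ids=APPROVED_APP_IDS):
    """Authorisations of any connected app whose id is not approved, whatever it is called."""
    return [e for e in events
            if e["action"] == "connected_app_authorised" and e["app_id"] not in approved_ids]


def mass_export_bursts(events, window=EXPORT_WINDOW, threshold=EXPORT_THRESHOLD):
    """Sliding window per user over bulk queries; one alert per user once the total
    rows inside `window` exceed `threshold`."""
    pulls = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        if e["action"] == "bulk_query":
            pulls[e["user"]].append((parse_ts(e["ts"]), e["rows"]))
    alerts = []
    for user, series in pulls.items():
        start, total = 0, 0
        for t, rows in series:
            total += rows
            while series[start][0] < t - window:  # drop pulls that fell out of the window
                total -= series[start][1]
                start += 1
            if total > threshold:
                alerts.append({"user": user, "rows": total, "at": t.isoformat()})
                break
    return alerts


if __name__ == "__main__":
    for e in unapproved_app_approvals(SAMPLE_EVENTS):
        print(f"unapproved app: {e['user']} authorised '{e['app']}' ({e['app_id']}) at {e['ts']}")
    for a in mass_export_bursts(SAMPLE_EVENTS):
        print(f"mass export: {a['user']} pulled {a['rows']:,} rows by {a['at']}")
```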
Third-Party and Supply Chain Risk Management
Telus Digital’s breach shows that your security posture is only as strong as your suppliers’. You should assess the security controls of any third party that handles your data, understand what credentials or access they hold on your behalf, and ensure contractual obligations around incident notification are in place.
Incident Response Planning and Containment
Preparedness is key. You should have documented procedures in place for revoking app permissions, isolating compromised accounts and containing SaaS based breaches.
For organisations using BPO providers, this monitoring should extend to how those third parties handle your data.
Defensive Implications for UK Organisations
Identity is now the frontline. If attackers control authentication, perimeter security becomes irrelevant. Updated information about ShinyHunters’ latest attacks strengthens the case for several defensive measures:
- Adopt phishing-resistant MFA such as FIDO2 security keys or passkeys
- Harden identity platforms with conditional access, device trust and anomalous login detection
- Train staff specifically for vishing and MFA fatigue scenarios, not just email phishing
- Monitor identity and SaaS logs continuously, including connected apps and SSO activity
- Extend security assessments to include third-party and supply chain risk
- Prepare rapid response playbooks for identity compromise and BPO vendor incidents
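Two of the identity-log checks listed above, MFA fatigue (a burst of push challenges to one user) and a push approval from an IP the user has never used, as an added example for this article rather than code from DigitalXRAID or Okta. The event names, the per-user IP baseline and the sample events are constructed; the correlation at the end flags users who trip both rules, which is the pattern the live vishing flow described earlier would leave in the logs.

```python
"""Identity-log detections for MFA fatigue and unfamiliar-location push approvals.

Added example for this article; not DigitalXRAID's or Okta's code. Event types, the
IP baseline and the sample events are constructed. Map your identity provider's own
event names into this shape (ts, user, event, ip) before running it on real logs.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: IPs each user has signed in from over a trailing period.
KNOWN_IPS = {
    "c.lee": {"192.0.2.15"},
    "d.khan": {"192.0.2.40", "192.0.2.41"},
}
PUSH_BURST_WINDOW = timedelta(minutes=10)
PUSH_BURST_COUNT = 3

# Constructed events. c.lee receives three pushes in four minutes from an unfamiliar IP
# and finally approves; d.khan has two ordinary sign-ins from known IPs hours apart.
SAMPLE_EVENTS = [
    {"ts": "2025-09-10T14:00:00Z", "user": "c.lee", "event": "mfa_push_sent", "ip": "198.51.100.77"},
    {"ts": "2025-09-10T14:01:00Z", "user": "c.lee", "event": "mfa_push_denied", "ip": "198.51.100.77"},
    {"ts": "2025-09-10T14:02:00Z", "user": "c.lee", "event": "mfa_push_sent", "ip": "198.51.100.77"},
    {"ts": "2025-09-10T14:04:00Z", "user": "c.lee", "event": "mfa_push_sent", "ip": "198.51.100.77"},
    {"ts": "2025-09-10T14:04:30Z", "user": "c.lee", "event": "mfa_push_approved", "ip": "198.51.100.77"},
    {"ts": "2025-09-10T09:00:00Z", "user": "d.khan", "event": "mfa_push_sent", "ip": "192.0.2.40"},
    {"ts": "2025-09-10T09:00:20Z", "user": "d.khan", "event": "mfa_push_approved", "ip": "192.0.2.40"},
    {"ts": "2025-09-10T17:30:00Z", "user": "d.khan", "event": "mfa_push_sent", "ip": "192.0.2.41"},
    {"ts": "2025-09-10T17:30:15Z", "user": "d.khan", "event": "mfa_push_approved", "ip": "192.0.2.41"},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def push_bursts(events, window=PUSH_BURST_WINDOW, count=PUSH_BURST_COUNT):
    """Users who received at least `count` push challenges inside any `window`."""
    sent = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "mfa_push_sent":
            sent[e["user"]].append(parse_ts(e["ts"]))
    alerts = []
    for user, times in sent.items():
        start = 0
        for end, t in enumerate(times):
            while times[start] < t - window:  # slide the window forward
                start += 1
            if end - start + 1 >= count:
                alerts.append({"user": user, "pushes": end - start + 1, "at": t.isoformat()})
                break  # one alert per user is enough
    return alerts


def unfamiliar_ip_approvals(events, known_ips=KNOWN_IPS):
    """Push approvals where the requesting IP is outside the user's baseline."""
    return [e for e in events
            if e["event"] == "mfa_push_approved"
            and e["ip"] not in known_ips.get(e["user"], set())]


def high_confidence_users(events):
    """Users who both received a push burst and approved from an unfamiliar IP."""
    burst_users = {a["user"] for a in push_bursts(events)}
    approval_users = {e["user"] for e in unfamiliar_ip_approvals(events)}
    return burst_users & approval_users


if __name__ == "__main__":
    for a in push_bursts(SAMPLE_EVENTS):
        print(f"push burst: {a['user']} got {a['pushes']} challenges by {a['at']}")
    for e in unfamiliar_ip_approvals(SAMPLE_EVENTS):
        print(f"unfamiliar approval: {e['user']} approved from {e['ip']} at {e['ts']}")
    print("escalate:", sorted(high_confidence_users(SAMPLE_EVENTS)))
```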
The Convergence of Cybercriminal Gangs
Not only is this criminal gang a threat to businesses, but the threat landscape is further evolving as cybercriminal gangs begin to collaborate rather than compete.
In mid-2025, it emerged that ShinyHunters, Scattered Spider and Lapsus$ are increasingly pooling their skills, creating a new wave of combined attacks that raise the stakes for every organisation.
ShinyHunters, Scattered Spider and Lapsus$
While ShinyHunters focus on data theft, groups like Scattered Spider are known for highly effective social engineering against well known brands such as Marks and Spencer, Co-op, Harrods and Jaguar Land Rover.
Lapsus$ takes a slightly different approach. This group has a track record of aggressive extortion campaigns.
The risk of this convergence is that each group brings a different area of expertise to the table, increasing the threat they pose to businesses as a single coordinated gang.
Emergence of Scattered Lapsus$ Hunters
Recent intelligence suggests these groups are beginning to collaborate, forming what some researchers call “Scattered Lapsus$ Hunters”. This convergence allows them to combine their skills, creating hybrid campaigns that are harder to detect, and therefore harder to defend against.
Implications for UK Businesses
For organisations, this means the threat landscape is becoming more complex. Attacks are no longer siloed by group tactics. Instead, businesses may face blended campaigns that combine social engineering, data theft and extortion in a single operation.
How DigitalXRAID Protects You from ShinyHunters Style Threats
Successfully defending against groups like ShinyHunters requires more than basic security tools. At DigitalXRAID, our Security Operations Centre operates 24/7 to monitor, detect and respond to emerging threats at any time of the day or night.
DigitalXRAID offers services across all three pillars of cyber security: Offensive, Defensive and Compliance, for a more comprehensive protection strategy. Services include:
- Managed SOC that can provide continuous monitoring of SaaS environments and APIs.
- Social Engineering assessments to prepare staff for phishing and vishing attempts.
- Penetration Testing of SaaS and cloud applications.
- Third-party and supply chain security assessments.
- Threat Intelligence that tracks the changing TTPs and targets for groups like ShinyHunters.
With CREST, NCSC and CHECK accreditations, plus expertise in compliance frameworks including ISO 27001 and NIS2, we give you confidence that your organisation is protected against today’s most active threat actors.
Final Thoughts: Protecting Your Business Against ShinyHunters
ShinyHunters have demonstrated that no organisation is beyond their reach. From Google to Gucci to Telus Digital, their campaigns show the scale and impact that a single breach can have.
The Telus Digital incident is a sobering example of just how long the tail of a cyberattack can be. Credentials stolen in 2025 opened the door to a near-petabyte data theft in 2026, affecting not just Telus but potentially dozens of its enterprise clients. That’s the supply chain risk materialising in real time.
While their methods may vary across their attacks, the consistent themes are social engineering, SaaS exploitation and monetisation through extortion or resale. A layered approach that includes staff awareness, continuous monitoring, third-party risk management and expert threat intelligence is essential.
By working with a trusted partner like DigitalXRAID, you can ensure your organisation is prepared to respond to and recover from ShinyHunters style attacks now and into the future.
Get in contact with DigitalXRAID if you’re looking for support on your cyber security strategy and protection approach.
FAQs About ShinyHunters
What is ShinyHunters?
ShinyHunters is a cybercriminal group known for large scale data theft and extortion. Since 2020, they have breached global brands including Google, Gucci, Dior, Adidas and Telus Digital, stealing customer and corporate data which is later sold on the dark web or used in ransom demands that have reached as high as $65 million.
How does ShinyHunters carry out cyberattacks?
They rely on social engineering, especially vishing attacks, to trick employees into granting access. They also exploit stolen credentials from previous breaches to access cloud environments and SaaS platforms, using tools like TruffleHog to mine datasets for further secrets and pivot laterally across connected systems.
Why are ShinyHunters considered such a serious threat?
The group is dangerous because it bypasses technical security tools by exploiting people and reusing credentials across campaigns. Their supply chain attack approach means your exposure may come from a supplier, not a direct attack on your own organisation.
What happened in the Telus Digital breach?
ShinyHunters breached Telus Digital, a Canadian business process outsourcer, by using Google Cloud Platform credentials stolen during the earlier 2025 Salesloft Drift attack. The group claims to have exfiltrated close to one petabyte of data, including customer support records, call centre data, source code and consumer call recordings belonging to Telus and its clients. Telus Digital confirmed the incident and is working with law enforcement and forensic experts to investigate.
Who are the Scattered Lapsus$ Hunters?
The Scattered Lapsus$ Hunters is a term for the alliance between ShinyHunters, Scattered Spider and Lapsus$. This convergence combines social engineering, data theft and extortion, making attacks more sophisticated and harder to detect.
Which industries are targeted by ShinyHunters?
ShinyHunters are industry-agnostic. They have attacked luxury retail, airlines, technology, financial services and business process outsourcing. Any organisation that stores high-value customer or business data, or that works with third-party providers who do, is at risk.
How can I protect my business from ShinyHunters?
You should enforce phishing-resistant MFA, restrict third-party SaaS app installations, audit credentials stored in cloud and SaaS environments, train staff with simulated vishing exercises, and monitor SaaS and identity logs continuously. You should also assess the security controls of any third-party vendors that handle your data. A Managed SOC such as DigitalXRAID provides 24/7 monitoring, incident response and threat intelligence against ShinyHunters style attacks.