ShinyHunters

ShinyHunters leaked 13.5 million McGraw Hill user accounts after exploiting a misconfigured Salesforce-hosted webpage to extract internal data. The leak — totalling 100GB+ of PII across customer-account records — followed the same operational pattern as the group's mid-2024 Snowflake-customer wave: credential-replay or misconfiguration exploitation against a cloud-data platform, mass exfiltration, and public extortion via leak-forum posting. McGraw Hill is one of several confirmed 2026 Salesforce-platform victims; researchers assess the broader campaign as ongoing.

Operators self-styling as 'Scattered Lapsus$ Hunters' — an explicit cross-brand merger of ShinyHunters, Scattered Spider, and Lapsus$ — launched a Salesforce-themed data- leak site naming 39 victim companies and claiming 1B+ stolen records in aggregate. Confirmed names on the site included Disney/Hulu, Toyota, Adidas, FedEx, Marriott, Google, Cisco, McDonald's, Walgreens, Instacart, HBO Max, Cartier, Air France-KLM, IKEA, TransUnion (4.4M consumer records), and others. Initial access vectors split between malicious-OAuth-app social engineering and exploitation of misconfigured public-facing Salesforce sites. The U.S. government later seized the leak-site domain; victim additions continued through Q1 2026.

Mandiant documented a sustained credential-stuffing campaign — tracked as UNC5537 with significant overlap to ShinyHunters — against Snowflake customer tenants lacking MFA. Credentials were harvested from prior infostealer infections on contractor and employee laptops, then replayed against ~165 Snowflake instances. The campaign produced the year's biggest data-breach headlines: Ticketmaster (560M records), Santander (30M customers across Spain / Chile / Uruguay), AT&T (call/SMS metadata for ~109M subscribers), Neiman Marcus, Advance Auto Parts, Pure Storage, and others. Alleged ringleader Connor Riley Moucka ('Judische') was arrested in Ontario on 30 October 2024.