ShinyHunters Vishing: 40 Million Records Stolen From Charter and 400 Organizations

Retool's new app builder is where AI-generated code ships safely
Building apps with AI is easy. Getting them to production safely is another story.
Charter Communications confirmed on May 26, 2026 that 40 million customer records were stolen after a ShinyHunters vishing SaaS extortion attack compromised an employee's Microsoft Entra account on April 1. The attackers used the access to export millions of consumer and business records from Charter's Salesforce instance, stealing customer names, addresses, phone numbers, plan data, and CPNI details before demanding a ransom under threat of full public disclosure.
ShinyHunters is a financially motivated extortion group active since 2019, now operating through three distinct tracked clusters: UNC6661 and UNC6671 for initial access operations, and UNC6240 for post-intrusion extortion and negotiation. The group functions as a loose criminal ecosystem whose current 2026 campaign is the most expansive in its history, with Mandiant and Google's Threat Intelligence Group tracking confirmed breaches at over 400 organizations across telecom, education, healthcare, retail, and financial services. The May 7, 2026 breach of Canvas/Instructure added 275 million education records from 330 institutions to the group's stolen dataset.
The ShinyHunters vishing SaaS extortion attack chain does not exploit software vulnerabilities. It exploits human beings. Every confirmed 2026 breach began with a phone call, not a CVE. Attackers call employees, impersonate IT support staff, and walk targets through entering credentials on fake SSO portals that capture Okta session tokens and MFA codes in real time. If your workforce uses Okta, Microsoft Entra, or any SaaS-integrated SSO platform with push-based or SMS MFA, this campaign is targeting your organization right now.
How Does the ShinyHunters Vishing SaaS Extortion Attack Work?
The ShinyHunters vishing SaaS extortion attack executes in five distinct phases, each engineered to bypass a specific layer of enterprise security before the next phase begins.
Phase 1: Reconnaissance and target selection. ShinyHunters operators identify targets using LinkedIn data to map employees in IT support, helpdesk, and identity management roles. They build victim-branded phishing portals that replicate the target organization's internal SSO login page, registering domains following predictable patterns: <companyname>sso[.]com, <companyname>okta[.]com, <companyname>internal[.]com, support-<companyname>[.]com. UNC6661 registers infrastructure on NICENIC; UNC6671 uses Tucows. Domain registrations appear within hours of selecting a new target.
Phase 2: Vishing the employee. Attackers call a targeted employee, impersonating IT staff and claiming the company is updating MFA settings or responding to an account anomaly. Using specialized real-time phishing kits, they direct the victim to the spoofed SSO portal while maintaining verbal contact throughout the session. The kits capture SSO credentials, MFA one-time codes, and push notification approvals as the victim enters them. For Okta environments, the attacker registers their own MFA device to the victim's account before the call ends.
Phase 3: Deleting the evidence. Immediately after gaining access, attackers authorize ToogleBox Recall, a third-party Google Workspace add-on, to delete all "Security method enrolled" and "New MFA device registered" notification emails from the victim's inbox. In Microsoft 365 environments, Exchange rules auto-delete authentication alerts. The victim never sees the notification confirming the attacker's device registration.
Phase 4: SaaS pivoting and data exfiltration. With a valid, persistent SSO session, attackers move through the victim's SaaS ecosystem. Confirmed exfiltration targets include Salesforce, SharePoint, OneDrive, Slack, Google Workspace, DocuSign, and Anodot. At Charter Communications, attackers used the compromised Entra session to export 40 million records directly from Salesforce. At Canvas, previously stolen Anodot authentication tokens were reused to access 275 million education records across 330 institutions.
Phase 5: Extortion. Ransom emails specify the stolen data volume, a Bitcoin payment address, and a 72-hour payment deadline. Victims who do not respond face DDoS attacks, direct harassment of personnel via SMS messages, and public posting of stolen data samples to the ShinyHunters-branded data leak site that launched in January 2026. Where victims still do not pay, full datasets are auctioned on criminal forums.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Scale and Active Targeting: Which Organizations Are Being Breached?
ShinyHunters' 2026 campaign is the group's largest coordinated operation in its seven-year history. Over 400 organizations across 13 sectors have been compromised, with new confirmed victims appearing weekly throughout April and May 2026.
The confirmed 2026 victim list includes Charter Communications (40 million records, disclosed May 26), Canvas/Instructure (275 million education records across 330 institutions, May 7), 7-Eleven (185,000 customers), ADT via Salesforce, Harvard, Princeton, Wynn Resorts, Betterment, Crunchbase, and SoundCloud. SecurityWeek confirmed unauthorized access at Atlassian, Canva, Epic Games, HubSpot, Moderna, WeWork, and ZoomInfo as part of the broader campaign.
Google's Mandiant GTIG tracks three distinct operational clusters. UNC6661 uses NICENIC-registered infrastructure and Tox for ransom negotiations, hosting proof samples on Limewire. UNC6671 runs parallel vishing operations with Tucows-registered domains, different Tox identifiers, and aggressive harassment tactics including threatening employees directly. UNC6240 handles post-intrusion extortion and maintains the ShinyHunters-branded data leak site. Silent Push attributes the combined campaign to "Scattered LAPSUS$ Hunters," an operational merger drawing members from Lapsus$, Scattered Spider, and the original ShinyHunters group.
This is not targeted spear-phishing at a handful of high-value organizations. The group runs parallel campaigns against dozens of companies simultaneously. Any enterprise using Okta, Microsoft Entra, or Google Workspace SSO with push-based or SMS MFA is within the active targeting profile.
The 2024 Snowflake campaign, which yielded the Ticketmaster breach affecting 560 million records and AT&T's full call logs, established that ShinyHunters-linked operators chain stolen credentials across the SaaS ecosystem at scale. The TanStack supply chain attack that exposed developer credentials on the dark web demonstrates how downstream credential markets from breaches like these feed the next wave of vishing reconnaissance.
Briefings like this, every morning before 9am.
Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.
ShinyHunters TTPs Mapped to MITRE ATT&CK
Mandiant and Google GTIG's analysis of the ShinyHunters vishing SaaS extortion campaign maps to nine MITRE ATT&CK techniques, all of which execute without exploiting a single software vulnerability.
T1598.004, Spearphishing Voice (Vishing): Attackers call employees using spoofed caller IDs, impersonating IT support. Calls target helpdesk staff, new employees less familiar with security protocols, and employees listed in IT or identity management roles on LinkedIn. Real-time phishing kits allow the attacker to control the entire authentication flow while maintaining verbal contact with the victim.
T1539, Steal Web Session Cookie: The phishing kits capture Okta session tokens, Microsoft Entra refresh tokens, and Google Workspace session cookies as victims authenticate on spoofed portals. These tokens are imported directly into attacker-controlled browsers, bypassing MFA verification entirely.
T1556.006, Modify Authentication Process: Multi-Factor Authentication: Operators register attacker-controlled MFA devices to victim accounts during the vishing call itself, establishing persistent access that survives password resets. This single action converts a temporary phishing session into a long-term persistent foothold.
T1078, Valid Accounts: All post-initial-access activity uses the victim's own authenticated session. Detection tools relying on credential anomalies struggle when attackers use legitimate tokens routed through VPN services including Mullvad, Oxylabs, 9Proxy, NetNut, Infatica, and nsocks to blend into enterprise security tooling.
T1530, Data from Cloud Storage Object: Attackers conduct bulk downloads from SharePoint, OneDrive, Google Workspace, and Salesforce, searching for documents containing terms including "poc," "confidential," "internal," "proposal," "vpn," and PII fields. Charter's Salesforce export and Canvas's Anodot-linked record theft both followed this pattern precisely.
T1562 / T1114.003, Impair Defenses and Email Collection: ToogleBox Recall (Google Workspace) and Exchange inbox rules delete all MFA enrollment and security alert notifications, preventing the legitimate account holder from detecting the intrusion for days or weeks.
The Gentlemen ransomware active campaign demonstrated criminal groups achieving nation-state intrusion quality through structured affiliate networks. ShinyHunters demonstrates the parallel threat: technically simple initial access paired with systematic evidence destruction delivering enterprise-scale data theft without touching a single CVE.
“This is not a vulnerability-based attack. It relies entirely on social engineering effectiveness, underscoring the critical importance of adopting phishing-resistant authentication methods.”
Mandiant GTIG, Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft, 2026
ShinyHunters IOCs: Infrastructure Indicators to Block Today
The following indicators are confirmed by Mandiant GTIG, Huntress, and forensic analysis of active ShinyHunters intrusions. Ingest all IP addresses into SIEM, EDR, and perimeter controls immediately.
Confirmed UNC6661 and UNC6671 infrastructure IPs:
- 24.242.93[.]122 (ASN 11427), UNC6661 operational infrastructure
- 149.50.97[.]144 (ASN 201814), UNC6661 operational infrastructure
- 142.127.171[.]133 (ASN 577), UNC6671 operational infrastructure
- 23.234.100[.]107, UNC6661/UNC6240 associated extortion infrastructure
VPN and proxy ASNs used to blend access with legitimate traffic: Alert on Okta or Entra sign-ins from Mullvad VPN, Oxylabs residential proxy, 9Proxy, NetNut, Infatica, or nsocks ASN ranges. The Mandiant GTIG detection query specifically targets these as anonymized IP indicators in Okta logs. Blocking or requiring step-up authentication for these ASN ranges closes the post-initial-access camouflage layer.
Domain registration pattern monitoring:
Any domain registered in the last 30 days matching <yourbrand>sso.com, <yourbrand>okta.com, <yourbrand>internal.com, support-<yourbrand>.com, or <yourbrand>access.com indicates an in-progress or planned ShinyHunters campaign targeting your organization. Configure Google Workspace and Microsoft 365 alerts for first-use events from these domain patterns.
ToogleBox Recall OAuth authorization event: A Google Workspace OAuth authorization event for "ToogleBox Recall" in any account is a confirmed intrusion indicator. This add-on has no legitimate enterprise use case and its presence confirms ShinyHunters or copycat TTPs in the environment.
Subscribe to unlock Indicators of Compromise
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Which Sectors Face the Highest Exposure to ShinyHunters Extortion?
ShinyHunters does not restrict its targeting to specific industries, but the 2026 campaign data reveals clear patterns in sector exposure based on SaaS stack architecture and SSO configuration maturity.
Telecommunications is the current highest-profile target following the Charter Communications breach confirming 40 million records stolen. Telecom organizations hold CPNI data, customer financial records, and network infrastructure access credentials, making the extortion value extremely high per victim. Any carrier or managed service provider running Salesforce with Okta or Entra SSO and push-based MFA carries the same attack surface Charter exposed.
Education technology has suffered the most volume-intensive breach. The Canvas/Instructure compromise across 330 institutions exposed 275 million student and faculty records. Educational institutions typically have broader user populations, less mature security operations, and more users susceptible to helpdesk-impersonation vishing, particularly student workers in IT roles.
Software and technology firms face elevated risk because a single compromised Okta tenant can provide access to dozens of downstream SaaS integrations via OAuth. Confirmed 2026 targets include Atlassian, Canva, HubSpot, and ZoomInfo. A breach at a SaaS vendor creates cascading exposure for every customer with active OAuth app integrations.
Healthcare and pharmaceutical organizations face double exposure: HIPAA-regulated patient data and high-value research data. Confirmed 2026 targets include Moderna and multiple healthcare institutions in the Okta vishing campaign.
Financial services firms including Betterment face account takeover risk that extends beyond data theft into direct financial fraud via compromised advisor and client account access.
Any organization running Okta, Microsoft Entra, or Google Workspace with push-based or SMS MFA and active Salesforce integration should treat this campaign as a present, ongoing threat today regardless of sector.
Immediate Defensive Steps Against ShinyHunters Vishing Attacks
Organizations using Okta, Microsoft Entra, or Google Workspace SSO must complete the following steps before end of business today. ShinyHunters' current campaign rate means new organizations are being confirmed as breached every 24 to 48 hours.
Subscribe to unlock Remediation & Mitigation steps
Free subscribers unlock full IOC lists, Sigma detection rules, remediation steps, and every daily briefing.
Why ShinyHunters Vishing SaaS Extortion Matters for Your Organization
The Charter Communications confirmation on May 26, 2026 marks the most significant ShinyHunters disclosure of the year, but the breach happened 56 days before it became public. In those 56 days, 40 million customers were exposed with no opportunity to change passwords, monitor accounts, or take protective action. That 56-day gap is not a Charter Communications failure specific to their organization. It is the standard detection timeline when attackers use valid credentials, delete enrollment notifications, and operate entirely within authorized SaaS sessions.
ShinyHunters vishing SaaS extortion attacks expose a structural vulnerability in how enterprises built their security architectures. Organizations have layered on SaaS tools, SSO platforms, and cloud storage without proportionally hardening the human access layer. FIDO2 phishing-resistant authentication solves the exact technical failure ShinyHunters exploits. The technology exists. It is widely available and supported by Okta, Microsoft, and Google natively. And it is the one control that would have prevented every confirmed 2026 ShinyHunters breach.
Three facts define the immediate risk level. First, the group is confirming new breaches multiple times per week with no signs of deceleration through May 2026. Second, exfiltration happens within hours of initial access, meaning detection after the vishing call ends is typically too late to prevent data theft. Third, the 72-hour extortion clock means organizations that detect a breach after the fact face an immediate ransom decision rather than a standard incident response timeline.
The window for non-emergency action is today. Enforce FIDO2 for all privileged and IT accounts by end of week. Disable self-service MFA device enrollment today. Audit third-party OAuth app authorizations today. Organizations that complete these three controls eliminate the specific attack surface ShinyHunters exploits in every confirmed 2026 intrusion.
The bottom line
ShinyHunters vishing SaaS extortion has breached 400+ organizations in 2026, stealing 40 million Charter Communications records and 275 million Canvas education records without exploiting a single software vulnerability. Every confirmed intrusion began with a phone call to a helpdesk employee. Three actions before end of day: enforce FIDO2 phishing-resistant MFA for all IT and privileged staff now, disable self-service MFA device enrollment in Okta and Entra today, and audit all Google Workspace OAuth app authorizations for ToogleBox Recall. If ToogleBox Recall is authorized in any account, that account is compromised and incident response begins immediately.
This analysis is generic — the platform version scores threats like this against your own stack.
Frequently asked questions
What is ShinyHunters?
ShinyHunters is a financially motivated cybercrime group active since 2019, specializing in large-scale data theft and extortion targeting SaaS platforms and cloud environments. The group operates as a loose criminal ecosystem tracked by Mandiant GTIG across three clusters: UNC6661 and UNC6671 for initial access operations via vishing and credential harvesting, and UNC6240 for post-intrusion extortion and negotiations. Silent Push attributes the 2026 campaign to 'Scattered LAPSUS$ Hunters,' a merger drawing members from Scattered Spider, Lapsus$, and the original ShinyHunters group.
How does a ShinyHunters vishing attack work?
ShinyHunters vishing attacks begin with a phone call in which attackers impersonate IT support staff and direct employees to fake SSO portals that capture Okta or Microsoft Entra credentials and MFA codes in real time. Specialized phishing kits allow attackers to control the authentication flow remotely while verbally coaching victims to approve MFA push notifications or enter one-time codes. Attackers then register their own MFA device on the victim's account, authorize ToogleBox Recall to delete security notification emails, and begin bulk data exfiltration from Salesforce, SharePoint, and Slack within minutes of establishing access.
Which companies has ShinyHunters breached in 2026?
Confirmed 2026 ShinyHunters victims include Charter Communications (40 million records, disclosed May 26), Canvas/Instructure (275 million education records across 330 institutions), 7-Eleven (185,000 customers), ADT, Harvard, Princeton, Wynn Resorts, Betterment, Crunchbase, and SoundCloud. Unauthorized access was confirmed at Atlassian, Canva, Epic Games, HubSpot, Moderna, WeWork, and ZoomInfo. The full confirmed victim count exceeds 400 organizations. In 2024, ShinyHunters-linked operators breached Ticketmaster (560 million records) and AT&T via the Snowflake credential campaign.
How can I detect ShinyHunters activity in my environment?
Detect ShinyHunters activity by alerting on: Okta or Entra sign-ins from Mullvad, Oxylabs, 9Proxy, NetNut, Infatica, or nsocks VPN ASNs; Google Workspace OAuth authorizations for ToogleBox Recall, which is a confirmed intrusion indicator with no legitimate use case; bulk document downloads of 50 or more files within five minutes from SharePoint or Google Drive; deletion of MFA enrollment notification emails; and MFA device registrations from anonymized or proxy IPs. Block the four confirmed infrastructure IPs: 24.242.93[.]122, 149.50.97[.]144, 142.127.171[.]133, and 23.234.100[.]107.
What is the difference between ShinyHunters and Scattered Spider?
ShinyHunters and Scattered Spider are distinct but operationally overlapping groups. Scattered Spider (UNC3944) is a social engineering collective that gained notoriety for SIM swapping and vishing attacks targeting MGM Resorts and Caesars Entertainment in 2023. ShinyHunters is a financially motivated data theft group active since 2019 focused on cloud and SaaS exfiltration. Silent Push's 2026 analysis attributes the current vishing campaign to 'Scattered LAPSUS$ Hunters,' an operational merger drawing tactics, infrastructure, and personnel from Scattered Spider, ShinyHunters, and the earlier Lapsus$ extortion group. All three share vishing and SSO credential theft as core TTPs.
Does phishing-resistant MFA stop ShinyHunters attacks?
Yes. FIDO2 hardware security keys and passkeys are technically immune to the ShinyHunters vishing attack method. FIDO2 performs a cryptographic domain verification handshake that fails silently on any spoofed SSO portal regardless of how convincing it appears, because the attacker's domain does not match the registered origin. Push-based MFA and SMS one-time codes were explicitly and reliably bypassed in every confirmed 2026 ShinyHunters intrusion. Mandiant, Okta, and every incident responder involved in this campaign have converged on FIDO2 as the single most effective control.
What data does ShinyHunters steal and how do they extort victims?
ShinyHunters exfiltrates data from Salesforce (customer records and CRM data), SharePoint and OneDrive (internal documents, proposals, and VPN access files), Slack (internal communications), Google Workspace, and DocuSign. Attackers search specifically for documents containing 'confidential,' 'internal,' 'poc,' 'proposal,' 'vpn,' and PII fields. Extortion demands arrive via email with the stolen data volume, a Bitcoin payment address, and a 72-hour payment deadline. Victims who do not pay face DDoS attacks, direct SMS harassment of employees, and full data publication on the ShinyHunters data leak site or criminal forum auctions.
Is ShinyHunters a nation-state group?
No. ShinyHunters is a financially motivated criminal group without confirmed nation-state affiliation or direction. Arrested affiliates include a French national named Sebastien Raoult, who was extradited to the United States, and four individuals arrested in France in 2025. The group operates as a loose criminal ecosystem motivated by data theft and extortion revenue. While TTPs overlap with some nation-state social engineering operations, attribution by Mandiant, Huntress, and law enforcement consistently identifies ShinyHunters as a financially motivated criminal network.
Sources & references
- BleepingComputer, Charter confirms data breach after ShinyHunters extortion threat
- Google Cloud / Mandiant GTIG, Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft
- SecurityWeek, Over 100 Organizations Targeted in ShinyHunters Phishing Campaign
- Huntress, ShinyHunters Threat Actor Profile: TTPs, IoCs and Attacks
- Cybersecurity Dive, ShinyHunters escalates tactics in extortion campaign linked to Okta environments
Free resources
Critical CVE Reference Card 2025–2026
25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.
Ransomware Incident Response Playbook
Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.
Get threat intel before your inbox does.
50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.
Unsubscribe anytime. We never sell your data.

Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.
Win a $2,495 Black Hat pass.
Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.
