
🔑 TL;DR
- ShinyHunters is a financially motivated cybercriminal group active since 2020, responsible for breaching 400+ organizations across retail, tech, finance, aviation, and automotive sectors.
- They don't hack through walls; they exploit OAuth tokens, SaaS misconfigurations, supply chain integrations, and AI-powered voice phishing to walk through doors organizations left open.
- Their 2025–2026 campaign targeted Salesforce, Google, Workday, Louis Vuitton, Gucci, Adidas, Jaguar Land Rover, Coinbase, and Qantas - among many others.
- Traditional perimeter security doesn't stop them. The attack happens inside the SaaS layer.
- DoControl's identity-first, contextual, cross-SaaS data security platform detects and shuts down every method ShinyHunters relies on - before data leaves your environment.
Introduction
Google. Louis Vuitton. Adidas. Workday. Jaguar Land Rover. Coinbase. Qantas.
These aren't small companies with underfunded security teams. They are some of the most recognized, well-resourced organizations on the planet - and within the span of roughly twelve months, a single criminal group breached all of them.
What is most striking is how they did it. There were no exotic, impossible-to-understand exploits. In many of these attacks, no one "broke in" at all.
Someone approved an app they shouldn't have. A token that should have expired didn't. A third-party vendor with too much access became the entry point for hundreds of downstream victims. In some cases, an employee simply answered the phone.
The group responsible is called ShinyHunters - and they are arguably the most consequential financially motivated hacking collective operating today. This article breaks down who they are, how they operate, what they have hit, and most importantly, what your organization can do to make sure you are not their next headline.
Who Is ShinyHunters?
ShinyHunters is a notorious black-hat cybercriminal group specializing in large-scale data breaches, extortion, and the sale of stolen user data on the dark web; in 2026 they are the most famous hacker group operating.
The group is believed to have formed as early as 2019 and emerged publicly in May 2020, when they appeared on dark web forums offering millions of stolen user records from more than a dozen companies in a single two-week burst.
From the start, the group has operated under a "pay or leak" model. When they breach an organization, they contact the victim privately with a ransom demand. If payment is refused, the stolen data is published on dark web forums or auctioned to the highest bidder. This model has proven brutally effective, and it has only grown more sophisticated over time.
The group operates under the leadership of a persona known as ShinyCorp - also referred to as sp1d3rhunters or shinyc0rp across Telegram channels. Google's Threat Intelligence Group (GTIG) tracks ShinyHunters-attributed activity under multiple threat clusters: UNC6040, UNC6240, and UNC6661, which allows researchers to differentiate between specific campaigns and operational roles within the broader organization.
ShinyHunters has not operated without consequence. In May 2022, Sébastien Raoult - a French programmer tied to the group - was arrested in Morocco and extradited to the United States. In January 2024, he was sentenced to three years in prison and ordered to return five million dollars. In June 2025, French authorities arrested four additional suspected members linked to BreachForums administration.
Arrests have slowed the group temporarily, but have not stopped them. Operations continued through and after each law enforcement action.
What Is Their End Goal?
ShinyHunters’ motive is pure financial gain.
This matters strategically. Because ShinyHunters operates like a business, they are predictable. They have pricing models, negotiation playbooks, affiliate programs, and - as of 2025 - what appears to be a product roadmap for ransomware-as-a-service.
The monetization lifecycle follows a consistent pattern:
- Breach - gain unauthorized access via one of their core attack methods
- Exfiltration - export as much high-value data as possible, often using automated bulk export tools
- Private extortion - contact the victim with a ransom demand, often with proof of stolen data as leverage
- Public escalation - if payment is refused, publish data on their leak site, notify journalists, regulators, and sometimes the victim's own customers
- Secondary sales - sell remaining datasets on dark web markets to maximize revenue per breach
What Makes a Target Valuable?
ShinyHunters gravitates toward organizations with three characteristics: large customer databases containing personally identifiable information, high-net-worth clientele whose data commands premium prices (luxury retail is a prime example), and cloud-based CRM or SaaS platforms that aggregate data from multiple organizations - allowing a single breach to yield dozens of downstream victims.
What Are Their Key Escalation Tactics?
Their tactics have grown increasingly aggressive. Beyond data leaks, the Scattered Lapsus$ Hunters collective has documented practices including sending extortion messages publicly addressed to CEOs, launching DDoS attacks against victims' websites, and in some cases threatening - and reportedly carrying out - physical harassment of executives and their families.
How They Get In: ShinyHunters' 5-Part Attack Playbook
ShinyHunters does not rely on brute force or exotic technical exploits. Their playbook is built around access points that most organizations have already left open; their security teams simply haven't looked at them.
Each method below is distinct, but they are designed to work in combination. A misconfigured app enables a token theft. A token theft enables supply chain access. Supply chain access enables a breach at hundreds of downstream organizations. Understanding the full playbook is the first step to dismantling it.
Method 1) OAuth Token Abuse & Third-Party App Exploitation
Modern SaaS environments are defined by connectivity. Salesforce connects to Slack. Slack connects to Google Drive. Google Drive connects to dozens of productivity tools, AI assistants, and vendor integrations - each authorized through OAuth tokens that grant access on behalf of the user.
ShinyHunters identified this interconnected SaaS ‘trust’ model as the most efficient attack surface in the enterprise. Their approach: compromise a single integration in the chain, steal the OAuth token it holds, and use that token to impersonate a legitimate user across every platform it has access to.
Because an OAuth token represents access that was already authorized, using a stolen one never triggers multi-factor authentication. The attacker is not logging in - the token is already trusted.
This method was central to the Salesloft Drift campaign of August 2025, in which ShinyHunters stole OAuth tokens from the Drift chatbot integration within Salesloft, instantly gaining unauthorized access to 760 Salesforce customer organizations.
Method 2) SaaS Misconfiguration Exploitation
You do not need to exploit a vulnerability if the door is already open. ShinyHunters has built an entire campaign strategy around finding doors that enterprise security teams accidentally left unlocked - and in 2025 and 2026, two platforms have proven to be their most reliable targets: Salesforce Experience Cloud and Google Workspace.
The attack targets organizations that have deployed Salesforce Experience Cloud sites - customer portals, partner portals, community pages - with overly permissive guest user profiles. Salesforce has warned customers about this configuration risk for years. ShinyHunters built a systematic scanning operation around it.
Google Workspace presents a parallel - and equally exploitable - misconfiguration risk. In most enterprise environments, employees can connect third-party applications to their corporate Google Workspace account with broad OAuth permissions, unless administrators have explicitly restricted which apps are allowed, required admin approval for new authorizations, or blocked "Allow All" grant types. When those controls are absent or misconfigured, a single employee connecting an unvetted AI productivity tool or consumer app to their corporate identity can hand attackers access.
Method 3) Supply Chain Compromise
ShinyHunters has mastered the economics of the supply chain attack. Rather than breaching 400 organizations individually, they breach one vendor those 400 organizations all trust - and collect the access automatically.
Their targets are the connective tissue of the modern SaaS stack: analytics providers, CRM integrations, chatbot platforms, data monitoring tools. Compromising one unlocks many.
The reach of a successful supply chain attack was illustrated clearly by the Salesloft Drift breach. Cloudflare, Zscaler, Palo Alto Networks, and Google were all victims of this specific incident, and it was far from the only one of its kind.
Method 4) Insider Recruitment & Credential Harvesting
ShinyHunters don't just attack organizations from the outside - they actively recruit people inside them. They solicit employees at target organizations directly, offering financial rewards in exchange for access credentials for Okta, Citrix VPN, Microsoft SSO, GitHub, and GitLab.
Yes - you read that right. ShinyHunters recruits insiders to give them their credentials! Finance, insurance, aviation, telecoms, retail, and automotive sectors are all targeted explicitly.
Beyond active recruitment, the group runs a passive harvesting operation in parallel. ShinyHunters scans public GitHub repositories for hardcoded credentials and OAuth tokens left behind by developers. They also target high-privilege engineering accounts on various platforms, creating footholds deep inside development environments that can be leveraged for future supply chain attacks.
Method 5) AI-Powered Vishing (Voice Phishing)
The most human of ShinyHunters' methods is also, increasingly, the most scalable: voice phishing (vishing) driven by AI. Using legitimate AI voice platforms, the group has built automated social engineering agents capable of impersonating IT helpdesk staff.
The typical script: an attacker calls a corporate helpdesk or employee, impersonates IT or HR staff, and directs the victim to a legitimate-looking Salesforce or Okta login page. During the call, the victim is guided to enter a connection code or approve an app authorization - unknowingly granting the attacker's controlled application full access to their organizational account.
The AI dynamically adjusts its conversation based on the victim's responses - if the target pushes back, the agent pivots. If the target asks an unexpected question, the agent answers. The result is a convincing, human-sounding call that can be deployed at scale across hundreds of targets simultaneously.
This is exactly what happened in the Workday breach. By impersonating IT and HR personnel, hackers were able to trick employees into handing over personal information and account credentials. With that data, attackers infiltrated the customer support system, exposing sensitive details from support tickets - names, email addresses, and phone numbers of Workday customers, many of them well-known enterprises.
ShinyHunters' Top 10 Deadly Attacks
No industry has been immune. The ten attacks below span retail, technology, human resources, finance, automotive, and aviation - and every one of them traces back to the same underlying vulnerability: a SaaS environment with too much trust and too little visibility.

1. Salesforce (2025)
ShinyHunters combined vishing calls with modified versions of Salesforce's own Data Loader tool to authorize attacker-controlled applications and bulk-export CRM data. More than 200 Salesforce instances were confirmed compromised.
The attack did not exploit any Salesforce vulnerability - it exploited the trust organizations place in connected apps and the humans who approve them.
2. Google (2025)
On August 5, 2025, Google confirmed that a corporate Salesforce instance containing contact information for small and medium-sized business clients had been compromised by UNC6040/ShinyHunters activity.
This confirmation triggered Google to urge 2.5 billion users globally to review their account security. Even the world's most sophisticated internal security apparatus couldn't stop it - because the attack targeted the SaaS layer, not Google's perimeter.
3. Salesloft Drift (2025)
In a single supply chain operation between August 8–18, 2025, ShinyHunters stole OAuth tokens from the Drift chatbot integration within Salesloft, instantly gaining access to 760 downstream Salesforce customer environments.
Security teams at hundreds of organizations had no warning - they had connected Drift as a trusted integration, and that trust became the attack vector.
4. Workday (2025)
Workday saw its employees targeted by ShinyHunters vishing campaigns in August 2025, resulting in unauthorized access to connected Salesforce environments.
The attack was significant beyond the breach itself - Workday is integrated into the HR infrastructure of thousands of global enterprises, making it a high-value pivot point.
5. Louis Vuitton / LVMH (2025)
On July 2, 2025, Louis Vuitton confirmed a coordinated cyberattack linked to ShinyHunters, affecting customers across the United Kingdom, South Korea, Turkey, Italy, Sweden, Australia, and Hong Kong.
The attackers maintained undetected access for nearly a month - a window that allowed comprehensive exfiltration of customer names, contact details, and purchase histories. Fellow LVMH brands Dior and Tiffany & Co. confirmed related breaches stemming from the same campaign vector.
6. Kering: Gucci, Balenciaga & Alexander McQueen (2025)
ShinyHunters breached Kering in April 2025, claiming to have exfiltrated over 43 million records from Gucci alone and approximately 7.4 million unique customer records across Balenciaga, Brioni, and Alexander McQueen.
Data samples shared with the BBC contained customer spending records ranging from $10,000 to $86,000 per individual - precisely the kind of high-net-worth data that commands premium prices on dark web markets. Kering confirmed the incident, refused to pay the ransom, and notified affected customers directly.
7. Adidas (2025)
Adidas was among the confirmed victims of the ShinyHunters UNC6040 Salesforce vishing wave, alongside Google, Cisco, Workday, Pandora, and Chanel.
The breach exposed customer personally identifiable information across multiple markets. It serves as a clear reminder that the attack vector - a Salesforce instance with insufficiently controlled connected apps - is entirely industry-agnostic.
8. Jaguar Land Rover (2025)
Beginning August 31, 2025, the Scattered Lapsus$ Hunters collective launched what has been described as the most damaging cyberattack in British history, forcing Jaguar Land Rover to halt production at all global facilities for three weeks.
The attack originated in ShinyHunters social engineering campaigns run weeks earlier - stolen credentials providing the initial foothold into JLR's systems.
9. Coinbase (2026)
In early 2026, ShinyHunters posted screenshots from Coinbase's internal support tools on Telegram - a "flash post" designed to signal access and pressure the company into paying.
The underlying breach had been enabled by a contractor who improperly accessed customer account data, with hackers subsequently demanding a $20 million ransom. Coinbase refused to pay, instead offering a $20 million reward for information leading to the attackers' arrest - a textbook example of insider risk and external extortion operating in tandem.
10. Qantas (2025)
In July 2025, Australian airline Qantas confirmed a cyberattack - later attributed to ShinyHunters - that exposed the personal data of approximately 5.7 million customers, including frequent-flyer data, contact information, and travel details.
The breach was significant enough that Qantas executives took voluntary pay cuts in recognition of its impact. It extended the ShinyHunters pattern firmly into the aviation sector, reinforcing that the group's targeting follows data value, not industry vertical.
How DoControl Stops the Attacks ShinyHunters Depends On
ShinyHunters succeeds for one reason: most security tools are watching the perimeter while the attack happens inside the SaaS layer.
Even tools that do monitor the SaaS layer often cannot remediate the moment a risk is detected or an insider performs a risky action.
DoControl is built specifically for the layer ShinyHunters targets. Here is how each core capability maps directly to the methods the group relies on.
1) OAuth App Visibility & Third-Party Access Control
The ShinyHunters problem:
OAuth token abuse and third-party integration compromise are the group's most productive entry points. Trusted apps with excessive permissions - often forgotten by the security team entirely - become the master key to an organization's SaaS environment.
What DoControl does:
- DoControl builds a complete, real-time inventory of every OAuth application connected to your SaaS ecosystem - every app, every permission scope, every user who authorized it.
- Security teams gain immediate visibility into which third-party apps have access to sensitive data, which permissions are excessive relative to their function, and which connections haven't been used in months.
- When a new app is connected or an existing app's behavior changes - as it would if an attacker had compromised the integration - DoControl detects it instantly and can trigger automated revocation workflows that remove access across hundreds of thousands of assets in minutes, not days.
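The inventory-and-flag logic described above, as an added example that is not DoControl's code or API: it takes a constructed export of OAuth grants (app, granting user, scopes, last-use time) and reports apps that are not on an approved list, hold broad data-bearing scopes, or have gone unused for longer than a retention window. The scope strings are real Google OAuth scopes; the grants, the allowlist, the 90-day window, and the `Grant`/`Finding` names are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Real Google OAuth scope strings that grant broad, data-bearing access.
# The mapping is illustrative, not an exhaustive policy.
BROAD_SCOPES = {
    "https://www.googleapis.com/auth/drive": "full read/write on every Drive file",
    "https://mail.google.com/": "full mailbox access",
    "https://www.googleapis.com/auth/admin.directory.user": "directory user administration",
}
STALE_AFTER = timedelta(days=90)  # assumption: a grant unused this long is reviewed


@dataclass
class Grant:
    app: str
    user: str
    scopes: list
    last_used: datetime  # timezone-aware


@dataclass
class Finding:
    app: str
    user: str
    reasons: list = field(default_factory=list)


def audit_grants(grants, allowlist, now):
    """Return one Finding per grant that violates allowlist, scope, or staleness checks."""
    findings = []
    for g in grants:
        reasons = []
        if g.app not in allowlist:
            reasons.append("app not on approved list")
        for scope in g.scopes:
            if scope in BROAD_SCOPES:
                reasons.append(f"broad scope {scope} ({BROAD_SCOPES[scope]})")
        idle = now - g.last_used
        if idle > STALE_AFTER:
            reasons.append(f"unused for {idle.days} days")
        if reasons:
            findings.append(Finding(g.app, g.user, reasons))
    return findings


# Constructed sample data: a fixed "now" keeps the staleness check deterministic.
NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)
APPROVED_APPS = {"Slack", "Legacy Analytics Connector"}
SAMPLE_GRANTS = [
    # Approved app, narrow scopes, recently used: no finding expected.
    Grant("Slack", "alice@example.com",
          ["https://www.googleapis.com/auth/drive.file",
           "https://www.googleapis.com/auth/userinfo.email"],
          NOW - timedelta(days=3)),
    # Unvetted AI tool an employee connected with full Drive and mailbox access.
    Grant("AI Meeting Notes", "bob@example.com",
          ["https://www.googleapis.com/auth/drive", "https://mail.google.com/"],
          NOW - timedelta(days=10)),
    # Approved integration nobody has used in 200 days: a forgotten standing grant.
    Grant("Legacy Analytics Connector", "carol@example.com",
          ["https://www.googleapis.com/auth/drive.readonly"],
          NOW - timedelta(days=200)),
]


def sample_findings():
    return audit_grants(SAMPLE_GRANTS, APPROVED_APPS, NOW)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.app} (granted by {f.user}):")
        for r in f.reasons:
            print(f"  - {r}")
```

The three checks are deliberately independent so a grant can accumulate several reasons; in practice the first one to act on is the unapproved app with broad scopes, since that is the combination the token-theft method above turns into cross-platform access.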
2) SaaS Misconfiguration & Posture Management (SSPM)
The ShinyHunters problem:
Salesforce Experience Cloud misconfigurations gave ShinyHunters unauthenticated access to CRM data at 300–400 organizations. Misconfigured OAuth applications and third-party tools open the floodgates to corporate Google Workspace instances. These platforms are not broken - the configurations are wrong, and no one notices.
What DoControl does:
- DoControl continuously scans your SaaS configurations against security best practices, flagging drift before attackers find it.
- Least-privilege access policies are enforced automatically, and configuration violations are surfaced with actionable remediation steps rather than buried in alert noise.
- For organizations running Google Workspace, Microsoft 365, Salesforce, and Slack, DoControl provides the continuous posture management layer that ensures the doors you intend to close are actually closed.
3) Identity Monitoring & Insider Threat Detection
The ShinyHunters problem:
ShinyHunters actively recruits corporate insiders - contractors, employees, service desk staff - through Telegram channels. They also exploit contractors with lingering or overprivileged access long after their legitimate need has expired. The Coinbase breach illustrated both: an insider enabled unauthorized access, and ShinyHunters used the resulting data for extortion.
What DoControl does:
- DoControl establishes a behavioral baseline for every user across your SaaS environment and continuously monitors for deviations - bulk downloads, off-hours access, unusual file sharing patterns, data movement to personal email domains.
- DoControl integrates with HRIS and IdP systems to enrich every risk signal with employment context. Is this user a contractor? Are they in their notice period? Did they change roles recently? Are they moving laterally? Why are they accessing that?
- Former employees with lingering access and open credentials are automatically identified and remediated before they become a liability.
4) Lateral Movement and Data Access Governance Across SaaS
The ShinyHunters problem:
ShinyHunters don't stop at the first platform they access. Once inside Salesforce, they pivot to Slack. From Slack to Google Drive. Each hop is through a legitimate connected app permission - invisible to tools that monitor each platform in isolation.
What DoControl does:
- DoControl provides cross-SaaS intelligence that tracks data flows and data access patterns across your entire application ecosystem as a unified picture.
- When a user or connected application begins accessing platforms it has never interacted with before, or when data starts moving at volumes inconsistent with normal activity, DoControl surfaces the behavior in real time, and automated response workflows can quarantine files, revoke app permissions, or alert the security team - containing lateral movement before the attacker reaches the data they came for.
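The two signals named in the insider-threat bullets above (a per-user volume baseline with deviations flagged) and in the lateral-movement bullets (first-time access to a platform the user has never touched), as one added example that is not DoControl's code: it runs over a constructed activity log and reports both kinds of anomaly for a given day. The z-score threshold, the absolute record floor, and the `detect_anomalies` name are assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample activity, not real telemetry.
# Each row: (user, ISO day, platform, records exported or downloaded that day).
SAMPLE_EVENTS = [
    ("alice", "2026-02-01", "salesforce", 40),
    ("alice", "2026-02-02", "salesforce", 55),
    ("alice", "2026-02-03", "salesforce", 35),
    ("alice", "2026-02-04", "salesforce", 50),
    ("alice", "2026-02-05", "salesforce", 45),
    ("alice", "2026-02-06", "salesforce", 12000),  # bulk export, far above baseline
    ("alice", "2026-02-06", "gdrive", 300),         # alice never used gdrive before
    ("bob", "2026-02-01", "slack", 20),
    ("bob", "2026-02-02", "slack", 22),
    ("bob", "2026-02-03", "slack", 18),
    ("bob", "2026-02-04", "slack", 21),
    ("bob", "2026-02-05", "slack", 19),
    ("bob", "2026-02-06", "slack", 25),  # z > 3 on a tiny baseline, but under the floor
]


def detect_anomalies(events, target_day, z_threshold=3.0, min_records=500):
    """Flag users whose activity on target_day deviates from their own history.

    Returns (user, kind, detail) tuples where kind is "volume" or "new_platform".
    History is every event strictly before target_day; the baseline is per user.
    """
    history = defaultdict(lambda: defaultdict(int))   # user -> day -> records
    seen_platforms = defaultdict(set)                  # user -> platforms used before
    today = defaultdict(lambda: defaultdict(int))      # user -> platform -> records

    for user, day, platform, records in events:
        if day < target_day:
            history[user][day] += records
            seen_platforms[user].add(platform)
        elif day == target_day:
            today[user][platform] += records

    findings = []
    for user, per_platform in today.items():
        total = sum(per_platform.values())
        past = list(history[user].values())
        # Need a few days of history before a baseline means anything.
        if len(past) >= 3:
            mu, sigma = mean(past), pstdev(past)
            if sigma == 0:  # perfectly constant baseline: any increase is infinite z
                z = float("inf") if total > mu else 0.0
            else:
                z = (total - mu) / sigma
            # The absolute floor stops small, noisy baselines from alerting on +5 records.
            if z > z_threshold and total >= min_records:
                findings.append((user, "volume",
                                 f"{total} records today vs baseline mean {mu:.0f}"))
        for platform, records in per_platform.items():
            if platform not in seen_platforms[user]:
                findings.append((user, "new_platform",
                                 f"first access to {platform} ({records} records)"))
    return findings


if __name__ == "__main__":
    for user, kind, detail in detect_anomalies(SAMPLE_EVENTS, "2026-02-06"):
        print(f"{user}: {kind}: {detail}")
```

Bob's day shows why the absolute floor matters: his baseline is so tight that 25 records is statistically unusual, yet it is not a volume worth an analyst's time. Alice triggers both detectors, which is the pattern the text describes: a bulk export plus a hop into a platform the identity never used before.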
5) Geolocation & Suspicious IP Detection
The ShinyHunters problem:
ShinyHunters compromise accounts and assume the identities of real employees, but they typically operate through VPNs and from geographies that are inconsistent with their victims' normal user populations.
What DoControl does:
- DoControl's geolocation-aware access monitoring flags activity that is inconsistent with a user's established access patterns - logins from unexpected countries, activity routed through known anonymous proxy networks, or sessions originating from IP ranges associated with threat infrastructure.
- When a Google Drive session for a New York-based account manager originates from Australia at 3am, DoControl detects it.
- When the same credentials are used from two geographically impossible locations within minutes of each other, DoControl flags the impossible travel event.
- These signals feed directly into automated review and revocation workflows, allowing security teams to act on suspicious access before data is exfiltrated - not after.
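The impossible-travel check from the bullets above, as an added example that is not DoControl's code: consecutive logins for the same identity are compared by great-circle distance and elapsed time, and a pair whose implied speed exceeds what an airliner could manage is flagged. The login records, the 900 km/h ceiling, the 50 km same-metro tolerance, and the `impossible_travel` name are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumption: roughly commercial-airliner cruising speed
SAME_AREA_KM = 50.0        # assumption: ignore geo-IP jitter within one metro area


@dataclass(frozen=True)
class Login:
    user: str
    at: datetime  # timezone-aware
    city: str
    lat: float
    lon: float


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    r = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, km, kmh) for consecutive logins that
    would require travelling faster than max_kmh."""
    by_user = defaultdict(list)
    for login in logins:
        by_user[login.user].append(login)

    alerts = []
    for user, seq in by_user.items():
        seq.sort(key=lambda l: l.at)
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if km < SAME_AREA_KM:
                continue
            hours = (cur.at - prev.at).total_seconds() / 3600.0
            # Two distant logins at the same instant are treated as infinitely fast.
            speed = km / hours if hours > 0 else float("inf")
            if speed > max_kmh:
                alerts.append((user, prev.city, cur.city, round(km), round(speed)))
    return alerts


def _utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


# Constructed sample logins, not real session data.
SAMPLE_LOGINS = [
    # A New York account manager, then the same identity in Sydney 45 minutes later.
    Login("alice", _utc(2026, 2, 6, 14, 0), "New York", 40.7128, -74.0060),
    Login("alice", _utc(2026, 2, 6, 14, 45), "Sydney", -33.8688, 151.2093),
    # London to Paris in four hours: a plausible trip, no alert.
    Login("bob", _utc(2026, 2, 6, 9, 0), "London", 51.5074, -0.1278),
    Login("bob", _utc(2026, 2, 6, 13, 0), "Paris", 48.8566, 2.3522),
    # Two New York logins hours apart: same metro area, no alert.
    Login("carol", _utc(2026, 2, 6, 8, 0), "New York", 40.7128, -74.0060),
    Login("carol", _utc(2026, 2, 6, 17, 30), "Newark", 40.7357, -74.1724),
]


if __name__ == "__main__":
    for user, src, dst, km, kmh in impossible_travel(SAMPLE_LOGINS):
        print(f"{user}: {src} -> {dst}, {km} km in implied {kmh} km/h")
```

Sorting by timestamp before pairing matters because login events rarely arrive in order; the same-area tolerance avoids alerting on a laptop that flips between two nearby geo-IP resolutions during one working day.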
Key Takeaway? ShinyHunters exploit the gap between what organizations assume their SaaS environment looks like and what it actually is. DoControl closes that gap - with real-time visibility, identity-enriched detection, and automated remediation that operates at the speed of the threat.
Conclusion
ShinyHunters began as a group that sold stolen databases on dark web forums. Five years later, they are a sophisticated criminal ecosystem responsible for some of the most consequential data breaches in recent memory - compromising luxury brands, global airlines, automotive manufacturers, HR platforms, cryptocurrency exchanges, and the world's most prominent technology company, all within the same twelve-month window.
What makes them dangerous is not technical brilliance. It is their precise exploitation of the gap that exists in most organizations' security posture: the SaaS layer.
Connected apps that accumulate permissions over time. Configurations that drift without oversight. Tokens that outlive their purpose. Identities that are trusted too broadly. These are not exotic vulnerabilities - they are the predictable byproducts of how modern organizations use SaaS, and ShinyHunters has built a business around them.
The good news? The attack surface ShinyHunters exploits is addressable. OAuth apps can be inventoried and governed. Misconfigurations can be detected before attackers find them. Insider risk can be quantified and managed with the right behavioral context. Lateral movement can be detected and stopped mid-chain. Suspicious access can be flagged and revoked in minutes.
It takes the right SaaS security tool to stop ShinyHunters.
Take DoControl's free SaaS Risk Assessment to see what data gaps you have open for exploitation. It could save you from being the next headline.
Sources
- cloud.google.com/blog/topics/threat-intelligence
- https://cloud.google.com/blog/topics/threat-intelligence/expansion-shinyhunters-saas-data-theft
- cloud.google.com/blog/topics/threat-intelligence/voice-phishing-data-extortion
- https://en.wikipedia.org/wiki/ShinyHunters
- thehackernews.com/search/label/ShinyHunters
- https://blog.eclecticiq.com/shinyhunters-calling-financially-motivated-data-extortion-group-targeting-enterprise-cloud-applications
- https://www.justice.gov/usao-wdwa/pr/member-notorious-international-hacking-crew-sentenced-prison


