ShinyHunters continues to wreak havoc against well-known brands; most recently, Wynn Resorts. Wynn Resorts has confirmed that “an unauthorized third party acquired certain employee data.” It is believed that the threat actor was ShinyHunters. Fortunately for Wynn, the incident is not affecting its operations, and its resorts remain fully functional.

ShinyHunters announced it was the culprit on its leak site on February 20, 2026. It alleges that it stole more than 800,000 records, including Social Security numbers. Wynn was removed from the site four days later, and reported that “the unauthorized third party has stated that the stolen data has been deleted.”

Wynn has confirmed that it will be offering credit monitoring and identity protection services to affected employees.

Wynn is not alone in being a target of ShinyHunters. It is reported that ShinyHunters has successfully attacked over 100 organizations through vishing attacks and compromised single sign-on credentials.

The techniques used by ShinyHunters and other threat actors in vishing campaigns are timely, and they provide strong, current scenarios for employee education and training and for cybersecurity tabletop exercises.

Security professionals rely on the implementation of multifactor authentication (MFA) to defend against phishing attacks and intrusions. Unfortunately, we can’t completely rely on MFA to protect us, as threat actors (more specifically, ShinyHunters) are now targeting companies in technology, financial services, real estate, energy, healthcare, logistics, and retail with synchronized vishing-phishing attacks.

The newest attacks involved threat actors pretending to be IT staff and calling employees to tell them that the company was updating MFA settings. While on the phone with the employee, the threat actor directed them to a malicious credential-harvesting site that spoofed the company to capture the employee’s single sign-on credentials and MFA codes, then registered the threat actor’s own device for the MFA push.

The threat actors cover their tracks and bypass security notices. Once they gain access to the company system, they download sensitive data and extort ransoms from companies and harass employees.

It is crucial that companies continue to educate employees on the newest cybersecurity threats and schemes so they can identify them and avoid becoming victims. Sophisticated combined vishing and phishing schemes like the one described above are unusual, and many users don’t understand how powerful and successful the combination of vishing and phishing can be. Incorporate these recent threats into your next cybersecurity training or company-wide cyber tip.

Sophisticated vishing (voice phishing) attacks continue to target and victimize company call centers and help desks. Recently, a large ad tech company reported that customer information had been compromised as a result of a vishing attack. The company warns that the information obtained in the incident can be used by threat actors to conduct phishing and vishing attacks against customers through the use of emails, texts or telephone numbers.

The attackers, believed to be ShinyHunters (again), use similar tactics in their attacks against companies in all industries. The threat actor, impersonating a company’s information technology employee, calls company employees (often a help desk or call center) and tricks them into entering credentials and multifactor authentication (MFA) codes on phishing sites that mimic the company’s portal, or asks them to assist the “employee” with changing his or her credentials to access the company network. They also use device code vishing to bypass MFA defenses. Once they have access to the company network, and to the data the impersonated employee could access, they often escalate privileges and exfiltrate data to use against the company in an extortion campaign.

These attacks continue to escalate, and call centers and help desks are central to thwarting them. Companies may wish to consider immediate additional training and education for in-house call center and help desk personnel, update processes for employees to change credentials through voice requests, implement more robust identification requirements (including using internal company information that only employees would have access to), and conduct tabletop exercises on how to respond to these attacks.

A newly filed putative class action in the Western District of Texas targets Bumble, Inc., over an alleged “massive and preventable” cyberattack in or around January 2026, in which attackers allegedly accessed highly sensitive user data stored in Bumble’s systems. The complaint alleges the compromised information included names, dates of birth, addresses, telephone numbers, Social Security numbers, and account numbers, as well as highly sensitive, context-rich dating data such as chat history and dating history, the kind of data combination that can heighten identity-theft risk and privacy harms. The named plaintiff alleges time loss, anxiety, and increased risk of fraud and identity theft, and seeks damages and injunctive relief on behalf of the individuals whose information was stored and/or exposed in the breach. 

For companies watching this case, the “what went wrong” allegations read like a checklist of avoidable security and communications failures. The complaint claims Bumble promised “appropriate and reasonable security measures” (including secured servers and firewalls) in its public-facing privacy policy but allegedly did not adhere to those claims. The complaint further alleges the breach occurred through a phishing attack attributed to the “ShinyHunters” threat actor group, and argues that the fact of a successful phishing compromise suggests inadequate security controls, pointing to measures like organization-wide two-factor authentication and adequate employee cybersecurity training as known safeguards. The complaint also alleges that Bumble failed to properly secure and encrypt data, failed to implement timely breach detection, and failed to provide prompt and accurate notice.

The takeaway is that privacy policy statements, phishing training failures, encryption decisions, breach detection, and notification practices can quickly become central allegations in a class action when a security incident occurs. Even at this stage, this lawsuit is a reminder that aligning written privacy and security commitments with day-to-day implementation, and documenting those efforts, can be just as important as the technical controls themselves when an incident triggers litigation.

We continue to alert our readers to the uptick in, and successful use of, vishing attacks against companies. Threat actors continue to be creative in developing strategies to use vishing to gain access to systems.

According to Cyberscoop (a publication that I read religiously), Mandiant has confirmed that “multiple cybercrime groups,” including ShinyHunters, are “combining voice calls and advanced phishing kits to trick victims into handing over access” to company systems. The scary thing about this new wave of vishing attacks is that threat actors are using sophisticated vishing campaigns to compromise single sign-on (SSO) credentials, then “enroll threat actor controlled devices into victim multifactor authentication solutions.” This effectively bypasses well-known security tools used by companies to prevent unauthorized access to their systems.

Once threat actors gain access, they move into the company’s SaaS environment to exfiltrate data and then launch extortion campaigns. In addition,

Cybercriminals are registering custom domains that mimic legitimate single sign-on portals used by targeted companies, then deploying tailored voice-phishing kits to call victims while remotely controlling which pages appear in the victim’s browser. This lets the attackers sync their spoken prompts with multifactor-authentication requests in real time, increasing the likelihood the victim approves or enters the needed codes on cue.
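One defensive check for the device-enrollment step described above, as an added example that is not part of the original article: flag an MFA enrollment that follows shortly after a sign-in from an IP address the user has not signed in from before. The log format, event names and 30-minute window are assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical "timestamp user event ip" format;
# a real identity provider's log schema will differ.
SAMPLE_LOG = """\
2026-02-10T09:00:00 alice login 198.51.100.10
2026-02-11T09:05:00 alice login 198.51.100.10
2026-02-12T14:00:00 alice login 203.0.113.77
2026-02-12T14:04:00 alice mfa_enroll 203.0.113.77
2026-02-10T08:30:00 bob login 198.51.100.20
2026-02-12T08:40:00 bob mfa_enroll 198.51.100.20
"""
WINDOW = timedelta(minutes=30)  # assumed correlation window


def parse(log_text):
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, user, event, ip = parts
        events.append((datetime.fromisoformat(ts), user, event, ip))
    return sorted(events)  # process in time order


def suspicious_enrollments(log_text, window=WINDOW):
    """Return (user, ip, time) for each MFA enrollment made within `window`
    of a sign-in from an IP the user had not signed in from before."""
    seen_ips = {}      # user -> IPs seen in earlier sign-ins
    new_ip_login = {}  # user -> (time, ip) of latest first-time-IP sign-in
    alerts = []
    for ts, user, event, ip in parse(log_text):
        if event == "login":
            known = seen_ips.setdefault(user, set())
            # A user's first recorded sign-in only establishes the baseline.
            if known and ip not in known:
                new_ip_login[user] = (ts, ip)
            known.add(ip)
        elif event == "mfa_enroll" and user in new_ip_login:
            login_ts, login_ip = new_ip_login[user]
            if ts - login_ts <= window:
                alerts.append((user, login_ip, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in suspicious_enrollments(SAMPLE_LOG):
        print("review MFA enrollment:", alert)
```

An alert of this kind is a prompt to confirm the enrollment with the user through a known-good channel, not proof of compromise.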

In response to these attacks, Okta released threat intelligence confirming that it has seen “multiple phishing kits developed” to use with other SSO and cryptocurrency providers. To be clear, this is not a vulnerability with the SSO products, but a scary way for threat actors to dupe users into providing credentials.  

Due to the success of these new vishing campaigns using SSO, now is the time to remind your users about vishing, how it works, the newest ways threat actors are trying to get users to provide their credentials, and how SSO can give the threat actors the keys to the kingdom.

Indian news outlet Inc42 has reported that the ShinyHunters hacking group found some shiny objects when it was able to compromise the personal information of hundreds of thousands of individuals using the crypto exchange BuyUCoin.

The hackers were able to compromise and subsequently leak a BuyUCoin database that contained names, telephone numbers, email addresses, tax identification numbers and bank account information of users. Different reports say that the number of users who were affected by the compromise ranges from 161,000 to 325,000 users.

Although BuyUCoin initially denied the reports, it recently indicated that it is investigating and that no user funds had been affected.