ShinyHunters Claims Data Breaches at Panera Bread, CarMax, Edmunds, and More The extortion group ShinyHunters has alleged large-scale data theft from multiple organizations, including Panera Bread, CarMax, and Edmunds, as part of a broader campaign targeting corporate credentials. According to claims reviewed by The Register and shared on the dark web, the group exfiltrated over 14 million records from Panera Bread including names, email addresses, phone numbers, and account details totaling 760 MB of compressed data. CarMax and Edmunds were also reportedly breached, with 500,000+ records (1.7 GB) and "millions" of records (12 GB), respectively, containing similar personally identifiable information (PII). ShinyHunters stated it accessed Panera’s systems via a Microsoft Entra single-sign-on (SSO) code, while the CarMax and Edmunds breaches stemmed from earlier, unrelated intrusions. The group’s claims align with previous activity by Scattered Lapsus$ Hunters, a linked threat actor that posted CarMax data on a now-defunct leak site last fall, citing compromises in Salesforce environments. The campaign extends beyond these three companies. Last week, ShinyHunters added Crunchbase, SoundCloud, and Betterment to its list of victims, claiming over 50 million records stolen in total. Access to Crunchbase and Betterment was reportedly gained through voice-phishing attacks targeting Okta SSO credentials, a tactic Okta warned about in recent advisories. Betterment confirmed an unauthorized intrusion on January 9, where attackers used social engineering to access third-party marketing platforms and send fraudulent crypto-related messages to customers. Security researchers have observed the group’s expanding operations. Silent Push reported that ShinyHunters’ latest credential-stealing campaign targeted around 100 organizations in the past 30 days, though it remains unconfirmed how many attacks succeeded. Meanwhile, Mandiant is tracking a "new, ongoing ShinyHunters-branded campaign" leveraging voice-phishing to harvest SSO credentials. None of the named companies Panera Bread, CarMax, Edmunds, Crunchbase, or Betterment have publicly responded to the claims. Microsoft and Google stated they had no indication their products were directly affected by the phishing campaign. The incidents underscore the growing threat of social engineering attacks bypassing multi-factor authentication (MFA) to compromise corporate systems.

ShinyHunters Expands Vishing Campaign Targeting High-Value Organizations with Advanced Phishing Kits Okta researchers have uncovered a surge in voice-based social engineering attacks linked to the notorious extortion group ShinyHunters (also tracked as UNC6040), which has targeted over 100 high-value organizations in the past month. The group’s latest campaign leverages real-time phishing kits and hybrid vishing techniques to bypass multi-factor authentication (MFA) and steal credentials, session tokens, and sensitive data. ### How the Attack Works ShinyHunters employs "Live Phishing Panels" automated tools that enable man-in-the-middle (MitM) attacks on login sessions. Attackers impersonate IT support, guiding victims through fake MFA prompts while dynamically adjusting phishing pages to match legitimate authentication flows. For example: - If a victim receives a push notification, the attacker instructs them to expect it, then manipulates the phishing site to display a fake confirmation. - If the MFA method requires a one-time code, the attacker either provides the correct number (obtained in real time from the legitimate site) or modifies the phishing page to display it. This approach defeats even push-based MFA, which was designed to counter automated phishing attacks. ### Recent Data Breaches Linked to ShinyHunters The group has claimed responsibility for data leaks from multiple companies, including: - Dating apps: Hinge, Match, OkCupid, and Bumble (though Match Group stated no financial or login data was compromised). - Other victims: SoundCloud, CrunchBase, Betterment, CarMax, Edmunds.com, and Panera Bread. While the exact breach methods remain unconfirmed, researchers note the attacks align with ShinyHunters’ known tactics, including: - Credential theft via phishing kits. - Session token hijacking for SSO platforms like Okta. - Data exfiltration from SaaS applications. ### Broader Impact & Response Okta’s advisory highlights a rise in similar attacks targeting Okta, Microsoft, and Google accounts, driven by commercial phishing kits optimized for voice-based social engineering. Cybersecurity firm Hudson Rock confirmed the leaked data matches ShinyHunters’ previous claims, reinforcing the group’s credibility. Companies are advised to: - Verify IT support calls through official channels. - Audit OSS provider logs for suspicious device enrollments or new IP logins. ShinyHunters, active since 2020, has a history of breaching major brands, often through employee account compromise. The latest campaign suggests an expansion of targets, with potential for further data leaks.