Edmunds A.I CyberSecurity Scoring
Edmunds
Company Information
Website: https://www.edmunds.com/
Employees number: 609
Number of followers: 47,078
Industry Type: Automotive
Homepage: edmunds.com
Edmunds Risk Score (AI oriented)
Current Score: 476/1000, grade C, Critical (band: between 0 and 549)
Updated: 02/04/2026
Edmunds Global Score (TPRM): score locked
5 incidents, -72.25 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026: 492
MAY 2026: 482
APRIL 2026: 477
MARCH 2026: 476
FEBRUARY 2026: 469
JANUARY 2026: 556
Breach
09 Jan 2026 • Edmunds
Panera Bread, Edmunds and CarMax: ShinyHunters claims Panera Bread in alleged data theft
ShinyHunters Claims Data Breaches at Panera Bread, CarMax, Edmunds, and More
461
CRITICAL-95
PANEDMCAR1769547392
The extortion group ShinyHunters has alleged large-scale data theft from multiple organizations, including Panera Bread, CarMax, and Edmunds, as part of a broader campaign targeting corporate credentials. According to claims reviewed by The Register and shared on the dark web, the group exfiltrated over 14 million records from Panera Bread, including names, email addresses, phone numbers, and account details, totaling 760 MB of compressed data. CarMax and Edmunds were also reportedly breached, with 500,000+ records (1.7 GB) and "millions" of records (12 GB), respectively, containing similar personally identifiable information (PII).
ShinyHunters stated it accessed Panera’s systems via a Microsoft Entra single-sign-on (SSO) code, while the CarMax and Edmunds breaches stemmed from earlier, unrelated intrusions. The group’s claims align with previous activity by Scattered Lapsus$ Hunters, a linked threat actor that posted CarMax data on a now-defunct leak site last fall, citing compromises in Salesforce environments.
The campaign extends beyond these three companies. Last week, ShinyHunters added Crunchbase, SoundCloud, and Betterment to its list of victims, claiming over 50 million records stolen in total. Access to Crunchbase and Betterment was reportedly gained through voice-phishing attacks targeting Okta SSO credentials, a tactic Okta warned about in recent advisories. Betterment confirmed an unauthorized intrusion on January 9, where attackers used social engineering to access third-party marketing platforms and send fraudulent crypto-related messages to customers.
Security researchers have observed the group’s expanding operations. Silent Push reported that ShinyHunters’ latest credential-stealing campaign targeted around 100 organizations in the past 30 days, though it remains unconfirmed how many attacks succeeded. Meanwhile, Mandiant is tracking a "new, ongoing ShinyHunters-branded campaign" leveraging voice-phishing to harvest SSO credentials.
None of the named companies (Panera Bread, CarMax, Edmunds, Crunchbase, or Betterment) has publicly responded to the claims. Microsoft and Google stated they had no indication their products were directly affected by the phishing campaign. The incidents underscore the growing threat of social engineering attacks bypassing multi-factor authentication (MFA) to compromise corporate systems.
JANUARY 2026: 632
Breach
01 Jan 2026 • Edmunds
Edmunds: Data of 146K users leaked as hackers claim Edmunds breach
Edmunds Data Breach Exposes 146K User Records in ShinyHunters Attack
555
CRITICAL-77
EDM1769511727
The notorious cybercrime group ShinyHunters has claimed responsibility for a data breach at Edmunds, a major U.S.-based car shopping platform, allegedly exposing sensitive user information. According to a post on a popular data leak forum, the breach occurred in January 2026, with attackers releasing a sample of 186,000 unique email records, though the full dataset reportedly affects 146,000 users.
Security researchers at Cybernews analyzed the leaked data and confirmed its legitimacy. The exposed information includes account passwords, some of which were poorly secured: either stored in base64 hashes (a weak encryption method long discouraged by experts) or left unhashed entirely. The presence of duplicate passwords suggests the actual number of compromised credentials may be lower than claimed.
ShinyHunters, known for high-profile breaches including last year’s Salesforce CRM attack that enabled large-scale data theft across multiple organizations, could exploit the stolen data for credential stuffing, account takeovers, or social engineering attacks. Given password reuse habits, exposed credentials may grant attackers access to other services beyond Edmunds.
Edmunds, owned by used-vehicle retailer CarMax, serves hundreds of thousands of users. The company has not yet responded to requests for comment. The breach underscores persistent risks tied to weak password storage and the far-reaching consequences of credential leaks in an era of rampant cybercrime.
DECEMBER 2025: 632
NOVEMBER 2025: 683
OCTOBER 2025: 682
SEPTEMBER 2025: 679
Breach
01 Sep 2025 • Edmunds
OkCupid, Match, CarMax and Edmunds.com: ShinyHunters ramp up new vishing campaign with 100s in crosshairs
ShinyHunters Expands Vishing Campaign Targeting High-Value Organizations with Advanced Phishing Kits
622
CRITICAL-57
CAREDMMAT1769740948
Okta researchers have uncovered a surge in voice-based social engineering attacks linked to the notorious extortion group ShinyHunters (also tracked as UNC6040), which has targeted over 100 high-value organizations in the past month. The group’s latest campaign leverages real-time phishing kits and hybrid vishing techniques to bypass multi-factor authentication (MFA) and steal credentials, session tokens, and sensitive data.
### How the Attack Works
ShinyHunters employs "Live Phishing Panels", automated tools that enable man-in-the-middle (MitM) attacks on login sessions. Attackers impersonate IT support, guiding victims through fake MFA prompts while dynamically adjusting phishing pages to match legitimate authentication flows. For example:
- If a victim receives a push notification, the attacker instructs them to expect it, then manipulates the phishing site to display a fake confirmation.
- If the MFA method requires a one-time code, the attacker either provides the correct number (obtained in real time from the legitimate site) or modifies the phishing page to display it.
This approach defeats even push-based MFA, which was designed to counter automated phishing attacks.
### Recent Data Breaches Linked to ShinyHunters
The group has claimed responsibility for data leaks from multiple companies, including:
- Dating apps: Hinge, Match, OkCupid, and Bumble (though Match Group stated no financial or login data was compromised).
- Other victims: SoundCloud, CrunchBase, Betterment, CarMax, Edmunds.com, and Panera Bread.
While the exact breach methods remain unconfirmed, researchers note the attacks align with ShinyHunters’ known tactics, including:
- Credential theft via phishing kits.
- Session token hijacking for SSO platforms like Okta.
- Data exfiltration from SaaS applications.
### Broader Impact & Response
Okta’s advisory highlights a rise in similar attacks targeting Okta, Microsoft, and Google accounts, driven by commercial phishing kits optimized for voice-based social engineering. Cybersecurity firm Hudson Rock confirmed the leaked data matches ShinyHunters’ previous claims, reinforcing the group’s credibility.
Companies are advised to:
- Verify IT support calls through official channels.
- Audit SSO provider logs for suspicious device enrollments or new IP logins.
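One way to run the log audit recommended above, as an added example that is not from Okta's advisory or from this page's source: it flags MFA device enrollments from an IP a user has never used, logins that follow such an enrollment, and logins from new IPs. The event schema, field names, and 30-minute window are assumptions, and the events are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema
# (not any SSO vendor's real log format).
EVENTS = [
    {"ts": "2026-01-05T09:00:00", "user": "alice", "type": "login", "ip": "198.51.100.10"},
    {"ts": "2026-01-06T09:02:00", "user": "alice", "type": "login", "ip": "198.51.100.10"},
    {"ts": "2026-01-07T14:30:00", "user": "alice", "type": "mfa_enroll", "ip": "203.0.113.77"},
    {"ts": "2026-01-07T14:34:00", "user": "alice", "type": "login", "ip": "203.0.113.77"},
    {"ts": "2026-01-05T08:00:00", "user": "bob", "type": "login", "ip": "198.51.100.20"},
    {"ts": "2026-01-08T08:05:00", "user": "bob", "type": "mfa_enroll", "ip": "198.51.100.20"},
    {"ts": "2026-01-09T11:00:00", "user": "bob", "type": "login", "ip": "192.0.2.44"},
]

# Assumed correlation window between an enrollment and the login that uses it.
FOLLOW_WINDOW = timedelta(minutes=30)

def audit(events):
    """Return (severity, user, reason, ts) findings in time order."""
    seen_ips = defaultdict(set)   # user -> IPs already observed for that user
    risky_enroll = {}             # user -> (time, ip) of last new-IP enrollment
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user, ip = ev["user"], ev["ip"]
        # A user's very first event only seeds the baseline; it is never "new".
        new_ip = bool(seen_ips[user]) and ip not in seen_ips[user]
        if ev["type"] == "mfa_enroll" and new_ip:
            findings.append(("high", user, "device enrolled from new IP", ev["ts"]))
            risky_enroll[user] = (ts, ip)
        elif ev["type"] == "login":
            prior = risky_enroll.get(user)
            if prior and prior[1] == ip and ts - prior[0] <= FOLLOW_WINDOW:
                findings.append(("high", user, "login right after new-IP enrollment", ev["ts"]))
            elif new_ip:
                findings.append(("medium", user, "login from new IP", ev["ts"]))
        seen_ips[user].add(ip)
    return findings

if __name__ == "__main__":
    for finding in audit(EVENTS):
        print(*finding, sep=" | ")
```

An enrollment from an already-known IP (bob's in the sample) is not flagged here, so in a vishing scenario this check is a complement to, not a replacement for, verifying the support call itself.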
ShinyHunters, active since 2020, has a history of breaching major brands, often through employee account compromise. The latest campaign suggests an expansion of targets, with potential for further data leaks.
AUGUST 2025: 738
Breach
19 Aug 2025 • Edmunds
Edmunds.com
Edmunds.com Data Breach Involving Proprietary Messaging Tool
678
CRITICAL-60
EDM2371423112725
On August 19, 2025, Edmunds.com suffered a data breach involving its proprietary messaging tool used by automobile dealers and customers. The breach, detected by a third-party vendor, exposed seventeen text messages containing personally identifiable information (PII), including names, Social Security numbers, credit card details, and driver’s license information. The compromised data belonged to individuals engaged in vehicle purchase communications, posing risks of identity theft and financial fraud. While the breach was limited in volume, the sensitivity of the exposed data—particularly SSNs and financial records—heightens the potential for severe consequences, including unauthorized account access, credit fraud, and long-term identity exploitation. Edmunds responded by offering 24 months of credit monitoring, dark web surveillance, $1M identity theft insurance, and recovery services to affected individuals. The delayed disclosure (reported to authorities on November 14, 2025) and the nature of the stolen data underscore significant reputational and financial risks for both the company and its customers.
JULY 2025: 737
JUNE 2021: 759
Breach
16 Jun 2021 • Edmunds
Edmunds.com, Inc.
Edmunds.com, Inc. Data Breach (2025)
702
CRITICAL-57
EDM4770847112725
Edmunds.com, a leading automotive information platform acquired by CarMax in 2021, experienced a data breach on August 19, 2025, due to unauthorized access to a vendor-operated messaging system used by car dealers and customers. The breach exposed highly sensitive personally identifiable information (PII), including names, Social Security numbers, credit card details, and driver’s license information of affected individuals. While no immediate misuse was confirmed, the exposure of such data poses severe risks of identity theft, financial fraud, and long-term reputational harm to victims. Edmunds offered 24-month credit monitoring and identity protection services via IDX, but the incident has prompted a class-action lawsuit investigation by Shamis & Gentile P.A., as victims may be entitled to compensation for damages, lost time, and inconvenience. The breach underscores vulnerabilities in third-party vendor systems and the critical need for robust data protection measures in industries handling consumer financial and personal data.