ShinyHunters-Linked Cybercrime Campaign Targets Over 100 Major Organizations A recent cybercrime campaign attributed to the ShinyHunters group has targeted at least 100 organizations across multiple sectors, including software, finance, healthcare, and energy, according to cybersecurity firm Silent Push. Over the past 30 days, threat actors registered fake domains impersonating high-profile companies such as Atlassian, Adyen, Canva, Epic Games, HubSpot, Moderna, ZoomInfo, GameStop, WeWork, Halliburton, Sonos, and Telstra. The attackers employed voice phishing (vishing) tactics to compromise single sign-on (SSO) accounts, particularly those using Okta and other identity platforms. Using specialized phishing kits, they intercepted credentials and manipulated victims into bypassing multi-factor authentication (MFA) by convincing them to approve push notifications or submit one-time passcodes (OTPs). Okta described the attacks as involving real-time session orchestration, where threat actors guided victims through the authentication process via verbal instructions. While Silent Push identified the infrastructure used in the campaign, it remains unclear whether the attacks successfully breached any systems. However, ShinyHunters has claimed responsibility for data breaches at companies like Betterment, Crunchbase, and SoundCloud, all of which confirmed incidents. The group allegedly stole millions of records from these organizations as part of the Okta SSO vishing campaign. Silent Push attributes the campaign to Scattered LAPSUS$ Hunters, a collective formed last year by members of Lapsus$, Scattered Spider, and ShinyHunters, based on observed tactics, techniques, and procedures (TTPs). The incident follows recent warnings from Google and others about rising vishing and phishing attacks targeting identity platforms.

A security breach has exposed the financial and personal data of Gamestop's online customers. Clients received postal letters from the corporation, which also stated that the credit card or bank card information of an unspecified number of online clients had been compromised. Hackers gained access to names, addresses, card numbers, expiration dates, and the three-digit card verification values (CVV2). The corporation claims that neither retail customers nor the PoS systems at the company stores were compromised by the security vulnerability."

GameStop.com website suffered from a data breach incident in February 2017. The compromised information includes customer card number, expiration date, name, address and card verification value (CVV2), usually a 3-digit security code printed on the backs of credit cards. They immediately reported the incident to the bank that issued the card because payment card network rules generally state that cardholders were not responsible for unauthorized charges.

The Washington State Office of the Attorney General reported a data breach involving GameStop, Inc. on June 5, 2017. The breach occurred due to unauthorized access to its computer network, potentially exposing the personal and financial information of 27,956 Washington residents between August 10, 2016, and February 9, 2017.