Investigation Links ShinyHunters to Broad Vishing Campaign Targeting Over 100 Organizations

🇺🇸United States🇦🇺Australia🇳🇱Netherlands

Software & TechnologyFinancial ServicesBiotech & PharmaReal EstateEnergy & UtilitiesHealthcareLogistics & TransportationManufacturingRetailInsurance

Tue, Jan 27, 2026

A security firm tracing suspicious domains and operational fingerprints reports a coordinated phishing and vishing operation that focused on at least 100 organisations over about a month, spanning technology, finance, healthcare, energy and other sectors. Investigators observed infrastructure intended to impersonate corporate services and intercept employee credentials; the attackers relied heavily on telephone-based social engineering to pressure account owners into bypassing protections. The technical core of the campaign was browser-resident scripts and specialised phishing toolkits that permitted operators to steer active authentication sessions while engaging the victim by voice, increasing the likelihood that push prompts would be approved or one-time codes disclosed. Researchers linked portions of the activity to a public-facing leak group known for publishing stolen data and attribute parts of the operation to a hybrid collective formed from prior extortion and access-for-sale groups. Several well-known companies were identified as targets; some later reported records released by the actors, though not every claimed intrusion has been independently corroborated by forensic teams. Platform vendors and identity providers have flagged similar attack chains before, noting that bespoke phishing kits now automate credential capture and session orchestration. Complicating the picture, investigators also pointed to a contemporaneous but separate disclosure of an unsecured infostealer cache containing an estimated 149 million username/password pairs exfiltrated from compromised endpoints. That dataset—spanning consumer email, social media, streaming services and many cryptocurrency-related accounts—underscores how device-level compromise supplies attackers with the raw material for credential stuffing and makes social-engineering lures more convincing. Analysts warn the two trends are complementary: endpoint-derived credential caches feed bulk and targeted attacks, while live vishing and session manipulation convert contextual knowledge into immediate account takeover. Because some data releases remain publicly accessible, response efforts are strained by the need to remediate both compromised sessions and broad re-use of credentials across services. The incident shifts the emphasis for defenders from focusing solely on anomalous logins to integrating telephony-fraud signals, endpoint telemetry and transaction-level fraud detection into authentication monitoring. Organisations that rely on federated identity and SSO are particularly exposed, since a successful real-time orchestration attack can grant wide downstream access; defenders are urged to prioritise hardware-backed MFA, endpoint hygiene, session revocation, and proactive scanning for exposed credentials in underground markets.

PREMIUM ANALYSIS

Read Our Expert Analysis

Create an account or login for free to unlock our expert analysis and key takeaways for this development.

By continuing, you agree to receive marketing communications and our weekly newsletter. You can opt-out at any time.

Free Access

No Payment Needed

Join Thousands of Readers

Recommended for you

Cybersecurity

Global cyber-espionage campaign breaches sensitive targets in 37 countries

A coordinated, long-duration hacking campaign has established persistent access to high-value government and diplomatic networks in 37 countries, prioritizing intelligence collection over immediate disruption. The operation leverages polymorphic tooling, credential harvesting and social-engineering techniques that complicate detection and raise urgent needs for identity-focused defenses and cross-border incident coordination.

Cybersecurity

Dutch intelligence warns Russian campaign targeting Signal and WhatsApp

Dutch intelligence agencies alert that Russian-linked actors are employing support-chat impersonation to harvest recovery codes and PINs for Signal and WhatsApp , while separate Russian notices and provider actions underline a broader pattern: adversaries exploit both account-recovery flows and metadata, and defensive throttling or authentication measures can themselves produce short-term operational disruptions.

Cybersecurity

U.S. Panera Bread Customer Data Dumped After ShinyHunters Exploit Microsoft Entra SSO

ShinyHunters published a large archive of customer contact data it says was taken from Panera Bread after a failed extortion attempt, claiming about 5.1 million unique email addresses within an asserted 14 million-record haul. Researchers say the Panera intrusion matches a wider, telephone-based social-engineering trend—real-time vishing paired with browser phishing toolkits—and a separate unsecured infostealer cache of roughly 149 million credentials that together amplify risks of credential stuffing and targeted account takeover.

Cybersecurity

Moonlock Lab: ClickFix Campaigns Leverage Fake VCs and Extension Hijack

Researchers link a coordinated ClickFix-style campaign that combines professional-identity impersonation with hijacked browser extensions to trick victims into pasting and executing clipboard payloads; the delivery chain has been observed installing a Python RAT on selected enterprise hosts and affected an estimated 7,000 extension users. The episode highlights converging supply‑chain and social‑engineering playbooks — from fake VC recruiting pages to crash‑then‑paste extension tricks — and calls for stronger extension vetting, developer-account controls and clipboard/shell telemetry.

Cybersecurity

Massive 149M credential trove exposes risks from infostealer malware to crypto and government accounts

A researcher found a publicly accessible collection of roughly 149 million stolen logins harvested by credential-stealing malware, including hundreds of thousands tied to major crypto platforms and numerous government-related accounts. The exposure stems from infected end-user devices rather than platform breaches, but it raises urgent questions about account hygiene, phishing risk, and detection across the crypto and social-media ecosystems.

Cybersecurity

Global: Over 1,400 Internet‑Accessible MongoDB Instances Compromised in Low‑Value Extortion Campaign

Threat researchers at Flare found roughly 1,416 publicly reachable MongoDB instances altered by an extortion campaign that replaced data with payment demands. Although attackers sought about $500 per victim in cryptocurrency, blockchain checks show only around $400 in receipts, indicating limited financial success despite wide exposure.

Cybersecurity

Google flags intensifying cyber campaigns against the global defense supply chain

Google’s Threat Intelligence Group alerts that coordinated cyber campaigns against firms and personnel in the defense industrial base are increasing, combining long‑dwell implants, commodity exploit reuse, and LLM-assisted social engineering. The advisory urges identity‑first controls, extended cross‑domain telemetry to suppliers and staff, hardware-backed MFA and governed agentic automation to shorten attackers’ windows and blunt supply‑chain impact.

Cybersecurity

Madison Square Garden confirms breach linked to Oracle EBS campaign

Madison Square Garden has confirmed a customer data breach tied to the Oracle E-Business Suite intrusion campaign that targeted over one hundred enterprises; personally identifiable information including Social Security numbers was reportedly exposed. The incident traces to an August 2025 exfiltration, public naming by the extortion group in November, and notification activity by MSG in early 2026 — amplifying risks for organizations using hosted Oracle EBS instances.