The "traditional" ransomware playbook—encrypting servers and demanding a ransom for the key—is increasingly taking a backseat to a more surgical, identity-focused threat. This week, the cybersecurity community is dissecting a massive wave of data theft claims from the ShinyHunters group (often associated with the "Scattered LAPSUS$ Hunters" banner).
The headline figures are staggering: the cybercriminal group claims to have exfiltrated 10 million records from Match Group (owners of Tinder, Hinge, and OkCupid) and 14 million records from the bakery-café giant Panera Bread.
But for security professionals, the real story isn't just the volume of data; it's the method of entry and the expanding radius of the blast zone.
Reports from Mandiant and Microsoft indicate that these breaches are part of a broader, ongoing campaign targeting more than 100 organizations. The attackers aren't exploiting zero-day software vulnerabilities; they are exploiting the human element through sophisticated "vishing" (voice phishing).
The TTPs (Tactics, Techniques, and Procedures) are as follows:
- Vishing: Attackers call employees pretending to be IT or Help Desk staff, claiming a need to "update MFA settings" or "troubleshoot SSO issues."
- Real-time phishing kits: They direct victims to look-alike login portals (e.g., sso-company-internal.com). These portals run real-time (adversary-in-the-middle) kits that relay the victim's credentials and MFA response to the legitimate SSO portal as they are typed, so the attacker ends up holding a valid session token rather than just a password.
- MFA bypass: By capturing the session token, or by "MFA bombing" (inundating a user with push notifications until they tap "Approve"), they bypass push- and code-based multi-factor authentication.
- Lateral movement in SaaS: Once inside the Single Sign-On (SSO) environment (Okta, Microsoft Entra), they move laterally into SaaS applications (Slack, Google Drive, Salesforce, AppsFlyer) to harvest PII and internal documents.
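The two patterns above (a push-bombing sequence followed by an approval, and a freshly minted session that immediately bulk-exports from several SaaS apps) are both visible in ordinary SSO and SaaS audit logs. The following detection logic is an added example written for this article, not code from the article, Mandiant, Microsoft or any vendor quoted here. The event schema, field names, thresholds, IP baseline and the sample events are all constructed assumptions; real Okta, Entra or SaaS logs use different field names that you would map onto this shape first.

```python
"""Two ITDR-style detections over constructed SSO/SaaS audit events.

Added example (not from the article or any vendor). Event schema, thresholds,
the IP baseline and every event below are assumptions made up for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample events: (timestamp, user, event_type, outcome, client_ip, detail).
# jdoe is push-bombed, approves from an unknown IP, and the resulting session
# bulk-exports from three SaaS apps. asmith is a normal login from a baseline IP.
EVENTS = [
    ("2026-02-09T09:00:05Z", "jdoe", "mfa.push.challenge", "DENIED", "203.0.113.7", "push"),
    ("2026-02-09T09:00:41Z", "jdoe", "mfa.push.challenge", "TIMEOUT", "203.0.113.7", "push"),
    ("2026-02-09T09:01:20Z", "jdoe", "mfa.push.challenge", "DENIED", "203.0.113.7", "push"),
    ("2026-02-09T09:02:02Z", "jdoe", "mfa.push.challenge", "DENIED", "203.0.113.7", "push"),
    ("2026-02-09T09:02:50Z", "jdoe", "mfa.push.challenge", "APPROVED", "203.0.113.7", "push"),
    ("2026-02-09T09:03:10Z", "jdoe", "sso.session.start", "SUCCESS", "203.0.113.7", "sess-A1"),
    ("2026-02-09T09:05:00Z", "jdoe", "saas.file.export", "SUCCESS", "203.0.113.7", "sess-A1:gdrive"),
    ("2026-02-09T09:05:30Z", "jdoe", "saas.file.export", "SUCCESS", "203.0.113.7", "sess-A1:gdrive"),
    ("2026-02-09T09:06:00Z", "jdoe", "saas.file.export", "SUCCESS", "203.0.113.7", "sess-A1:salesforce"),
    ("2026-02-09T09:06:20Z", "jdoe", "saas.file.export", "SUCCESS", "203.0.113.7", "sess-A1:salesforce"),
    ("2026-02-09T09:07:00Z", "jdoe", "saas.file.export", "SUCCESS", "203.0.113.7", "sess-A1:slack"),
    ("2026-02-09T09:07:45Z", "jdoe", "saas.file.export", "SUCCESS", "203.0.113.7", "sess-A1:gdrive"),
    ("2026-02-09T09:10:00Z", "asmith", "mfa.push.challenge", "APPROVED", "198.51.100.20", "push"),
    ("2026-02-09T09:10:30Z", "asmith", "sso.session.start", "SUCCESS", "198.51.100.20", "sess-B7"),
    ("2026-02-09T09:12:00Z", "asmith", "saas.file.export", "SUCCESS", "198.51.100.20", "sess-B7:gdrive"),
]

# Assumed per-user IP baseline (in practice built from prior weeks of sign-ins).
KNOWN_IPS = {"jdoe": {"198.51.100.20"}, "asmith": {"198.51.100.20"}}


def detect_push_fatigue(events, window=timedelta(minutes=10), min_rejected=3):
    """Flag an APPROVED push preceded by >= min_rejected denied/timed-out pushes
    for the same user inside the window: the 'MFA bombing' signature."""
    by_user = defaultdict(list)
    for ts, user, etype, outcome, ip, _ in events:
        if etype == "mfa.push.challenge":
            by_user[user].append((parse_ts(ts), outcome, ip))
    alerts = []
    for user, pushes in by_user.items():
        pushes.sort()
        for i, (ts, outcome, ip) in enumerate(pushes):
            if outcome != "APPROVED":
                continue
            rejected = [p for p in pushes[:i] if p[1] != "APPROVED" and ts - p[0] <= window]
            if len(rejected) >= min_rejected:
                alerts.append({"rule": "push_fatigue", "user": user, "ip": ip,
                               "rejected_before_approval": len(rejected), "at": ts.isoformat()})
    return alerts


def detect_bulk_export(events, known_ips, window=timedelta(minutes=30), min_exports=5):
    """Flag a session from a non-baseline IP that exports >= min_exports objects
    within the window of its start. Each export is within the identity's
    permissions; only volume plus context makes it anomalous."""
    sessions = {}                      # session id -> (user, ip, start time)
    exports = defaultdict(list)        # session id -> export timestamps
    for ts, user, etype, outcome, ip, detail in events:
        if etype == "sso.session.start" and outcome == "SUCCESS":
            sessions[detail] = (user, ip, parse_ts(ts))
        elif etype == "saas.file.export" and outcome == "SUCCESS":
            exports[detail.split(":", 1)[0]].append(parse_ts(ts))
    alerts = []
    for sid, times in exports.items():
        if sid not in sessions:
            continue
        user, ip, start = sessions[sid]
        in_window = [t for t in times if timedelta(0) <= t - start <= window]
        if len(in_window) >= min_exports and ip not in known_ips.get(user, set()):
            alerts.append({"rule": "bulk_export_new_ip", "user": user, "session": sid,
                           "ip": ip, "exports": len(in_window)})
    return alerts


def run_detections(events, known_ips):
    return detect_push_fatigue(events) + detect_bulk_export(events, known_ips)


if __name__ == "__main__":
    for alert in run_detections(EVENTS, KNOWN_IPS):
        print(alert)
```

On the constructed input, the first rule fires once for jdoe (four rejected pushes before the approval) and the second fires once for session sess-A1 (six exports within minutes of a session that started from an IP outside the baseline); asmith triggers neither. The value of correlating the two is that a push-fatigue alert alone is easy to dismiss as a user fumbling their phone, while a new-IP session that immediately fans out across Drive, Salesforce and Slack is the "signing in, not breaking in" pattern the rest of this article describes.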
For Match Group and Panera Bread, this is a "SaaS breach" rather than a traditional network breach: the attackers never needed a foothold on the corporate network, only a valid identity.
- Internal exposure: Beyond customer data, ShinyHunters claims to have stolen "hundreds of internal documents." For a corporation, this can include strategic roadmaps, legal communications, and sensitive employee data, providing a blueprint for future social engineering or corporate espionage.
- Legal & regulatory fallout: Panera is already facing a proposed class-action lawsuit (filed in late January 2026) alleging negligence in protecting customer data. Following its previous 2024 breach, the company's "repeat offender" status could lead to much higher regulatory fines and settlement costs.
- Reputational fragility: Match Group's brands rely on user trust regarding deeply personal interactions. While they maintain that "private chats" were not accessed, the mere association of a dating profile with a data leak can be enough to drive users away from a platform.
If your organization relies on SSO and SaaS—which is to say, almost everyone—the ShinyHunters campaign is another wake-up call.
- From hygiene to identity: Traditional "patching" won't save you here; no software vulnerability was exploited. The priority must shift to Identity Threat Detection and Response (ITDR): monitoring sign-in, MFA, session and SaaS-access events for abuse of valid identities.
- Phishing-resistant MFA: Security teams must accelerate the transition to FIDO2-compliant hardware keys or passkeys. Push-based and code-based MFA is no longer enough to stop a determined social engineer, because whatever the user approves or types can be relayed in real time; a FIDO2 credential is bound to the site's origin, so a look-alike domain cannot obtain a usable assertion.
- Monitoring "Shadow SaaS": This campaign highlights how attackers use API integrations and SaaS-to-SaaS connections to exfiltrate data quietly without ever touching the internal corporate network.
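To make the phishing-resistance point concrete, here is an added example (not code from the article, from any vendor quoted in it, or from a real WebAuthn library) that models the part of the FIDO2/WebAuthn flow that defeats a real-time relay: the browser, not the page, writes the origin and the rpId hash into what gets signed, and the authenticator only answers for credentials scoped to the page's own domain. A keyed HMAC stands in for the authenticator's asymmetric signature, the rpId is simplified to the full host (real WebAuthn also permits a registrable-domain suffix), and sso.company.example is an assumed "real" SSO host; sso-company-internal.com is the look-alike domain from the article.

```python
"""Why an assertion obtained through a look-alike portal cannot log in to the real SSO.

Added illustration, not code from the article, any vendor or a WebAuthn library.
Assumptions: HMAC stands in for the authenticator's public-key signature; rpId is
taken to be the full host; the domain names are made up / the article's example.
"""
import hashlib
import hmac
import json
import os

REAL_ORIGIN = "https://sso.company.example"            # assumed real SSO origin
PHISH_ORIGIN = "https://sso-company-internal.com"      # look-alike from the article


def rp_id_for_origin(origin):
    """The browser only lets a page use an rpId it is allowed to claim (here: its host)."""
    return origin.split("://", 1)[1].split("/", 1)[0]


def register(rp_id):
    """At registration the credential is scoped to exactly one rpId."""
    return {"rp_id": rp_id, "key": os.urandom(32)}


def get_assertion(cred, browser_origin, challenge):
    """Authenticator + browser side. The browser fills in origin and rpIdHash;
    the authenticator refuses if no credential is scoped to this page's rpId."""
    if cred["rp_id"] != rp_id_for_origin(browser_origin):
        return None                                    # nothing for the phisher to relay
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
        sort_keys=True).encode()
    auth_data = hashlib.sha256(cred["rp_id"].encode()).digest() + b"\x05"   # rpIdHash || flags
    to_sign = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred["key"], to_sign, hashlib.sha256).digest()          # stand-in signature
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


def verify(cred, expected_origin, expected_challenge, assertion):
    """Relying-party checks, in the order a WebAuthn server performs them."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return (False, "challenge mismatch")           # blocks replay of a captured assertion
    if cd.get("origin") != expected_origin:
        return (False, "origin mismatch")              # blocks anything minted on another site
    if assertion["auth_data"][:32] != hashlib.sha256(cred["rp_id"].encode()).digest():
        return (False, "rpIdHash mismatch")
    expected = hmac.new(cred["key"],
                        assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return (False, "bad signature")                # origin/challenge are covered by the signature
    return (True, "ok")


def run_scenarios():
    cred = register(rp_id_for_origin(REAL_ORIGIN))
    challenge = os.urandom(16).hex()                   # RP-issued, single use
    results = {}
    # 1. Genuine login from the real origin.
    genuine = get_assertion(cred, REAL_ORIGIN, challenge)
    results["legit"] = verify(cred, REAL_ORIGIN, challenge, genuine)
    # 2. AiTM relay: attacker forwards the real challenge to the victim on the look-alike.
    results["aitm_relay"] = get_assertion(cred, PHISH_ORIGIN, challenge)
    # 3. Attacker captured a genuine assertion earlier and replays it against a new challenge.
    results["replay"] = verify(cred, REAL_ORIGIN, os.urandom(16).hex(), genuine)
    # 4. Attacker rewrites the origin inside a captured assertion.
    tampered = dict(genuine)
    tampered["client_data"] = genuine["client_data"].replace(REAL_ORIGIN.encode(), PHISH_ORIGIN.encode())
    results["tampered_origin"] = verify(cred, REAL_ORIGIN, challenge, tampered)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Contrast this with a TOTP code or a push approval: both are just "yes" signals that carry no information about where the user was when they produced them, so the real-time kit at sso-company-internal.com can pass them straight through to the legitimate portal. The WebAuthn assertion never exists for the look-alike origin in the first place, and a captured one fails on the challenge or origin check before the signature is even examined.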
The consequences for customers depend heavily on the "flavor" of the data stolen.
- Panera customers: The risk here is primarily identity enrichment. Fourteen million records containing names, emails, and home addresses will be sold on dark web forums to help other criminals build more convincing phishing profiles. "Jane Q. Public" might receive a scam text that includes her home address, making it far more likely she'll believe it's a legitimate communication from her bank or a delivery service.
- Match Group users: The risk is personal and psychological. In the world of dating apps, data leaks can lead to doxxing or extortion. Even if "private chats" remain secure, knowing that someone was active on a specific dating app can be leveraged by malicious actors for harassment or "outing" individuals in sensitive personal or professional situations.
We asked experts from cybersecurity vendors for their perspectives.
Venky Raju, Field CTO at ColorTokens, said:
- "ShinyHunters have elevated vishing attacks to a new level of sophistication, successfully deceiving even experienced users. The urgency of a call from HR or IT can short-circuit normal caution, leading users to trust fake login pages. Because the attacker authenticates with the legitimate SSO portal in real time, even push-based MFA offers little protection. Organizations should move toward passwordless authentication methods such as passkeys or digital signature-based systems."
- "Identity-based lateral movement should be a wake-up call for SSO providers. With great power comes great responsibility—simply offering a menu of MFA options atop passwords is no longer enough. SSO vendors must lead by implementing strong, phishing-resistant passwordless authentication as the default."
Shane Barney, CISO at Keeper Security, said:
- "In campaigns like this, the initial compromise is not technical. It's procedural. An attacker convinces a user or help desk staff to take an action that is already permitted, such as approving an MFA prompt, resetting access or assisting with an SSO issue. That interaction enables the attacker to establish a valid authenticated session using captured credentials or tokens."
- "From that point forward, the attacker is not breaking into SaaS platforms. They are signing in. Accessing collaboration tools, exporting files or querying marketing and CRM systems often falls within the permissions the identity already has. Because those actions are legitimate for the account, they can blend into normal activity."
- "This is where detection becomes difficult. When identity misuse stays within assigned permissions, traditional rule-based alerts and retrospective log review often lack the context or timeliness needed to distinguish normal behavior from abuse. There may be no clear policy violation to flag, even as data is quietly collected over time."
- "The takeaway is not that MFA is ineffective. It's that recovery workflows, session duration, and post-login access often receive far less scrutiny than infrastructure. Once an identity is authenticated, many environments place few constraints on how that access is used over time, particularly across SaaS platforms."
- "Privileged Access Management (PAM) and AI-powered threat detection and response counter the identity-centric tactics used in campaigns like ShinyHunters by shrinking the blast radius and spotting abuse in real time. PAM enforces least-privilege access, just-in-time elevation, and strong authentication for admin and service accounts, so even if credentials or session tokens are stolen through vishing or MFA fatigue, attackers’ movements are limited within the organization."
- "Meanwhile, AI-driven detection analyzes behavioral signals to flag and act upon malicious activity in real time. Together, these controls turn identity from a single point of failure into a monitored, constrained surface, enabling security teams to detect, contain and revoke access before mass data exfiltration occurs."