Snowflake Customer Campaign (2024)

In mid-2024, ShinyHunters exploited stolen contractor credentials — not a vulnerability in Snowflake's platform itself — to access cloud data belonging to Snowflake customers. This campaign resulted in the theft and sale of data from Ticketmaster (560M records), Santander Bank (30M records), AT\&T (109M call records — AT\&T paid a $370,000 ransom to delete the data), Neiman Marcus (31M records), and dozens of other organizations. The group used a distinctive tool signature called "RapeFlake" during this operation.

Salesloft/Drift Salesforce Campaign — Largest SaaS Breach in History (Aug–Sep 2025)

ShinyHunters used the TruffleHog open-source security tool to scan source code repositories, discovering OAuth tokens for the Salesloft Drift email platform. Using those tokens, the group accessed approximately 760 Salesforce customer organizations between August 8–18, 2025, exfiltrating roughly 1.5 billion records across Account, Contact, Case, Opportunity, and User data tables. Confirmed victims included Cloudflare, Workiva, Zscaler, Tenable, CyberArk, Elastic, BeyondTrust, Proofpoint, JFrog, Rubrik, Cato Networks, and Palo Alto Networks. Google's Threat Intelligence team tracked this activity as UNC6395 and confirmed awareness of over 700 potentially impacted organizations.

Gainsight Salesforce Campaign (Nov 2025)

In a near-identical follow-up, ShinyHunters stole OAuth tokens from Gainsight's Salesforce integration and accessed approximately 285 Salesforce instances (200+ confirmed by Google). Victims included Atlassian, DocuSign, F5, GitLab, Malwarebytes, SonicWall, Thomson Reuters, and Verizon. Salesforce revoked all associated OAuth tokens and temporarily removed related AppExchange applications during the incident.

Okta SSO / Enterprise Vishing Campaign (Jan 2026)

Operating as UNC6661 and UNC6671, ShinyHunters impersonated IT support staff to trick employees at targeted organizations into entering Okta SSO credentials and MFA codes on custom victim-branded phishing portals. Post-access, attackers exfiltrated data from SharePoint, OneDrive, Salesforce, and Slack. In some incidents, the ToogleBox Recall Gmail add-on was silently authorized to delete MFA enrollment notification emails. Confirmed victims include Wynn Resorts, Odido, Panera Bread, Betterment, Grubhub, Harvard University, Princeton University, and University of Pennsylvania.

Salesforce Aura Exploitation Campaign (Mar 2026)

In March 2026, Salesforce issued a security advisory warning of a "known threat group" exploiting misconfigurations in Salesforce Experience Cloud (Aura). ShinyHunters claimed responsibility on their DLS, warning approximately 400 victim companies — including Snowflake, Okta, LastPass, and Salesforce itself — to pay or face data leaks. The group used a modified version of Google's AuraInspector Chrome extension alongside a custom-developed scanning tool. The user-agent string "RapeForce" was observed, mirroring the earlier Snowflake campaign's "RapeFlake" signature.

Instructure/Canvas Breach (Apr–May 2026)

ShinyHunters exploited previously-stolen credential tokens from Anodot to gain access to Instructure's Free-for-Teacher environment — related to support ticket handling — and steal 275 million records (3.65TB of data) from Canvas, one of the world's most widely used learning management systems used by more than 9,000 institutions. After a second wave of unauthorized access on May 7, 2026 defaced Canvas login portals at approximately 330 institutions with extortion messages, Instructure reached a ransom agreement with the group by May 12, 2026 to prevent data leakage. The company confirmed no passwords or course content were compromised.