ShinyHunters Strikes Again: A Trail of High-Profile Leaks and "Vishing" Chaos in 2026

ShinyHunters Strikes Again: A Trail of High-Profile Leaks and "Vishing" Chaos in 2026

The notorious threat collective ShinyHunters (tracked by Mandiant as UNC6240) has officially ended its brief hiatus, unleashing a wave of data dumps and sophisticated extortion campaigns that have hit everything from luxury retail to massive tech hubs.

In the last 48 hours, the group has dominated dark web headlines, proving that even after high-profile arrests in previous years, the "Shiny" brand remains one of the most effective—and dangerous extortion machines in the ecosystem.

The Valentine's Day Leak: Canada Goose in the Crosshairs

Over the weekend, ShinyHunters published a 1.67 GB dataset on their Tor leak site, allegedly containing over 600,000 customer records from luxury outwear brand Canada Goose.

The leaked data includes:

The Plot Twist: Canada Goose has publicly denied a fresh breach of their internal systems.

The company claims the data originates from a "historical dataset" of past transactions.

However, for the affected users, the distinction is minor; the data is out there, and it is ripe for highly targeted spear-phishing.

Beyond Retail: The SaaS and "Dating App" Spree

Canada Goose is just the latest trophy.

Since January 2026, ShinyHunters has been on an absolute tear, claiming successful hits on:

The Technical Edge: "Live Phishing" and Vishing

What makes the 2026 version of ShinyHunters particularly lethal is their move away from complex software exploits in favor of social engineering at scale.

According to reports from Okta and Mandiant, the group is utilizing "Live Phishing Panels" combined with phishing (voice phishing).

The attack flow is a masterclass in psychological manipulation:

"This isn't a vulnerability in the software; it's a vulnerability in the workflow," says one security researcher.

"They are orchestrating the browser session live while talking the victim through it."

Hacklido Analysis: The Identity-Centric Threat

For the Hacklido community, the takeaway is clear: Traditional MFA (SMS and Push) is no longer a "hard" defense.

ShinyHunters has industrialized the bypass of these controls.

The Collaboration: Intelligence suggests ShinyHunters may be collaborating with members of Scattered Spider and Lapsus$ under a new umbrella collective sometimes referred to as SLSH (Scattered LAPSUS$ Hunters).

The Focus on SaaS: The group is targeting Salesforce, Microsoft 365, and Slack specifically because these platforms hold the "crown jewels" of corporate intelligence—contracts, internal Slack logs, and PII.

How to Protect Your Perimeter

If you are defending an enterprise environment in 2026, the standard playbook needs an update: Team Hacklido ❤️ Join our Community – https://t.me/hacklido