Tracking the Expansion of ShinyHunters SaaS Data Theft - Seguridad Mania.com - España y América Latina

Over the past several months, the threat clusters associated with the ShinyHunters cybercriminal brand have dramatically shifted their focus from traditional perimeter breaches to the aggressive targeting of identity providers and SaaS integrations. By leveraging sophisticated voice phishing (vishing) and victim-branded credential harvesting sites, these actors are successfully bypassing traditional multi-factor authentication (MFA) to compromise single sign-on (SSO) credentials and hijack high-value OAuth tokens. In this briefing, on April 16, 2026 at 1:00 p.m. Eastern/10:00 a.m. Pacific, we will provide a look at the evolution of these financially motivated campaigns. This session will cover: -An overview of the actors behind the ShinyHunters brand, including the tactics, techniques, and procedures (TTPs) of clusters like UNC6040, UNC6661, and UNC6240. -The group's shift toward the SaaS supply chain where stolen OAuth tokens were used to exfiltrate data from Salesforce, Snowflake, and Google Workspace. -How the actors use vishing to masquerade as IT helpdesk staff to trick employees into authorized malicious device enrollments or data loader connections. -The escalation of extortion tactics, which now include ransom demands exceeding $20 million in Bitcoin and threats of physical harassment or swatting against victim personnel. -Strategic defense strategies for the retail and hospitality sectors focusing on moving toward phishing-resistant MFA like FIDO2 security keys and implementing strict app authorization policies. CPE Credit 1 Group A CPE Credit