In May 2026, three major consumer brands disclosed data breaches within weeks of each other: Charter Communications, Carnival Corporation and 7-Eleven. Three different sectors with a combined confirmed exposure of more than 6 million customer records, and one group behind all of it: ShinyHunters.
The FBI had issued warnings. Mandiant had published research on the vishing campaign. The attack chain had been documented step by step across multiple incidents going back years. And the group continued to hit new targets.
Three breaches, one month
Charter Communications confirmed its breach on May 26. The attack itself began April 1, when ShinyHunters used a voice phishing call to compromise a Charter employee's Microsoft Entra account, then used that access to export records from the company's Salesforce instance. Charter confirmed the breach but stated that no sensitive personal information or customer proprietary network information was exfiltrated. The group claimed 40 million records. Access is confirmed; the scope is disputed.
Carnival Corporation began notifying customers on May 27. The breach occurred on April 10, when an unauthorized actor compromised an employee account through a social engineering attack. The company identified the activity on April 14 and confirmed by April 22 that personal information had been copied. The 5,995,277 people notified had names, dates of birth, email addresses, genders, geographic locations, and Mariner Society loyalty program details exposed. ShinyHunters claimed 8.7 million records and terabytes of internal corporate data.
7-Eleven's breach became public in late May when Have I Been Pwned reported exposure of 185,300 unique records. The unauthorized access happened in early April, when ShinyHunters claimed to have breached 7-Eleven's Salesforce environment, taken more than 600,000 records, and published a 9.4GB archive after the company declined to pay. Exposed data included names, dates of birth, phone numbers, and physical addresses.
Key Facts
April 1 / confirmed May 26: Charter Communications. Vishing on Microsoft Entra account. Salesforce data exported. 40 million records claimed.
April 10 / confirmed May 27: Carnival Corporation. Social engineering on employee account. 5,995,277 customers notified. PII and loyalty program data exposed.
Early April / confirmed late May: 7-Eleven. Salesforce environment accessed. 185,300 confirmed records. 9.4GB archive published after ransom refused.
May 15, 2026: FBI issues public service announcement about ShinyHunters.
The playbook ShinyHunters keeps running
These three breaches are not isolated incidents. They are the latest entries in a much longer list. ShinyHunters has been running variations of the same attack since at least 2024, claiming more than 1.5 billion stolen Salesforce records across more than a thousand organizations. The group keeps using the same playbook because it keeps working.
The pattern has five steps. A phone call targets an employee, with the attacker impersonating IT support or a help desk. EclecticIQ's profile of the group documents the use of AI-powered voice platforms that generate convincing, real-time dialogue and adjust based on how the call develops. The employee, believing they are talking to internal IT, walks the attacker through authentication, including MFA.
Once inside, the compromised account's OAuth authorizations determine the blast radius. Any SaaS application that identity can reach is now reachable by the attacker. In some variants, the group uses OAuth device code phishing, which exploits the device authorization grant to trick targets into entering a code on a legitimate identity provider page. That code hands the attacker a valid access token and bypasses all MFA, including passkeys.
What follows is fast. Documented incidents show the group moving from initial access to complete exfiltration in under an hour, using native SaaS capabilities: bulk exports, downloads, connected app authorizations. Then the extortion demand. Payment or publication.
For a detailed breakdown of the technical attack chain, including the device code phishing and adversary-in-the-middle variants ShinyHunters has used across hundreds of victims, see our analysis of the ShinyHunters Salesforce campaign.
Why the existing defense model is not stopping it
The FBI issued a public service announcement about ShinyHunters on May 15, 2026. Mandiant, Push Security, ReliaQuest, and EclecticIQ have all published detailed research on the group and its methods. The attack chain is not a secret.
The May 2026 cluster happened anyway.
The reason is structural. Standard security tools log point-in-time events such as logins, authentication states, firewall rules and configuration audits. When ShinyHunters compromises a real employee account and authenticates normally, those activities look clean. The session is valid. The credentials are real. The MFA completed successfully, because the employee completed it on the attacker's behalf.
The breach happens in what follows. Which SaaS applications does that authenticated session reach? What does it export? How much, how fast, and to where? Has that account ever behaved this way before?
Perimeter tools are not designed to answer those questions. API-to-API data movement does not pass through a firewall in any way that generates a useful signal. A bulk export triggered through a valid OAuth token does not produce a CASB alert. A connected app authorized during a vishing call looks, to most security tooling, identical to one the account owner authorized themselves.
The gap is not in authentication. It is in what happens after authentication succeeds. What is needed is runtime enforcement at the integration layer.
Vorlon's 2026 Agentic Ecosystem Security Gap report found that 99.4% of organizations experienced at least one SaaS or AI ecosystem security incident in 2025, despite running an average of 13 dedicated security tools. Charter, Carnival, and 7-Eleven are three more data points in that pattern. The tools were present. The attacks succeeded. The layer where these breaches happen is still largely outside what most organizations are monitoring, let alone enforcing against.
Why detection is not enough, and what enforcement changes
Detecting an anomalous export after the data has moved is not a defense. It is a forensics starting point.
The attacks on Charter, Carnival, and 7-Eleven followed the same post-authentication pattern: a compromised identity used valid OAuth access to reach connected SaaS applications and pull data at scale. The session looked legitimate by every measure standard tooling applies. What it did not match was any behavioral baseline for that identity, that integration, or that data.
Enforcement at the integration layer means the export does not complete. Not because the account was locked, not because a ticket was opened in a SIEM, but because a policy applied at the protocol level stopped the action before it executed. A bulk record pull with no behavioral precedent, from an identity operating outside its normal scope, gets blocked. The session cannot export, cannot move data beyond its defined boundary, regardless of what the authenticated token technically permits.
Vorlon establishes per-entity behavioral baselines across every identity, integration, and connected SaaS service in the environment. An OAuth token operating outside its normal scope, a connected app authorized mid-session with no prior history, a data export pattern that has no precedent: those are enforcement triggers, not just detection signals. Vorlon Guardian applies controls at the protocol level. The action never completes. There is no alert-and-respond cycle because there is nothing to respond to after the fact.
The three May disclosures did not involve a zero-day. They involved an authorized session and an integration layer with no enforcement boundary.
What security teams should do now
Audit OAuth applications with broad permissions. Focus on any app authorized with refresh token or full API access scopes. If an authorization is unexplained or the integration is no longer in active use, revoke it. Dormant OAuth authorizations with broad scopes are a recurring exploitation point across ShinyHunters campaigns.
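As an added example (not code from the article or from Vorlon), the audit above as a small script: it classifies connected-app grants by scope breadth, documented approval and last use. The scope names follow Salesforce-style connected app scopes; the grant records, field names, approval references and the 90-day dormancy threshold are constructed assumptions.

```python
import json
from datetime import datetime, timedelta

# Scopes that grant broad or persistent access. "refresh_token" and
# "offline_access" let a token outlive the session that created it; "full" and
# "api" reach everything the granting user can. Naming follows Salesforce-style
# connected app scopes, but the grant records below are constructed.
BROAD_SCOPES = {"full", "api", "refresh_token", "offline_access"}

SAMPLE_GRANTS = json.loads("""[
  {"app": "Payroll Sync", "scopes": "api refresh_token", "last_used": "2026-05-20T08:00:00Z", "approval": "ticket-2024-0311"},
  {"app": "Unknown Export Tool", "scopes": "full refresh_token", "last_used": "2026-04-01T13:42:00Z", "approval": ""},
  {"app": "Old BI Connector", "scopes": "api offline_access", "last_used": "2025-09-10T10:00:00Z", "approval": "ticket-2023-0107"},
  {"app": "Calendar Widget", "scopes": "id web", "last_used": "2026-05-25T09:00:00Z", "approval": "ticket-2025-0620"}
]""")

def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def audit_grants(grants, now_iso="2026-05-28T00:00:00Z", dormant_days=90):
    """Classify broad-scope grants: 'revoke' when unexplained or dormant,
    otherwise 'review'. Narrow-scope grants are skipped by this audit."""
    now = _parse(now_iso)
    findings = []
    for g in grants:
        broad = set(g["scopes"].split()) & BROAD_SCOPES
        if not broad:
            continue
        reasons = []
        if not g["approval"]:
            reasons.append("no documented approval")
        if now - _parse(g["last_used"]) > timedelta(days=dormant_days):
            reasons.append(f"dormant for more than {dormant_days} days")
        findings.append({
            "app": g["app"],
            "broad_scopes": sorted(broad),
            "action": "revoke" if reasons else "review",
            "reasons": reasons or ["broad scopes; in use and approved"],
        })
    return findings

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS):
        print(f)
```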
Treat SSO compromise as a SaaS ecosystem event, not just an identity event. When an employee account is compromised, the standard response focuses on that account. The follow-on question has to be: what SaaS applications does this account have OAuth access to, and what could an attacker have reached from here? That inventory needs to exist before an incident, not be assembled during one.
Alert on device code authorization flows outside of recognized workflows. The device authorization grant is a legitimate OAuth mechanism that ShinyHunters has weaponized specifically because it bypasses MFA. Any device code authorization event that cannot be tied to a known, approved process warrants immediate investigation.
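One way to implement that alert, added here as an example and not taken from the article or any vendor tool: filter Entra ID sign-in records for the device authorization grant and raise a finding for every sign-in whose app/user pair is not on an approved-workflow list. The `authenticationProtocol` field with value `deviceCode` is a real Entra sign-in log field; the sample records, app IDs, IPs, the allow-list and the high-value resource set are constructed assumptions.

```python
import json

# Constructed Entra ID sign-in records (a subset of real fields). The
# `authenticationProtocol` field does carry the value "deviceCode" in Entra
# sign-in logs; the users, app IDs and IPs below are made up for this example.
SAMPLE_SIGNINS = [json.loads(line) for line in """
{"userPrincipalName": "build-runner@example.com", "appId": "app-cli-0001", "appDisplayName": "CI Deploy Tool", "authenticationProtocol": "deviceCode", "resourceDisplayName": "Microsoft Graph", "ipAddress": "198.51.100.7"}
{"userPrincipalName": "alice@example.com", "appId": "app-cli-0001", "appDisplayName": "CI Deploy Tool", "authenticationProtocol": "deviceCode", "resourceDisplayName": "Salesforce", "ipAddress": "203.0.113.10"}
{"userPrincipalName": "bob@example.com", "appId": "app-mail-0002", "appDisplayName": "Mail Client", "authenticationProtocol": "oAuth2", "resourceDisplayName": "Microsoft Graph", "ipAddress": "198.51.100.8"}
{"userPrincipalName": "carol@example.com", "appId": "app-unknown-0009", "appDisplayName": "Unknown Client", "authenticationProtocol": "deviceCode", "resourceDisplayName": "Microsoft Graph", "ipAddress": "203.0.113.44"}
""".strip().splitlines()]

# Approved device-code workflows: (appId, principal) pairs with a documented
# reason, e.g. a headless CI runner. Assumed allow-list, not a vendor setting.
APPROVED_DEVICE_CODE = {("app-cli-0001", "build-runner@example.com")}

# Resources where a device-code sign-in should be treated as high severity.
HIGH_VALUE_RESOURCES = {"Salesforce"}

def find_unapproved_device_code(records, approved=APPROVED_DEVICE_CODE):
    """Return one finding per device-code sign-in not tied to an approved workflow."""
    findings = []
    for r in records:
        if r.get("authenticationProtocol") != "deviceCode":
            continue  # only the device authorization grant is in scope here
        if (r["appId"], r["userPrincipalName"]) in approved:
            continue
        severity = "high" if r.get("resourceDisplayName") in HIGH_VALUE_RESOURCES else "medium"
        findings.append({
            "user": r["userPrincipalName"],
            "app": r["appDisplayName"],
            "resource": r.get("resourceDisplayName"),
            "ip": r.get("ipAddress"),
            "severity": severity,
            "reason": "device code sign-in with no approved workflow for this app/user pair",
        })
    return findings

if __name__ == "__main__":
    for f in find_unapproved_device_code(SAMPLE_SIGNINS):
        print(f)
```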
Know which applications carry your highest-sensitivity data. Salesforce is a recurring target because it holds large volumes of customer PII and has broad integration access. Every organization should have a current map of which SaaS applications contain their most sensitive data, who can reach it, and through what integrations.
Establish behavioral baselines for service accounts and OAuth tokens. Non-human identities are a primary attack surface in this campaign. A token that has always accessed a narrow set of records suddenly hitting a bulk export endpoint is an anomaly. Without a baseline, that anomaly is invisible. Our analysis of the Anodot and Snowflake breach covers the downstream impact of unmonitored non-human identities in detail.
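To make the baseline idea concrete, and to show the kind of pre-execution decision the enforcement section above describes, here is an added example that is not Vorlon's product logic or code from the article: it builds a per-identity, per-endpoint baseline from an access history and then rules on a new request before it runs, blocking never-seen endpoints and volumes far above the baseline. The history, identity names, endpoints, the 3-sigma multiplier and the 100-record floor are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed access history: (identity, endpoint, records_returned) per call.
# A service token with a steady query pattern and a user session with small reads.
HISTORY = [("svc-bi-token", "query", n) for n in (210, 240, 190, 300, 260, 230, 280, 250, 220, 270)]
HISTORY += [("alice-session", "query", n) for n in (12, 8, 15, 9, 11)]

def build_baselines(history):
    """Per (identity, endpoint): mean and population stdev of records per call,
    plus the set of endpoints each identity has ever been seen using."""
    samples = defaultdict(list)
    endpoints = defaultdict(set)
    for ident, endpoint, count in history:
        samples[(ident, endpoint)].append(count)
        endpoints[ident].add(endpoint)
    stats = {k: (mean(v), pstdev(v)) for k, v in samples.items()}
    return stats, endpoints

def decide(baselines, identity, endpoint, records, k=3.0, floor=100):
    """Policy decision for a data-access request before it executes.
    Returns (verdict, reason) where verdict is 'allow' or 'block'."""
    stats, endpoints = baselines
    if identity not in endpoints:
        return "block", "identity has no baseline; hold for review"
    if endpoint not in endpoints[identity]:
        return "block", f"endpoint {endpoint!r} has no precedent for {identity}"
    mu, sigma = stats[(identity, endpoint)]
    limit = max(mu + k * sigma, floor)  # floor avoids blocking small-read noise
    if records > limit:
        return "block", f"{records} records exceeds baseline limit {limit:.0f}"
    return "allow", f"within baseline (limit {limit:.0f})"

BASELINES = build_baselines(HISTORY)

if __name__ == "__main__":
    for req in [("svc-bi-token", "query", 330),
                ("svc-bi-token", "query", 50_000),
                ("svc-bi-token", "bulk_export", 1_200_000),
                ("alice-session", "query", 60),
                ("ghost-token", "query", 5)]:
        print(req, "->", decide(BASELINES, *req))
```

A real deployment would key the baseline on more than record counts (time of day, source network, destination), but the shape of the decision is the same: the request is judged against precedent before it completes, not after.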
Move toward phishing-resistant MFA for high-privilege accounts. Push-based and SMS-based MFA are defeatable through social engineering. For accounts with access to CRM platforms, customer data stores, or internal infrastructure, FIDO2 and hardware security keys raise the bar, though as covered in our breakdown of the Mandiant research, phishing-resistant MFA alone is not a complete answer while device code phishing remains in the group's toolkit.
Detection and Response Tips:
If you suspect ShinyHunters activity in your environment:
- Revoke all active sessions for the affected account immediately
- Audit connected OAuth apps for the account and revoke anything unrecognized
- Pull SaaS audit logs for bulk data access and export events in the relevant window
- Check IdP logs for MFA enrollment changes or new device registrations
- Review any connected app authorizations created in the days surrounding the incident
- Report suspected intrusions to the FBI Internet Crime Complaint Center at ic3.gov
The playbook is documented. The enforcement gap is not closed.
The May 2026 disclosures are not evidence that ShinyHunters found a new technique. The vishing, the device code phishing, the OAuth pivot into connected SaaS: all of it was documented and public before any of these three breaches occurred. The group is not innovating. It is repeating, at scale, across sectors, because the conditions that make the attack possible have not changed.
What those conditions share is an integration layer with no enforcement boundary. Authenticated sessions that can reach any connected SaaS application their OAuth permissions allow, export any data those permissions cover, and complete that action before any detection fires.
Three major consumer brands in 30 days. One group. One playbook. The question is not whether this will happen again. It is whether the next target has enforcement at the layer where it happens.