ShinyHunters and SaaS identity abuse: what IAM teams need now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 1681
Topic starter  

TL;DR: ShinyHunters-linked intrusions now span voice phishing, OAuth token abuse, and credential reuse across SaaS, with Canvas, Snowflake, and Salesloft Drift all fitting the same identity-led breach pattern, according to Lumos. The security problem is less about malware and more about valid identities doing unauthorized work at export scale.

NHIMG editorial — based on content published by Lumos: What Is ShinyHunters? How One Cybercrime Group Is Behind a Dozen Major Cyber Breaches

By the numbers:

Questions worth separating out

Q: How should security teams implement phishing-resistant MFA for privileged SaaS access?

A: Start with the identities that can export data or change access, including IdP admins, SaaS admins, and helpdesk staff.

Q: Why do OAuth-connected apps create outsized NHI risk in SaaS environments?

A: Because a connected app acts with delegated authority, and a stolen token inherits that authority until revoked.

Q: What do security teams get wrong about session tokens and MFA?

A: They often assume MFA closes the risk, when in practice the issued session token becomes the credential that matters.

Practitioner guidance

  • Require phishing-resistant MFA for privileged SaaS roles: move helpdesk, IdP admin, Salesforce admin, and contractor admin accounts to FIDO2 or passkeys, then verify that step-up cannot be satisfied by push approval alone.
  • Inventory and own every OAuth grant and service identity: assign a named owner, data scope, last-used date, and emergency revoke path to each connected app, refresh token, API key, and service account.
  • Shorten the lifetime of delegated access: use just-in-time access, narrow OAuth scopes, and frequent token rotation so a stolen credential has less time and less reach.

That is why organisations need governance over the identity after authentication, not just stronger gatekeeping at the front door.

👉 Read Lumos' analysis of ShinyHunters, identity-led SaaS breaches, and defensive steps →

(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 198
 

Identity-led SaaS extortion is now a governance pattern, not an edge case. The same chain keeps reappearing because organizations still trust authenticated sessions too much after sign-in. The attacker does not need to deploy malware when a valid token can perform the export for them. Practitioners should treat the pattern as a recurring control failure, not isolated bad luck.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to the same report.

A question worth separating out:

Q: What should teams do in the first 24 to 72 hours after a connected app compromise?

A: Identify the compromised integration, revoke its OAuth tokens, and search for any downstream exports or unusual API reads. Then reset adjacent credentials that may have been exposed in the same data set and notify owners of other NHIs that could have been reused. Speed matters because stolen credentials often open multiple doors.

👉 Read our full editorial: ShinyHunters shows how identity-led SaaS breaches keep scaling
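The inventory guidance in the first post and the 24-to-72-hour triage steps above, as an added example that is not Lumos' or NHIMG's code: it audits a constructed grant inventory for a missing owner, a missing revoke path, staleness and broad scopes, then sums recent API reads per connected app so a valid identity reading at export scale stands out. Field names, scope strings, the 90-day and 100,000-row thresholds, the audit date and the sample records are all assumptions.

```python
from collections import namedtuple
from datetime import date, timedelta
# Constructed example: field names, scope strings and sample records are not
# any provider's real schema or data. Grant fields: app, owner (named human),
# scopes (frozenset of OAuth scopes), last_used (date), revoke_path (runbook
# reference, None if none is documented).
Grant = namedtuple("Grant", "app owner scopes last_used revoke_path")
BROAD_SCOPES = {"data.export", "users.admin", "offline_access"}
STALE_DAYS = 90
TODAY = date(2025, 10, 1)  # constructed audit date

def audit_grant(g: Grant, today: date) -> list[str]:
    """Governance findings for one grant; an empty list means it passes."""
    findings = []
    if not g.owner:
        findings.append("no named owner")
    if not g.revoke_path:
        findings.append("no emergency revoke path")
    if (idle := (today - g.last_used).days) > STALE_DAYS:
        findings.append(f"unused for {idle} days")
    if broad := sorted(g.scopes & BROAD_SCOPES):
        findings.append("broad scopes: " + ", ".join(broad))
    return findings

def audit_inventory(grants, events, today, row_threshold=100_000) -> dict:
    """Grant hygiene plus rows read per app in the last 7 days (export scale)."""
    since, volume = today - timedelta(days=7), {}
    for e in events:  # event: {"date", "app", "action", "rows"}
        if e["date"] >= since and e["action"] == "api.read":
            volume[e["app"]] = volume.get(e["app"], 0) + e["rows"]
    report = {}
    for g in grants:
        findings = audit_grant(g, today)
        if volume.get(g.app, 0) > row_threshold:
            findings.append(f"export-scale reads: {volume[g.app]} rows in 7 days")
        if findings:
            report[g.app] = findings
    return report

SAMPLE_GRANTS = [  # one healthy grant, one stale and unowned, one exporting
    Grant("crm-sync", "alice", frozenset({"contacts.read"}), date(2025, 9, 28), "runbook#crm"),
    Grant("old-chatbot", None, frozenset({"offline_access", "data.export"}), date(2025, 3, 1), None),
    Grant("bi-connector", "bob", frozenset({"data.export"}), date(2025, 9, 30), "runbook#bi"),
]
SAMPLE_EVENTS = [  # the 1 Sep read falls outside the 7-day window and is ignored
    {"date": date(2025, 9, 29), "app": "bi-connector", "action": "api.read", "rows": 90_000},
    {"date": date(2025, 9, 30), "app": "bi-connector", "action": "api.read", "rows": 60_000},
    {"date": date(2025, 9, 30), "app": "crm-sync", "action": "api.read", "rows": 500},
    {"date": date(2025, 9, 1), "app": "bi-connector", "action": "api.read", "rows": 400_000},
]
```

Run `audit_inventory(SAMPLE_GRANTS, SAMPLE_EVENTS, TODAY)` to see the unowned stale grant and the high-volume connector flagged while the healthy grant stays silent; in a real environment the events would come from the SaaS provider's audit log export.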
