TL;DR: ShinyHunters-linked incidents across Canvas, 7-Eleven, and Charter Communications were tied to roughly 317.2 million compromised identities in a single month, reinforcing that attackers increasingly inherit trust through credentials and access paths rather than breaking in from scratch, according to Linx Security. The practical shift is clear: identity governance, privilege context, and attack-path control now matter as much as traditional perimeter hardening.
NHIMG editorial — based on content published by Linx Security: The ShinyHunters Playbook: Why Identity Has Become The New Attack Surface
By the numbers:
- Roughly 317.2 million identities combined were compromised across these three breaches, all within the last month alone.
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities.
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes.
Questions worth separating out
Q: What breaks when identity access is treated as trustworthy by default?
A: When access is trusted by default, attackers can inherit legitimate permissions instead of needing to exploit a perimeter flaw.
Q: Why do service accounts and integrations increase breach impact?
A: Service accounts and integrations often hold broad permissions, long-lived credentials, and weak human oversight.
Q: How do security teams know if identity governance is actually working?
A: Identity governance is working when organisations can show which identities exist, what each one can reach, why the access is still needed, and how quickly risky trust paths are removed.
Practitioner guidance
- Inventory every identity that can inherit trust: Include human users, service accounts, SaaS integrations, API tokens, workload identities, and AI agents in a single inventory so the attack surface is not split across separate teams or tools.
- Reassess overbroad permissions on trusted access paths: Look for credentials and integrations that can reach sensitive data without a task-specific need, then remove permissions that exist only because the account was created quickly and never revisited.
- Map attack paths from identity to data: Trace which identities can pivot into crown-jewel systems, then prioritise the pathways that combine broad reach, weak monitoring, and low operational visibility.
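The three guidance items above (one inventory, stale or overbroad permissions, identity-to-data attack paths) can be checked mechanically once identities and their trust relationships are written down as a graph. The following is an added example, not code from Linx Security or from the article; the identity inventory, the trust edges and the crown-jewel resource names are all constructed for illustration, and the scoring weights are an assumption chosen to make the ranking readable rather than a published formula.

```python
"""Toy identity-to-data attack-path mapper (added example with constructed data)."""
from collections import deque

# Constructed inventory (not real data): every identity kind in ONE table, as the
# guidance recommends, rather than split across IAM, DevOps and SaaS admin tools.
IDENTITIES = {
    "alice@corp":        {"kind": "human",       "last_used_days": 1,   "monitored": True},
    "svc-ci-runner":     {"kind": "service",     "last_used_days": 3,   "monitored": False},
    "saas-crm-sync":     {"kind": "integration", "last_used_days": 210, "monitored": False},
    "token-legacy-etl":  {"kind": "api_token",   "last_used_days": 400, "monitored": False},
    "wl-reporting":      {"kind": "workload",    "last_used_days": 2,   "monitored": True},
    "agent-support-bot": {"kind": "ai_agent",    "last_used_days": 0,   "monitored": True},
}

# Constructed trust edges: (source, target) means "source can act as / read target".
# Targets that are not identities are roles or resources.
TRUST_EDGES = [
    ("alice@corp", "role-dev"),
    ("role-dev", "repo-main"),
    ("svc-ci-runner", "role-deploy"),
    ("role-deploy", "role-admin"),           # deploy role is allowed to assume admin
    ("role-admin", "db-customers"),
    ("role-admin", "kms-prod"),
    ("saas-crm-sync", "db-customers"),       # integration granted direct DB read
    ("token-legacy-etl", "bucket-exports"),
    ("bucket-exports", "db-customers"),      # exports bucket holds full customer dump
    ("wl-reporting", "bucket-reports"),
    ("agent-support-bot", "saas-crm-sync"),  # AI agent delegates to the integration
]

# Constructed crown-jewel resources the exercise cares about.
CROWN_JEWELS = {"db-customers", "kms-prod"}


def build_graph(edges):
    """Adjacency list from the edge list; every node gets an entry."""
    graph = {}
    for src, dst in edges:
        graph.setdefault(src, []).append(dst)
        graph.setdefault(dst, [])
    return graph


def reachable(graph, start):
    """BFS returning {node: shortest trust path (list of nodes) from start}."""
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def crown_jewel_paths(graph, identity, crown_jewels=CROWN_JEWELS):
    """Which crown jewels this identity can reach by inheriting trust, and how."""
    paths = reachable(graph, identity)
    return {target: paths[target] for target in sorted(crown_jewels) if target in paths}


def assess(info, jewel_paths, stale_after_days=90):
    """Assumed scoring: reach counts most; stale use and missing monitoring add weight."""
    if not jewel_paths:
        return 0, []
    reasons = [f"reaches {len(jewel_paths)} crown-jewel resource(s)"]
    score = 10 * len(jewel_paths)
    if info["last_used_days"] > stale_after_days:
        score += 5
        reasons.append(f"unused for {info['last_used_days']} days but still trusted")
    if not info["monitored"]:
        score += 5
        reasons.append("no activity monitoring on this identity")
    return score, reasons


def prioritise(identities=IDENTITIES, edges=TRUST_EDGES):
    """Rank identities whose inherited trust reaches crown jewels, worst first."""
    graph = build_graph(edges)
    findings = []
    for name, info in identities.items():
        jewel_paths = crown_jewel_paths(graph, name)
        score, reasons = assess(info, jewel_paths)
        if score:
            findings.append({"identity": name, "score": score,
                             "reasons": reasons, "paths": jewel_paths})
    findings.sort(key=lambda f: (-f["score"], f["identity"]))
    return findings


if __name__ == "__main__":
    for finding in prioritise():
        print(f"{finding['score']:>3}  {finding['identity']}")
        for reason in finding["reasons"]:
            print(f"       - {reason}")
        for target, path in finding["paths"].items():
            print(f"       {target}: {' -> '.join(path)}")
```

The output ranks the unmonitored CI service account first because a two-hop role chain gives it both crown jewels, and it surfaces the long-unused SaaS integration and legacy ETL token ahead of the human user, whose trust path stops at a repository. In a real programme the inventory and edges would be pulled from the IdP, cloud IAM policies and SaaS admin APIs rather than typed in, but the question the code answers is the one the guidance poses: not who logged in, but what each identity could reach once trust was inherited.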
What's in the full article
Linx Security's full blog post covers the operational detail this post intentionally leaves for the source:
- A fuller incident-by-incident walkthrough of the Canvas, 7-Eleven, and Charter Communications cases and how the trust paths differed.
- The vendor’s discussion of how identity inheritance, SaaS access, and exposed credentials combine into attacker pathways.
- More context on Linx Security’s view of why current identity programmes miss non-human trust relationships at scale.
- The closing product and demo material that sits outside the independent analysis in this post.
👉 Read Linx Security's analysis of ShinyHunters and identity-led breach risk →
ShinyHunters and identity risk: what IAM teams need to rethink?
Explore further
Identity trust debt is now a primary breach driver: The modern enterprise has created more trusted paths than most governance programmes can observe. When attackers can inherit access through credentials, integrations, or service accounts, the breach is no longer about breaking in. It is about exploiting trust that was granted for business convenience. Practitioners should treat unused, broad, or stale trust relationships as accumulated attack surface, not administrative clutter.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
- Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months.
A question worth separating out:
Q: How should organisations respond when trusted access becomes the attack path?
A: Organisations should tighten the scope of every credential, prioritise attack-path analysis for crown-jewel systems, and unify governance across human, machine, and delegated identities. The key question is not who logged in. It is what the identity could do once trust was inherited, because that determines the true containment boundary.
👉 Read our full editorial: ShinyHunters shows identity is now the enterprise attack surface