Today is the deadline.
As of February 20, 2026, the cybercrime group ShinyHunters has told CarGurus, Mercer Advisors, and several other companies to negotiate or watch their data get published. Their exact words: "This is a final warning to reach out by 20 Feb 2026 before we leak along with several annoying (digital) problems that'll come your way."
CarGurus: 1.7 million records. Mercer Advisors: 5 million. Beacon Pointe Advisors: 100,000. These are just the latest additions to a campaign that has already breached 15+ companies and stolen over 50 million records since the beginning of the year. SoundCloud, Match Group, Panera Bread, Betterment, Harvard, Crunchbase, Figure, Canada Goose: the list reads like a cross-section of the American economy.
Here's what makes this campaign remarkable: ShinyHunters didn't deploy ransomware. They didn't exploit zero-days. They didn't write custom malware. They picked up the phone.
The Vishing Playbook
ShinyHunters' attack method is almost insultingly simple. They call employees and pose as IT staff, telling them their MFA settings need updating. They direct the employee to a credential harvesting page that mimics the company's SSO portal, whether that's Okta, Microsoft Entra, or Google. As the employee enters their credentials and MFA code, the attackers capture both in real time and use them to log in.
One phone call. One compromised identity. And then everything connected to that identity is exposed.
What happens next is the part that should concern every security leader. After gaining access to an SSO account, the attackers browse the list of connected applications and begin systematically harvesting data from every SaaS platform available to that user: Salesforce, internal wikis, HR systems, customer databases, financial records, communications archives. Silent Push identified over 100 organizations on ShinyHunters' target list. The campaign isn't opportunistic. It's industrial.
This is voice phishing at a completely different scale than what we've seen historically. Vishing attacks surged 442% in 2025, and the threat I described in my earlier analysis of voice cloning and CEO fraud is now being operationalized at industrial scale. The difference is that ShinyHunters doesn't need deepfakes. A convincing phone manner and a plausible pretext about MFA settings is enough.
SSO: Security Feature or Single Point of Failure?
The industry pushed SSO for good reasons. Centralized authentication reduces password fatigue, simplifies access management, and gives security teams a single pane of glass for identity governance. In theory, it's a clear security improvement over having employees manage dozens of individual credentials across dozens of applications.
But SSO also created something the industry didn't talk enough about: a single point of catastrophic failure.
Before SSO, compromising an employee's Salesforce password gave you access to Salesforce. Compromising their Slack password gave you access to Slack. Each application was its own silo, and each compromised credential had a limited blast radius.
With SSO, one compromised identity is a skeleton key. Every SaaS application connected to that identity provider, every database, every internal tool, every communication platform, is accessible with the same token. ShinyHunters understood this before most defenders did.
The Fortinet SSO breach I analyzed in January showed what happens when the SSO infrastructure itself is vulnerable. ShinyHunters took a different approach: they don't need to find a technical flaw in Okta or Entra. They just need one employee to answer the phone and follow instructions. The result is the same: total access through the identity layer.
The Snowflake Playbook, Evolved
To understand how we got here, look at ShinyHunters' evolution.
In 2024, they compromised approximately 165 Snowflake customer accounts using credentials harvested by infostealer malware, some dating back to 2020. The victims included Ticketmaster, Santander Bank, and AT&T. The attack was effective but relied on a finite supply of stolen credentials and the hope that victims hadn't enabled MFA.
The infostealer epidemic I wrote about in January shows the scale of that credential supply chain: 1.8 billion credentials stolen from 5.8 million devices in just the first half of 2025. But defenders were catching on. More companies enabled MFA. More credentials got rotated. The shelf life of stolen passwords shortened.
So ShinyHunters adapted. Instead of relying on stale credentials, they started generating fresh ones in real time through social engineering. Voice phishing bypasses MFA because the attackers intercept both the credential and the MFA code simultaneously, during the call. There's no credential rotation that protects against this. There's no MFA implementation based on codes the employee types or approves, whether push or TOTP, that stops it. The employee hands over everything voluntarily, believing they're following legitimate IT instructions.
By mid-2025, they had expanded to Salesforce environments, breaching Google, Cisco, Adidas, Qantas, and multiple LVMH subsidiaries. Now, in early 2026, they're targeting any SaaS application behind an SSO portal, and the victims span financial services, higher education, technology, retail, and consumer brands.
Each evolution made their operation more scalable, more resilient, and harder to stop. They learned from the Snowflake campaign's limitations and built a playbook that doesn't depend on any specific vulnerability, any specific platform, or any specific piece of malware. It depends on a human answering the phone.
Data Theft Without Encryption: Yesterday's Prediction, Today's Reality
Two days ago, I wrote about how ransomware groups are abandoning encryption for pure data theft. The core argument: attackers learned that organizations can restore from backups, so encryption lost its leverage. Data exfiltration and the threat of exposure became the new extortion model.
ShinyHunters is this thesis made real, running at scale, today.
Their entire operation is built on data theft without encryption. No ransomware payloads. No locked files. No disrupted systems. Just stolen data and a countdown timer. The victims' systems kept running perfectly throughout the breach. In many cases, the first sign of compromise was the extortion demand itself.
This is exactly the detection problem I flagged: when there's no encryption, there's no obvious signal. No files changing extensions. No ransom notes. No operational disruption. The attacker uses legitimate SSO credentials to access legitimate SaaS applications through legitimate channels. Every action looks like normal employee behavior.
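The harvesting pattern described in the Vishing Playbook section and the detection problem flagged here do leave one signal: a sign-in from a device or IP the identity provider has never seen for that user, followed within minutes by that session touching far more SSO-connected applications than the user normally does. The following is an added example (not code from the original post, and not any vendor's audit schema) that runs that heuristic over a constructed set of newline-delimited JSON SSO events; the field names, session IDs, IPs and thresholds are all assumptions chosen for illustration.

```python
"""Added example: flag SSO sessions that look like post-vishing SaaS harvesting.

Heuristic: a login from an IP never seen before for that user, followed by the
same session reaching an unusually large number of distinct applications within
a short window. The event format and sample log are constructed for this
example; real identity providers use their own audit schemas.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events, one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2026-02-18T09:00:00Z","user":"alice","event":"login","ip":"203.0.113.10","session":"s1"}
{"ts":"2026-02-18T09:05:00Z","user":"alice","event":"app_access","app":"mail","session":"s1"}
{"ts":"2026-02-18T09:40:00Z","user":"alice","event":"app_access","app":"wiki","session":"s1"}
{"ts":"2026-02-19T14:02:00Z","user":"alice","event":"login","ip":"198.51.100.7","session":"s2"}
{"ts":"2026-02-19T14:03:00Z","user":"alice","event":"app_access","app":"salesforce","session":"s2"}
{"ts":"2026-02-19T14:04:00Z","user":"alice","event":"app_access","app":"hr","session":"s2"}
{"ts":"2026-02-19T14:05:00Z","user":"alice","event":"app_access","app":"wiki","session":"s2"}
{"ts":"2026-02-19T14:06:00Z","user":"alice","event":"app_access","app":"erp","session":"s2"}
{"ts":"2026-02-19T14:07:00Z","user":"alice","event":"app_access","app":"drive","session":"s2"}
{"ts":"2026-02-19T10:00:00Z","user":"bob","event":"login","ip":"203.0.113.11","session":"s3"}
{"ts":"2026-02-19T10:01:00Z","user":"bob","event":"app_access","app":"mail","session":"s3"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events and sort them by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_harvesting(events, window=timedelta(minutes=15), min_apps=4):
    """Return alerts for sessions that begin from a never-before-seen IP for
    that user and reach at least `min_apps` distinct apps within `window`.

    Note: the first login in the data for any user counts as a new IP, so in
    practice seed `seen_ips` from a longer history before alerting."""
    seen_ips = defaultdict(set)   # user -> IPs observed on earlier logins
    sessions = {}                 # session id -> tracking record
    for ev in events:
        if ev["event"] == "login":
            user, ip = ev["user"], ev["ip"]
            sessions[ev["session"]] = {
                "user": user, "ip": ip, "start": ev["ts"],
                "new_ip": ip not in seen_ips[user], "apps": set(),
            }
            seen_ips[user].add(ip)
        elif ev["event"] == "app_access":
            s = sessions.get(ev["session"])
            if s is not None and ev["ts"] - s["start"] <= window:
                s["apps"].add(ev["app"])
    alerts = []
    for sid, s in sessions.items():
        if s["new_ip"] and len(s["apps"]) >= min_apps:
            alerts.append({"user": s["user"], "session": sid,
                           "ip": s["ip"], "apps": sorted(s["apps"])})
    return alerts


if __name__ == "__main__":
    for alert in detect_harvesting(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed data only Alice's second session trips the rule: a new IP followed by five applications in five minutes. A legitimate new laptop for a busy user will produce the same pattern, so in practice this is a triage signal to pair with device-trust state and the user's own per-app baseline, not an automatic block.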
The data exfiltration epidemic isn't a trend to watch. It's happening. Fifty million records, fifteen companies, one phone call at a time.
The Vendor Risk Amplifier
There's another dimension to this campaign that the headlines are missing. ShinyHunters isn't just breaching individual companies; they're exploiting the third-party data sharing problem that compounds at every layer of the modern enterprise stack.
When an employee's SSO account is compromised, the attacker inherits access to every SaaS vendor relationship that employee had. If that employee managed customer integrations through Salesforce, the breach extends into customer data. If they administered HR platforms, employee records are exposed. If they had access to financial systems through an ERP integration, transaction data is on the table.
The blast radius of a single SSO compromise maps directly to the web of third-party SaaS relationships the organization has built. Companies that aggressively adopted SaaS, that connected dozens of cloud applications through their SSO portal for efficiency and governance, inadvertently created the widest possible attack surface for exactly this kind of campaign.
What Actually Works
If MFA doesn't stop this, and SSO itself is the attack surface, what does?
Phishing-resistant MFA is non-negotiable. FIDO2/WebAuthn hardware keys can't be intercepted over the phone because authentication is bound to the legitimate domain. An attacker's phishing page can't trigger a hardware key authentication to the real identity provider. Organizations that deployed YubiKeys or passkeys are immune to this specific attack vector. The fact that most enterprise SSO deployments still accept push notifications or TOTP codes is a design failure the industry needs to fix.
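The reason a hardware key or passkey can't be relayed through a phone call is mechanical, not procedural: the browser (not the page) writes the calling origin into clientDataJSON, the authenticator only answers for credentials scoped to the relying party's RP ID, and the signature covers both. The relying party then refuses any assertion whose origin or rpIdHash isn't its own. The following added example (not code from the post, and not any identity provider's implementation) shows just that binding check on the server side, with constructed domain names, challenge bytes and assertion data; signature verification over authenticatorData || SHA-256(clientDataJSON), which is what makes these fields tamper-evident, is omitted for brevity.

```python
"""Added example: relying-party checks that bind a WebAuthn assertion to the
legitimate origin and RP ID.

Only the origin / RP-ID binding is shown; the signature check that protects
these fields from tampering is left out. Domain names, challenges and the
sample assertions below are constructed for this example.
"""
from __future__ import annotations

import base64
import hashlib
import json
import secrets

RP_ID = "sso.example.com"                      # constructed relying-party ID
ALLOWED_ORIGINS = {"https://sso.example.com"}  # origins the RP accepts


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Mimic what a browser serialises into clientDataJSON for an assertion.
    The browser fills in `origin`; page script cannot override it."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def make_authenticator_data(rp_id: str) -> bytes:
    """authenticatorData: SHA-256(rpId) || flags || 4-byte signature counter.
    Flags 0x05 = user present + user verified."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + b"\x05" + (1).to_bytes(4, "big"))


def verify_assertion_binding(client_data: bytes, auth_data: bytes,
                             expected_challenge: bytes) -> tuple[bool, str]:
    """Return (ok, reason). Reject anything not bound to our origin / RP ID."""
    try:
        cd = json.loads(client_data)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replay or wrong session)"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return False, f"origin {cd.get('origin')!r} is not the relying party"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not auth_data[32] & 0x01:
        return False, "user-presence flag not set"
    return True, "ok"


def demo() -> tuple[tuple[bool, str], tuple[bool, str]]:
    """Legitimate origin is accepted; a constructed look-alike origin is not."""
    challenge = secrets.token_bytes(32)
    auth = make_authenticator_data(RP_ID)
    good = verify_assertion_binding(
        make_client_data("https://sso.example.com", challenge), auth, challenge)
    # Constructed look-alike domain standing in for a credential-harvesting page.
    bad = verify_assertion_binding(
        make_client_data("https://sso.example-com.invalid", challenge), auth, challenge)
    return good, bad


if __name__ == "__main__":
    print(demo())
```

Two practical caveats follow from this. First, the origin check only protects an account that cannot fall back to a weaker factor: if the SSO tenant still allows push or TOTP as a backup, the caller simply asks the employee to use that instead, so "deploy keys" really means "deploy keys and remove the other factors". Second, the check is only as good as the signature verification that accompanies it; a relying party that parses clientDataJSON without verifying the signature over it has no binding at all.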
Conditional access policies need real teeth. Restrict SSO authentication to managed devices, known networks, and compliant endpoints. If an attacker captures credentials and an MFA code but can't satisfy device trust requirements, the stolen credentials are useless. This doesn't require new technology; Okta, Entra, and Google all support conditional access. Most organizations just haven't configured it aggressively enough.
SaaS access needs segmentation. Not every employee needs access to every connected application. The principle of least privilege applies to SaaS just as it applies to network access. Audit your SSO-connected applications, tier them by sensitivity, and restrict access to each tier independently. A compromised marketing coordinator's account shouldn't provide access to financial systems.
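The two recommendations above, device-bound conditional access and per-tier SaaS segmentation, compose into one decision that the identity provider makes at every app launch. The following added example (not the post's code, and not Okta, Entra or Google policy syntax) expresses that decision as a single Python function over a constructed set of app tiers, role entitlements and sign-in contexts; every name and threshold in it is an assumption chosen to illustrate the shape of the policy. It goes slightly beyond the text by evaluating the tier rules independently, so that a sensitive or restricted tier can demand more than the baseline without loosening the baseline itself.

```python
"""Added example: conditional-access plus app-tier decision function.

Field names, tiers, roles and sample sign-ins are constructed for this
example; they mirror what identity providers can express, not their syntax.
"""
from __future__ import annotations

from dataclasses import dataclass

PHISHING_RESISTANT = {"fido2", "passkey"}

# Constructed app tiers: each tier carries its own access requirements.
APP_TIERS = {
    "mail": "standard", "wiki": "standard",
    "salesforce": "sensitive", "hr": "sensitive",
    "erp": "restricted",
}

# Constructed role entitlements: which tiers a role may reach at all.
ROLE_TIERS = {
    "marketing": {"standard"},
    "sales": {"standard", "sensitive"},
    "finance": {"standard", "sensitive", "restricted"},
}


@dataclass
class SignIn:
    user: str
    role: str
    app: str
    mfa_type: str            # e.g. "totp", "push", "fido2", "passkey"
    device_managed: bool
    device_compliant: bool
    known_network: bool


def evaluate(s: SignIn) -> tuple[str, str]:
    """Return ("allow" | "deny", reason). Rules run from the broadest to the
    most specific so the deny reason says which control did the work."""
    tier = APP_TIERS.get(s.app)
    if tier is None:
        return "deny", f"unknown app {s.app!r}"
    # Baseline for every SSO-connected app: device trust. Captured
    # credentials plus a relayed MFA code do not satisfy this from an
    # attacker's own machine.
    if not (s.device_managed and s.device_compliant):
        return "deny", "device is not managed and compliant"
    # Least privilege: the role must be entitled to the app's tier at all.
    if tier not in ROLE_TIERS.get(s.role, set()):
        return "deny", f"role {s.role!r} is not entitled to tier {tier!r}"
    # Tier-specific hardening, evaluated independently per tier.
    if tier in ("sensitive", "restricted") and s.mfa_type not in PHISHING_RESISTANT:
        return "deny", f"tier {tier!r} requires phishing-resistant MFA"
    if tier == "restricted" and not s.known_network:
        return "deny", "restricted tier requires a known network"
    return "allow", "all conditions satisfied"


def demo() -> list[tuple[str, str, str, str]]:
    """Constructed sign-ins: (user, app, decision, reason)."""
    cases = [
        # Attacker replaying captured password + TOTP from an unmanaged box.
        SignIn("alice", "sales", "salesforce", "totp", False, False, False),
        # Same user, her own compliant laptop, hardware key.
        SignIn("alice", "sales", "salesforce", "fido2", True, True, True),
        # Compromised marketing account on a managed device reaching for ERP.
        SignIn("mara", "marketing", "erp", "fido2", True, True, True),
        # Finance on a managed device but from an unknown network.
        SignIn("fin", "finance", "erp", "fido2", True, True, False),
    ]
    return [(c.user, c.app, *evaluate(c)) for c in cases]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

The first constructed case is the ShinyHunters scenario: the credentials and MFA code are genuine, and the request is still denied because the device check precedes everything else. The third case is the "marketing coordinator shouldn't reach financial systems" rule from the text, enforced by entitlement rather than by hoping nobody clicks the wrong tile.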
Security awareness training needs to evolve beyond email. Most phishing training programs focus on email. ShinyHunters uses the phone. Train employees that IT will never call to ask them to update MFA settings on an unfamiliar website. Establish clear verification procedures for identity-related requests, including callback numbers and out-of-band confirmation.
And if the data itself were protected? The tokenization argument I made two days ago applies directly to this scenario. If sensitive fields in SaaS applications were tokenized at the field level, compromised SSO credentials would still grant access to applications, but the data harvested would be cryptographically meaningless. ShinyHunters could exfiltrate 50 million records and end up with 50 million tokens. The extortion demand collapses when the stolen data has no value.
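What field-level tokenization means in practice is that the SaaS application stores a random, meaningless stand-in for each sensitive value and only a separately secured vault can map it back. The following added example (not the post's code, and not any tokenization product) shows that flow over a constructed customer record: which fields count as sensitive, the record layout and the sample values are all assumptions, and the in-memory vault stands in for a token service that would never sit behind the same SSO session as the applications it protects.

```python
"""Added example: field-level tokenization so that records harvested through
a compromised SSO session carry no usable sensitive data.

The vault is an in-memory stand-in for a separately secured token service;
the record layout, field list and sample values are constructed.
"""
import secrets

# Constructed policy: which record fields are replaced by tokens.
SENSITIVE_FIELDS = {"ssn", "account_number", "email"}


class TokenVault:
    """Maps sensitive values to random tokens and back.

    Tokens are random rather than derived from the value, so a token reveals
    nothing without the vault. The same (field, value) always yields the same
    token, so equality joins inside the application keep working."""

    def __init__(self):
        self._by_value = {}   # (field, value) -> token
        self._by_token = {}   # token -> value

    def tokenize(self, field, value):
        key = (field, value)
        if key not in self._by_value:
            token = f"tok_{field}_{secrets.token_urlsafe(12)}"
            self._by_value[key] = token
            self._by_token[token] = value
        return self._by_value[key]

    def detokenize(self, token):
        return self._by_token[token]   # KeyError for tokens this vault never issued


def tokenize_record(vault, record, fields=SENSITIVE_FIELDS):
    """Return the copy of `record` the SaaS application actually stores."""
    return {k: (vault.tokenize(k, v) if k in fields else v)
            for k, v in record.items()}


def detokenize_record(vault, record, fields=SENSITIVE_FIELDS):
    """Reverse the mapping; only code holding the vault can do this."""
    return {k: (vault.detokenize(v) if k in fields else v)
            for k, v in record.items()}


def leaks_sensitive(stored, original, fields=SENSITIVE_FIELDS):
    """True if any original sensitive value appears anywhere in `stored`,
    i.e. what an attacker exfiltrating `stored` would actually obtain."""
    blob = " ".join(str(v) for v in stored.values())
    return any(str(original[f]) in blob for f in fields if f in original)


def demo():
    """Constructed customer record; returns (stored copy, leaks?)."""
    vault = TokenVault()
    record = {"customer_id": 42, "name": "J. Doe",
              "email": "jdoe@example.com", "ssn": "123-45-6789", "plan": "pro"}
    stored = tokenize_record(vault, record)
    assert detokenize_record(vault, stored) == record
    return stored, leaks_sensitive(stored, record)


if __name__ == "__main__":
    stored, leaked = demo()
    print(stored, "leaks sensitive data:", leaked)
```

The stored copy is what a harvested export would contain: the plan and customer ID are still readable, the SSN and e-mail are opaque `tok_` strings, and nothing in it reverses without the vault. The field list is the policy decision that matters here; a record whose "notes" column still carries a pasted account number is not protected by tokenizing the account_number column.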
The Identity Crisis
Four ShinyHunters members were arrested in France in June 2025. The attacks didn't stop. The group's tactics have been adopted and adapted by collaborators, including elements allegedly connected to Scattered Spider. Arresting individuals doesn't dismantle a playbook that's been proven, documented, and shared.
The fundamental problem isn't ShinyHunters. It's that we centralized enterprise access behind identity systems and then left those identity systems protected by defenses that a phone call can bypass. We built a castle with one door and then relied on the doorman recognizing voices.
The companies whose data leaks today, or this week, or whenever ShinyHunters follows through on their deadlines, are learning the hard way what the Snowflake victims, the Salesforce victims, and the Fortinet victims all learned before them: the perimeter doesn't matter when the attack goes through the identity layer. And identity, in 2026, is protected by whatever an employee does when the phone rings.
The fix isn't one technology. It's a recognition that SSO didn't eliminate authentication risk. It concentrated it. And concentrated risk demands concentrated defense: hardware-bound MFA, aggressive conditional access, SaaS segmentation, and data protection that works even after the perimeter fails.
Today's deadline is for CarGurus. Tomorrow's will be for someone else. The playbook is proven. The question is whether your defenses assume the phone will ring.