TempMail Ninja
ShinyHunters Extortion Wave: ADT, Udemy, and Vimeo Hit by Vishing


The global cybersecurity landscape has been rocked by a sophisticated ShinyHunters extortion wave that has systematically dismantled the defenses of some of the world’s most recognizable brands. Over the last 48 hours, a coordinated series of breaches targeting home security giant ADT, e-learning titan Udemy, and video hosting platform Vimeo has signaled a dangerous evolution in cybercrime. This campaign marks a definitive departure from traditional ransomware; instead of encrypting local servers, the group is leveraging high-pressure “pay or leak” tactics fueled by the wholesale exfiltration of cloud-hosted customer data.

The scale of the crisis is staggering. By compromising the identity layer that governs access to modern Software-as-a-Service (SaaS) environments, ShinyHunters has bypassed traditional perimeter defenses. From the personal addresses of millions of homeowners to the internal analytics of global media firms, the data currently held for ransom represents one of the most significant collective exposures of the year. For security professionals, the ShinyHunters extortion wave serves as a grim masterclass in how social engineering can turn an organization’s most trusted tools—Single Sign-On (SSO) and Multi-Factor Authentication (MFA)—into gateways for catastrophic data loss.

The ADT Breach: 5.5 Million Records Compromised via the SaaS Pivot

The most devastating strike in this latest campaign targeted ADT, the largest security and smart-home provider in the United States. In a series of disclosures confirmed via SEC filings and independent verification by breach-tracking services like Have I Been Pwned, it has been revealed that ShinyHunters successfully exfiltrated the data of over 5.5 million customers. The breach, detected on April 20, 2026, allegedly involved 11GB of sensitive information, including names, phone numbers, physical addresses, and, in a limited number of cases, partial Social Security numbers and Tax IDs.

Technically, the ADT intrusion was not the result of a zero-day vulnerability or a software exploit. Instead, the attackers utilized a high-fidelity vishing (voice phishing) attack to target a specific employee. By impersonating IT support staff, the threat actors tricked the victim into revealing their Okta Single Sign-On (SSO) credentials and subsequently approving a real-time MFA request. Once inside the Okta environment, the group pivoted laterally to the company’s Salesforce instance. This “SaaS Pivot” is a hallmark of the ShinyHunters extortion wave, where attackers use the inherent trust between identity providers and cloud applications to export entire customer databases without ever touching the victim’s internal network.

Technical Deep-Dive: The Mechanics of Vishing-Assisted AiTM

To understand the efficacy of this campaign, one must examine the specific toolkits employed by ShinyHunters. Unlike primitive phishing emails, these attacks utilize Adversary-in-the-Middle (AiTM) phishing kits designed for real-time interaction. The process typically follows a rigid technical sequence:

  • Reconnaissance: Attackers gather intelligence on internal IT personnel, often using LinkedIn or previous breaches to spoof a legitimate corporate phone number.
  • The Hook: The victim receives a call from “Corporate IT” claiming a mandatory security update or an issue with the employee’s MFA settings.
  • The Proxy Site: The employee is directed to a victim-branded credential harvesting site (e.g., adt-sso.com) that acts as a transparent proxy between the user and the legitimate identity provider.
  • Session Hijacking: As the victim enters their credentials and MFA code, the AiTM kit relays these in real-time to the actual login portal. The attacker then captures the session cookie, granting them full access to the victim’s SSO dashboard without needing to “crack” the MFA again.

By keeping the victim on the phone, the attacker can guide them through “errors” and multiple MFA prompts, effectively synchronizing the social engineering with the technical bypass. This method has proven effective even against push-based MFA and number-matching security protocols.

Udemy and Vimeo: The Expansion of the Extortion Model

While ADT represents the most significant volume of PII, the ShinyHunters extortion wave has also swept up Udemy and Vimeo, showcasing the group’s ability to target diverse cloud architectures. For Udemy, the attackers claim to have exfiltrated records for 1.4 million users, including names, emails, and internal corporate data. The group issued a “final warning” to the e-learning platform, setting a deadline of April 27, 2026, for ransom negotiations before the data is leaked to the public.

The Vimeo incident highlights a different, yet equally alarming, attack vector: the supply chain compromise. ShinyHunters has claimed responsibility for breaching Vimeo’s Snowflake and BigQuery instances. This attack appears to have originated from a compromise of Anodot, a third-party business analytics firm used by Vimeo. By obtaining authentication tokens from a compromised SaaS integration provider, ShinyHunters bypassed Vimeo’s direct defenses to reach the heart of its data warehousing infrastructure.

Targeting the Data Warehouse: Snowflake and BigQuery Exploitation

In the cases of Vimeo and other recent victims, the objective was the exfiltration of “cold” data stored in cloud warehouses. Attackers specifically targeted:

  1. Snowflake Instances: Using stolen service account tokens or compromised SSO sessions, the group executed bulk COPY INTO commands to move massive datasets into attacker-controlled S3 buckets.
  2. Google BigQuery: Leveraging compromised Google Workspace identities, the group accessed analytical datasets containing user behavior, financial projections, and internal communications.
  3. Salesforce APIs: As seen with ADT, the group often uses malicious “Connected Apps” or trojanized versions of the Salesforce Data Loader to perform high-speed exports of CRM records.

This shift in focus from the “server” to the “data lake” represents a significant strategic pivot. By targeting centralized data warehouses, ShinyHunters can obtain the maximum amount of high-value information with minimal effort compared to traditional lateral movement through a corporate network.
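The bulk `COPY INTO` unloads described above leave a trace in query history. The following is an added detection example (not code from the article or from any vendor): it scans constructed rows loosely modelled on Snowflake's QUERY_HISTORY view (the field names `user_name`, `query_text` and `rows_produced` are assumptions) and flags users whose unapproved unloads, to an external URL or to a stage outside an allowlist, exceed a row threshold. Loads into tables (`COPY INTO <table> FROM @stage`) are deliberately ignored, since only the unload direction moves data out.

```python
import re
from collections import defaultdict

# Target of an unload: COPY INTO <location> FROM ... where <location> is a quoted
# URL ('s3://...') or a stage reference (@my_stage/path). A bare identifier after
# COPY INTO is a load into a table and does not match this pattern.
_COPY_INTO = re.compile(r"COPY\s+INTO\s+(?P<target>'[^']+'|@[\w.$/]+)", re.IGNORECASE)

def classify_unload(query_text, allowed_stages):
    """Return (target, reason) if the statement unloads to an unapproved location, else None."""
    m = _COPY_INTO.search(query_text)
    if not m:
        return None
    target = m.group("target")
    if target.startswith("'"):
        url = target.strip("'")
        if "://" in url:
            return (url, "direct unload to external URL")
        return None  # quoted path without a scheme: not an external destination
    stage = target[1:].split("/")[0].upper()
    if stage not in {s.upper() for s in allowed_stages}:
        return (target, "unload to unapproved stage")
    return None

def find_bulk_unloads(records, allowed_stages, row_threshold):
    """Aggregate unapproved unloads per user and return those at or above the threshold."""
    per_user = defaultdict(lambda: {"rows": 0, "targets": set()})
    for rec in records:
        hit = classify_unload(rec["query_text"], allowed_stages)
        if hit is None:
            continue
        entry = per_user[rec["user_name"]]
        entry["rows"] += rec["rows_produced"]
        entry["targets"].add(hit[0])
    return {u: e for u, e in per_user.items() if e["rows"] >= row_threshold}

# Constructed sample rows (not real query history); shape loosely follows QUERY_HISTORY.
SAMPLE_HISTORY = [
    {"user_name": "ETL_SVC", "query_text": "COPY INTO customers FROM @INGEST_STAGE/daily/", "rows_produced": 2_000_000},
    {"user_name": "ETL_SVC", "query_text": "COPY INTO @REPORTS_STAGE/weekly FROM (SELECT * FROM kpis)", "rows_produced": 50_000},
    {"user_name": "ANALYST_7", "query_text": "COPY INTO 's3://ext-bucket-xyz/dump/' FROM customers", "rows_produced": 5_500_000},
    {"user_name": "ANALYST_7", "query_text": "COPY INTO @unknown_stage/x FROM accounts", "rows_produced": 1_400_000},
    {"user_name": "ANALYST_7", "query_text": "SELECT count(*) FROM customers", "rows_produced": 1},
]

if __name__ == "__main__":
    for user, e in find_bulk_unloads(SAMPLE_HISTORY, ["INGEST_STAGE", "REPORTS_STAGE"], 1_000_000).items():
        print(f"ALERT {user}: {e['rows']:,} rows unloaded to {sorted(e['targets'])}")
```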

The Evolution of ShinyHunters: From Leaks to Strategic Extortion

The ShinyHunters extortion wave currently being observed is the culmination of years of tactical refinement. Originally known for mass data thefts and high-profile leaks on BreachForums, the group has evolved into a more disciplined, financially motivated extortion collective. There is increasing evidence of collaboration—or at least a sharing of tradecraft—between ShinyHunters and other high-profile groups like Scattered Spider (UNC3944).

Both groups favor “Identity-First” attacks, prioritizing the compromise of help desks and administrative accounts over the deployment of malware. This methodology is particularly effective because it leaves a minimal forensic footprint. From a defensive standpoint, the traffic looks like legitimate employee activity. The only anomalies are often “SSO bursts”—sudden spikes in the number of applications accessed by a single user session—and high-volume API requests directed at platforms like Salesforce or Microsoft SharePoint.

Harassment and “Digital Problems”

One of the most concerning aspects of the current ShinyHunters extortion wave is the escalation of pressure tactics. Beyond the standard “pay or leak” ultimatum, the group has been known to engage in direct harassment of victim personnel. This includes sending SMS threats to executives, contacting the families of employees, and launching Distributed Denial of Service (DDoS) attacks against a victim’s public-facing infrastructure to force them to the negotiating table. In the Udemy case, the group explicitly threatened “several annoying digital problems” if their demands were not met, a likely reference to these aggressive escalation tactics.

Defending Against the Identity-SaaS Threat Vector

The ShinyHunters extortion wave demonstrates that traditional security models are ill-equipped to handle the fusion of social engineering and cloud-native exploitation. To counter this threat, organizations must move beyond the “MFA is enough” mindset. The following technical mandates are now essential for enterprise defense:

  • Phishing-Resistant MFA: Organizations must transition away from push-based and SMS MFA in favor of FIDO2-compliant security keys (such as YubiKeys) or Passkeys. These methods are technically immune to AiTM proxying because the cryptographic handshake is tied to the specific, legitimate domain of the identity provider.
  • Conditional Access for SaaS: Access to high-value platforms like Salesforce, Snowflake, and BigQuery must be restricted to managed, compliant devices. Even a stolen session cookie should be useless if the request originates from an unrecognized IP or an unmanaged machine.
  • OAuth and App Governance: Security teams must strictly audit “Connected Apps” within their SaaS environments. Attackers often maintain persistence by authorizing their own malicious apps, which allows them to bypass password changes and session revocations.
  • Identity Threat Detection and Response (ITDR): Modern security operations must prioritize ITDR, which monitors for behavioral anomalies at the identity layer—such as a user accessing ten different SaaS apps in under a minute or the enrollment of a new MFA device from a foreign location.
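Why FIDO2 defeats the AiTM proxy site described in the technical deep-dive: the browser writes the origin the user is actually on into the signed client data, and the relying party rejects any origin other than its own before it even checks the signature. The following added example (not code from the article or any WebAuthn library) models that check; the origin `https://idp.example-corp.test` is hypothetical, and an HMAC stands in for the authenticator's ECDSA signature so the code runs without a crypto library.

```python
import hashlib
import hmac
import json
import secrets

# Stand-in for the credential's private key. Real authenticators sign with ECDSA/EdDSA over
# authenticatorData || SHA-256(clientDataJSON); an HMAC over the same bytes is used here only
# so the example runs offline. This is an assumption of the example, not WebAuthn itself.
CRED_SECRET = secrets.token_bytes(32)
RP_ORIGIN = "https://idp.example-corp.test"  # hypothetical legitimate identity-provider origin

def authenticator_sign(client_data_json: bytes, authenticator_data: bytes) -> bytes:
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    return hmac.new(CRED_SECRET, signed, hashlib.sha256).digest()

def browser_get_assertion(challenge: str, page_origin: str):
    """Model the browser: it records the origin the user is really on, not what the page claims."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, separators=(",", ":")).encode()
    auth_data = b"\x00" * 37  # rpIdHash/flags/counter placeholder, constant for this example
    return client_data, auth_data, authenticator_sign(client_data, auth_data)

def rp_verify(expected_challenge: str, client_data_json: bytes, auth_data: bytes, sig: bytes) -> str:
    """Relying-party checks in the order WebAuthn specifies; returns 'ok' or the failing check."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return f"origin mismatch: {cd.get('origin')}"
    if not hmac.compare_digest(authenticator_sign(client_data_json, auth_data), sig):
        return "bad signature"
    return "ok"

def run_flow(page_origin: str) -> str:
    """Challenge issued by the RP; a proxy can relay it unchanged but cannot change the origin."""
    challenge = secrets.token_urlsafe(32)
    cd, ad, sig = browser_get_assertion(challenge, page_origin)
    return rp_verify(challenge, cd, ad, sig)

if __name__ == "__main__":
    print("legitimate login:", run_flow(RP_ORIGIN))
    # In practice the browser refuses to use the credential on the proxy domain at all, because
    # the credential's rpId is not a registrable suffix of that origin; this shows the RP-side stop.
    print("via AiTM proxy:  ", run_flow("https://adt-sso.com"))
```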

Conclusion: The New Frontier of Corporate Extortion

The ShinyHunters extortion wave hitting ADT, Udemy, and Vimeo is a stark reminder that the “identity perimeter” is the most contested space in modern cybersecurity. By mastering the art of the vishing call and the technical intricacies of the SaaS pivot, ShinyHunters has created a highly repeatable and devastatingly effective attack chain. The 5.5 million homeowners affected by the ADT breach are merely the latest victims of a strategy that targets the human element to unlock the world’s most sensitive data stores.

As organizations continue to centralize their most critical assets in the cloud, the incentive for groups like ShinyHunters will only grow. The path forward requires more than just technical patches; it necessitates a total overhaul of how enterprises verify trust, manage identity, and respond to the psychological warfare of modern cyber extortion. Without a fundamental shift toward phishing-resistant architectures, the ShinyHunters extortion wave will likely continue to claim high-profile victims throughout 2026 and beyond.

Written by

TempMail Ninja

Digital privacy and online security expert. Passionate about creating tools that protect users' identity on the internet.