ShinyHunters is on an absolute tear right now and nobody seems to be able to stop them.
Wynn Resorts. Figure. Odido. Harvard University. SoundCloud. Crunchbase. Fujifilm. Adidas. Cartier. Kering — which, for those not paying attention, means Gucci, Balenciaga, and Brioni just got hit by the same crew that cracked a casino. Air France and KLM. IKEA. These ass-clowns have apparently decided that 2026 is their year and they’re working the list like it’s a goddamn advent calendar of corporate disasters.
The technique? Same every time. Voice phishing. Real-time MFA bypass kits. A phone call to a help desk agent. A convincing fake IT support persona. And suddenly your Okta SSO is wide open and they’re inside every application in your stack simultaneously.
One attack surface. One phone call. Unlimited blast radius. How did nobody see this coming?
The Full Damage Report
Let me run through the confirmed victims because the list is genuinely jaw-dropping.
Wynn Resorts got listed on ShinyHunters’ dark web blog on February 19th, 2026. According to The Register and TechRadar, the group claims to have stolen more than 800,000 employee records — Social Security numbers, personal details, the works. Ransom demand: 22.34 Bitcoin, approximately $1.5 million. Deadline: February 23rd. Wynn hasn’t issued a public statement. The original intrusion reportedly took place in September 2025. So — just like Conduent — they were sitting on this for months before it became public. Brilliant.
Figure, a blockchain-based fintech lending company, confirmed to TechCrunch on February 12th that hackers broke into an employee account and downloaded files. ShinyHunters took credit, said Figure refused to pay, and published 2.5 gigabytes of stolen data. Per Crowdfund Insider, close to one million customers had their names, addresses, dates of birth, and phone numbers exposed.
Odido — the largest Dutch telecom, with 6 million customers — suffered a breach of its customer relationship management system in early February 2026. ShinyHunters claimed the hit, posted Odido on their leak blog, and as of this week, Reuters and Cybernews confirm the group is actively leaking 2 million records per day in retaliation for Odido refusing to pay. “Day 2 leak is here,” they posted. “After tomorrow (day 3), we will start publishing 2 million records per day. This is because of the recent Odido stance on not paying a ransom.” So that’s going well for everyone.
And then there’s the “Trinity of Chaos” data leak site that Resecurity documented in February, where ShinyHunters published a victim list that reads like a Fortune 500 shopping list: Fujifilm, Albertsons, Instacart, Petco, Kering, Puma, Cartier, Adidas, Pandora, TransUnion, Chanel, IKEA, Qantas Airways, CarMax, Air France, KLM, Saks Fifth Avenue, SoundCloud, Crunchbase. Most of these companies had an October 10th deadline to negotiate. The group claims victims originate from previous campaigns exploiting Salesforce / Salesloft integrations and other SaaS application chains.
That’s not a breach. That’s an industry-wide catastrophe that’s been playing out in slow motion for months.
The Technique: Vishing + Real-Time MFA Bypass Kits
Here’s how ShinyHunters are actually doing this, because understanding the mechanics is the first step to not being the next victim on their list.
According to BleepingComputer, the group is running sophisticated voice phishing campaigns targeting SSO accounts at Okta, Microsoft Entra, and Google. The attack flow goes like this:
- Attacker calls an employee — often a help desk agent or IT staff member, sometimes a regular employee — and impersonates IT support or a vendor.
- Using real-time phishing kits, they proxy the victim’s legitimate login to their own fake portal in real time. The victim enters their credentials and MFA code into what they think is a legitimate authentication flow. The attacker captures both and replays them immediately before the time-limited OTP expires.
- Once inside Okta or Microsoft Entra SSO, they have access to every application the employee is provisioned for — email, HR systems, CRM, financial applications, cloud storage, the lot.
- They exfiltrate at speed, list the victim on their dark web site, and wait for the ransom call.
UpGuard’s analysis describes the attack as using “custom real-time phishing kits to bypass multi-factor authentication.” Okta themselves acknowledged the rise in these vishing kits and published a report describing the methodology — which is their way of saying “we know this is happening, we’re not compromised as a platform, but our customers keep handing criminals their SSO codes over the phone.”
Okta has also stated — correctly — that their own platform infrastructure remains secure. This is not a vulnerability in Okta. This is a vulnerability in humans answering phones and being socially engineered. Which, frankly, is a worse problem to have. You can patch a CVE. You cannot patch human gullibility.
What’s particularly nasty is the “insider access” angle. The Register notes that ShinyHunters has previously used Telegram to solicit insider access, and in one documented case reportedly claimed to have paid a CrowdStrike employee $25,000 for access (CrowdStrike denied any breach resulted). Whether that specific claim is accurate or posturing, the tactic is real. Criminal groups are actively recruiting insiders at target organizations. Your disgruntled IT contractor is a threat actor.
This Is Not a New Problem — It’s a Predictable Catastrophe
Let me be absolutely clear: ShinyHunters pulling off this campaign at this scale is not a shock. It is the direct, completely predictable consequence of the following sequence of terrible decisions, made by hundreds of organizations over the past decade:
Decision 1: Centralize all authentication through a single SSO provider for convenience. Fine. Reasonable. Efficient. But now one compromised credential means access to everything.
Decision 2: Implement MFA — but use TOTP codes or SMS OTPs instead of phishing-resistant FIDO2 hardware keys, because hardware keys are “too expensive” or “create too much friction.”
Decision 3: Allow help desk agents to reset MFA over the phone, because “we need to support users who lose their authenticator.” Translation: you’ve built a backdoor into your MFA that any convincing caller can walk through.
Decision 4: Don’t run meaningful user behavior analytics on SSO access. So when someone authenticates successfully but then immediately accesses twelve applications they’ve never touched before and starts downloading everything, no alert fires.
Decision 5: Don’t train help desk agents specifically on vishing scenarios for SSO account changes. Give them generic “security awareness training” once a year and call it done.
You execute all five of those decisions — and most organizations have — and you’re not one sophisticated attacker away from disaster. You’re one phone call away.
I’ve written before about the sociotechnical dimension of security failures — the human clusterfuck is always the real vulnerability. Your firewall doesn’t answer the phone. Your help desk agent does. And ShinyHunters has apparently figured out very precisely how to exploit that.
The Casino Angle Is Not a Coincidence
Wynn Resorts is, what, the third major Las Vegas resort chain to get hit by a ShinyHunters-adjacent crew? Let’s recap: Caesars Entertainment and MGM Resorts were both hit in September 2023 by Scattered Spider — a group with documented ties to the ShinyHunters collaborative — using the exact same technique: Okta SSO codes obtained through help desk vishing calls. The Register notes this explicitly.
MGM’s ransomware response cost them an estimated $100 million in losses. Caesars apparently paid a reported $15 million ransom. And now Wynn is on the list, facing $1.5 million in demands, and the technique used is functionally identical to what worked on their competitors three years ago.
What in the absolute hell has the Las Vegas hospitality sector been doing with their identity security since 2023? You had two extremely high-profile case studies, documented in excruciating detail across every security trade publication in existence, showing exactly how this attack works and exactly what it costs. And Wynn apparently looked at those case studies and decided… to keep the same vulnerable help desk procedures.
I don’t have better words for that than “spectacular organizational stupidity.”
The Odido Situation Is Still Developing and It’s Ugly
The Odido situation deserves specific attention because it’s active and escalating right now. As of February 27th, 2026 — today — Cybernews and NL Times are reporting that ShinyHunters is actively publishing stolen Odido data, with threats to release 2 million records per day until they get paid.
Six million total customers. A Dutch telecom. The largest in the Netherlands. Their CRM system — which means customer contact details, account information, interaction history — got lifted and is now being drip-leaked onto the dark web as leverage.
And Odido has taken the position of not paying. Which I actually respect — paying ransom is wrong, it funds more attacks, and there’s zero guarantee your data gets deleted — but the practical consequence for their six million customers is that their personal data is being published in daily installments for the world to see.
The Dutch Data Protection Authority is going to have opinions about this. GDPR fines for a breach of this scale can reach 4% of annual global turnover. So Odido is currently caught between paying criminals and paying regulators. Neither option is good. The time to fix this was before the breach.
The Fixer’s Advice — What You Must Do This Week
I’m going to be very specific here because “improve identity security” is useless advice. Here’s what actually needs to happen:
Deploy FIDO2 / passkeys for every user, zero exceptions, no fallback. This is the single highest-impact control you can implement. A hardware security key (YubiKey, Google Titan) or a platform passkey (Face ID, Windows Hello) is cryptographically bound to the legitimate website’s domain. A real-time phishing kit cannot relay it. A convincing phone call cannot extract it. The attacker on the other end of the vishing call gets nothing. Okta, Microsoft Entra, and Google Workspace all support FIDO2 passkey authentication today. If you are not using it, you are making a choice to remain vulnerable.
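To make the origin-binding point concrete, here is an added example (mine, not from the post or from any vendor) that models the relay described in the attack flow above against both factors: a TOTP code forwarded by a real-time proxy is accepted by the identity provider, while a FIDO2/WebAuthn assertion produced on a lookalike origin is rejected before the signature is even checked. The hostnames are constructed, and the authenticator’s ECDSA signature is stood in for by an HMAC keyed with a per-credential secret; the origin and challenge checks are the real WebAuthn relying-party checks.

```python
import hashlib
import hmac
import json
import struct

LEGIT_ORIGIN = "https://sso.example.com"   # constructed hostname for the real IdP
PHISH_ORIGIN = "https://sso-example.com"   # constructed lookalike the relay proxy sits on

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), i.e. the code the victim reads off their phone."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def idp_verify_totp(secret: bytes, submitted: str, now: int) -> bool:
    # The IdP has no idea who typed the code: any value valid in the window passes.
    return any(hmac.compare_digest(totp(secret, now + d), submitted) for d in (-30, 0, 30))

def relayed_totp_login(secret: bytes, now: int) -> bool:
    # Victim types the code into the proxy page; the proxy forwards it unchanged.
    return idp_verify_totp(secret, totp(secret, now), now)

def authenticator_sign(cred_key: bytes, origin: str, challenge: str) -> dict:
    # WebAuthn: the browser, not the page, writes clientDataJSON.origin with the
    # origin the user is actually on, and the authenticator signs over its hash.
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    cd_hash = hashlib.sha256(client_data.encode()).digest()
    sig = hmac.new(cred_key, cd_hash, hashlib.sha256).hexdigest()  # stand-in for ECDSA
    return {"clientDataJSON": client_data, "signature": sig}

def idp_verify_assertion(cred_key: bytes, assertion: dict, challenge: str) -> bool:
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("origin") != LEGIT_ORIGIN or cd.get("challenge") != challenge:
        return False  # origin binding: this is where a relayed assertion dies
    cd_hash = hashlib.sha256(assertion["clientDataJSON"].encode()).digest()
    expected = hmac.new(cred_key, cd_hash, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])

def relayed_fido2_login(cred_key: bytes, challenge: str) -> bool:
    # The proxy can forward the IdP's real challenge, but the victim's browser is on
    # the lookalike origin, so that origin is what ends up under the signature.
    return idp_verify_assertion(cred_key, authenticator_sign(cred_key, PHISH_ORIGIN, challenge), challenge)

def direct_fido2_login(cred_key: bytes, challenge: str) -> bool:
    return idp_verify_assertion(cred_key, authenticator_sign(cred_key, LEGIT_ORIGIN, challenge), challenge)
```

In a real deployment the authenticator data also carries a hash of the relying-party ID, which would mismatch for the same reason; the origin check alone is enough to show why the vishing kit walks away empty-handed.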
Kill phone-based MFA resets at your help desk. Right now. Today. If an employee calls and says they lost their authenticator, the process must be: ticket created, manager notified, identity verified through an out-of-band process (in-person, video call with ID verification, callback to a verified number on file), new device enrolled. No exceptions for executives. No “just this once.” The account recovery process is the back door, and ShinyHunters knows where it is.
Implement Okta’s Identity Threat Protection. This is a continuous session evaluation feature that re-assesses risk signals throughout an authenticated session — not just at login. Unusual application access sequences, impossible travel, anomalous download volumes — these trigger re-authentication challenges. It doesn’t prevent the initial vishing call from working, but it dramatically reduces the window of damage after authentication.
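For the “authenticates, then immediately fans out to applications they’ve never touched” pattern called out under Decision 4, here is an added example (mine, not Okta’s Identity Threat Protection or any product logic) of the minimal detection rule a SOC could run over SSO logs. The baseline and the event lines are constructed and only loosely shaped like Okta System Log entries; the event type names and field layout are an assumption, not a guarantee of what a given tenant emits.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline: apps each user normally touches (in practice, ~30 days of history).
BASELINE = {"alice": {"Slack", "Gmail", "Jira"}, "bob": {"Slack", "Gmail"}}

# Constructed events, loosely shaped like Okta System Log entries. alice's session
# starts and within three minutes fans out to apps she has never used; bob is normal.
EVENTS = [
    {"eventType": "user.session.start", "actor": "alice", "app": None, "published": "2026-02-20T09:00:00Z"},
    {"eventType": "user.session.start", "actor": "bob", "app": None, "published": "2026-02-20T09:00:30Z"},
    {"eventType": "user.authentication.sso", "actor": "alice", "app": "Gmail", "published": "2026-02-20T09:01:10Z"},
    {"eventType": "user.authentication.sso", "actor": "bob", "app": "Gmail", "published": "2026-02-20T09:01:30Z"},
    {"eventType": "user.authentication.sso", "actor": "alice", "app": "Workday", "published": "2026-02-20T09:02:05Z"},
    {"eventType": "user.authentication.sso", "actor": "alice", "app": "Salesforce", "published": "2026-02-20T09:02:40Z"},
    {"eventType": "user.authentication.sso", "actor": "bob", "app": "Jira", "published": "2026-02-20T09:02:50Z"},
    {"eventType": "user.authentication.sso", "actor": "alice", "app": "NetSuite", "published": "2026-02-20T09:03:12Z"},
    {"eventType": "user.authentication.sso", "actor": "alice", "app": "Box", "published": "2026-02-20T09:03:50Z"},
]

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def detect_novel_app_burst(events, baseline, window=timedelta(minutes=15), threshold=3):
    """Alert when a user reaches >= threshold apps outside their baseline within
    `window` of a session start. Returns [(user, session_start_ts, novel_apps)]."""
    alerts = []
    session_start = {}
    novel = defaultdict(list)   # user -> novel apps seen in the current session
    for ev in sorted(events, key=lambda e: e["published"]):
        user, ts = ev["actor"], parse_ts(ev["published"])
        if ev["eventType"] == "user.session.start":
            session_start[user], novel[user] = ts, []   # new session, fresh counter
            continue
        if ev["eventType"] != "user.authentication.sso" or user not in session_start:
            continue
        if ts - session_start[user] > window:
            continue   # outside the post-login window this detector cares about
        app = ev["app"]
        if app not in baseline.get(user, set()) and app not in novel[user]:
            novel[user].append(app)
            if len(novel[user]) == threshold:   # fire once, at the moment the bar is crossed
                alerts.append((user, session_start[user], list(novel[user])))
    return alerts
```

The natural response action on an alert is to terminate the session and force re-authentication, which is the same thing the continuous evaluation described above is meant to do automatically.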
Run vishing simulation exercises. Not phishing simulations — vishing. Hire a red team to call your help desk agents pretending to be employees locked out of their SSO accounts. See who resets MFA credentials over the phone. See who follows proper procedure. Do this quarterly. Make it part of your security culture. The help desk agents who hand over access aren’t stupid — they’re untrained and undrilled for this specific attack scenario.
Audit your SaaS application access grants. Every application connected to your Okta or Entra tenant has a blast radius. Do a full inventory of what’s connected: who has access to what, and what data can be exfiltrated from each application if an employee account gets compromised. Then put context-aware conditional access policies — require managed devices, known IP ranges, reasonable geolocation — on your highest-sensitivity applications first.
Monitor for insider access solicitation. ShinyHunters is actively recruiting insiders on Telegram and other platforms, offering payments for access. This sounds like something that only happens to other organizations. It doesn’t. Brief your security team and HR on what this looks like. Set up processes for employees to report if they receive unusual approaches offering money for system access. Make it safe and easy to report. One employee who reports a contact instead of being tempted can save your organization $1.5 million in ransom and years of reputational damage.
As I wrote about in my breakdown of the MGM / Caesars Scattered Spider attack, the fundamental error these organizations keep making is treating identity security as a product implementation rather than an ongoing operational discipline. You buy Okta. You configure MFA. You tick the box. You move on. And then two years later a criminal calls your help desk and you realize you ticked the wrong boxes.
The Call-Out
ShinyHunters has now apparently hit dozens of organizations across multiple industries and multiple continents in a single sustained campaign using a technique that has been publicly documented, extensively analyzed, and discussed at every security conference since 2023.
Wynn Resorts is the third major Vegas casino to fall to this exact attack vector.
Odido’s six million customers are having their personal data published online, two million records at a time, today.
Figure’s million customers had their data published because the company refused to pay.
The technique is not exotic. The countermeasures are known. FIDO2 passkeys defeat real-time phishing kits. Proper account recovery procedures defeat vishing attacks on help desks. Behavioral analytics on SSO sessions catch anomalous post-authentication activity.
None of this is hard. None of this is expensive relative to the cost of being on ShinyHunters’ list. The companies on that Trinity of Chaos victim roster made choices — conscious or unconscious — to remain vulnerable to a technique they had every opportunity to learn about and defend against.
Don’t be on the next list. Fix your identity security before the call comes. Because ShinyHunters are dialing.
