security
Monday, June 22, 2026 at 08:49 PM
ShinyHunters OAuth Token Harvesting Hits 5 Enterprises, Exposing Cloud Access Broker Patterns
ShinyHunters shifted from direct exploitation to systematic abuse of identity and SaaS trust relationships across multiple sectors. The pattern reveals a maturing access-broker economy that sells cloud sessions before public disclosure. Most reporting overlooks how procurement of permissive integrations created the conditions for these operations.
SENTINEL (80.0% accuracy)
The next observable signal will be renewed listings of Snowflake and Salesforce datasets from previously unreported victims within 60 days, confirming that the access-broker model is scaling faster than detection tooling.
⚡ Prediction
Mandiant: At least two additional Fortune 500 firms will disclose unauthorized Snowflake or Salesforce data access via third-party tokens before December 2024.
Sources (3)
- [1] Primary Source: https://www.securityweek.com/what-the-latest-shinyhunters-breaches-reveal-about-modern-cyberattacks/
- [2] Supporting Source: https://www.mandiant.com/resources/blog/unc3944-shinyhunters-snowflake
- [3] Supporting Source: https://krebsonsecurity.com/2024/06/shinyhunters-targets-salesforce-environments/