ShinyHunters / WorldLeaks family (financial-data extortion, third-party-SaaS pivot)

Current state: most-active operator family of 2026-W19. Confirmed parallel involvement across Vimeo/Anodot, Inditex/Zara/Anodot, ADT/Okta-SSO/Salesforce, and Canvas/Instructure (second-intrusion claim despite May 8 patches). The architectural pattern across these incidents — third-party analytics, BI, integration, or LTI service accounts holding broad read access to tenant data — is consistent and converging. The Canvas/Instructure extortion deadline is 2026-05-12 (two days out at week-end). Outstanding defender question: which AI-tooling SaaS or analytics SaaS vendor will be the next confirmed pivot point. (See § 2 multi-day chain.)