ShinyHunters Salesforce-credential extortion — three named victims confirmed across the week, capped by Carnival's 5.99M-record disclosure

The campaign that the dailies tracked piecewise resolved into one of the week's clearest victim-acquisition arcs. Start of week: ShinyHunters listed Charter Communications (Spectrum) as a telco victim, threatening ~42M records (2026-05-25). Mid-week: Charter and 7-Eleven both moved from claim to confirmed disclosure, 7-Eleven putting the count at ~185,000 affected (2026-05-27). End of week: Carnival Corporation confirmed a breach exposing passport and driver's-licence numbers across four cruise brands (2026-05-29) — Carnival's own notice states an unauthorised actor "used social engineering to deceive an employee to gain access to a limited portion of the company's IT system," and the Maine Attorney General data-breach filing puts the count at ~5.99M records.

The cross-day point for this audience is the vector, not any single victim: the consistent entry is social-engineering of an employee account into Salesforce / connected-app access, the same operation that earlier claimed Instructure, Vimeo, Wynn Resorts, Vercel and Medtronic. Any organisation with Salesforce-connected apps and OAuth-integrated third parties should re-audit connected-app OAuth scopes and refresh-token lifetimes, and harden help-desk identity verification against voice-phishing.