ShinyHunters — financially motivated data-theft group

The ShinyHunters extortion brand (the data-theft cluster Google tracks as UNC6240) ran on two fronts this week. The technical core remains the Oracle PeopleSoft zero-day campaign (CVE-2026-35273) consolidated in the W24 weekly, and Google's Threat Intelligence Group sharpened it this week: GTIG's analysis confirms UNC6240 exploited the flaw between 27 May and 9 June as a zero-day, has notified 100+ organisations (68% in higher education), and documented the TTPs — JSP shell implant, a customised MeshCentral agent masquerading as Azure cloud endpoints, [victim]_fanout.sh SSH credential-spraying and zstd-compressed exfiltration (Google GTIG). On 2026-06-16 ShinyHunters listed the Council of Europe — the 46-member Strasbourg human-rights body of which Switzerland is a member — claiming roughly 297 GB exfiltrated; per W1's assessment it is the only named European-institution victim in the campaign to date (SecurityWeek, 2026-06-16; daily 06-16). In parallel the brand expanded its leak-site extortion pressure beyond PeopleSoft: Eastman Kodak confirmed on 2026-06-17 that "an unauthorized third party illegally gained access to a limited amount of company data" after a ShinyHunters listing (SecurityWeek, 2026-06-19; daily 06-20), and Amazon's One Medical confirmed a legacy third-party file-storage breach while ShinyHunters' unverified 8.8 TB claim ran a deadline that expired 2026-06-21 (BankInfoSecurity, 2026-06-20; daily 06-21).

The cross-day pattern for a CH/EU SOC: the same brand is simultaneously running a confirmed enterprise-SaaS zero-day (PeopleSoft, vendor-confirmed) and a higher-noise leak-site operation where claims (Kodak data volume, the One Medical 8.8 TB figure) are attacker-asserted and partly unverified. Triage the two differently — the PeopleSoft exposure is a patch-and-hunt emergency for internet-reachable instances; the leak-site listings warrant victim-notification monitoring but the headline data volumes should be treated as unconfirmed until the victim corroborates.

Oracle's June Critical Security Patch Update shipped 245 fixes on 2026-06-17, around 100 remotely exploitable without authentication, headlined by an unauthenticated Solaris Remote Administration Daemon flaw (CVE-2026-46978, CVSS 10.0) and a PeopleSoft RCE (CVE-2026-35278, 9.8) (Oracle CSPU; daily 06-18). The PeopleSoft fix lands in the middle of the ShinyHunters PeopleSoft campaign (§ 2) — prioritise PeopleSoft and any internet-reachable Solaris RAD instances.

The public sector again carried high-severity activity on multiple vectors. The Council of Europe — a Strasbourg human-rights body of which Switzerland is a member — was named in the ShinyHunters PeopleSoft campaign (§ 2). Iran-aligned Handala breached California Water Service through an internet-exposed RTKBase GNSS platform, leaking billing PII for ~2M customers though without OT access (SecurityWeek, 2026-06-14; daily 06-15). Texas Parks & Wildlife disclosed a third-party-vendor breach exposing 3.08M licence holders' names and driver's-licence numbers (BleepingComputer, 2026-06-18; daily 06-21). And the recurring lesson for CH/EU administration is the PTC Windchill emergency (§ 1), where the BSI's after-hours calls underline how government CERTs are now treating internet-exposed public-sector and industrial software.

Education entities sat under two pressures this week: the continuing ShinyHunters PeopleSoft campaign that W24 documented landing disproportionately on universities, and a cluster of critical web-application CVEs in software ubiquitous across European universities and student communities — JCE for Joomla (CVE-2026-48907, exploited), phpBB (CVE-2026-48611), Drupal core (CVE-2026-55803, BSI critical) and LiteSpeed shared-hosting (CVE-2026-54420, exploited), all in § 3. The pattern is not a single incident but an attack-surface concentration: the open-source CMS/forum/hosting stack that the education sector runs widely all took critical, partly-exploited disclosures in one week.

One Medical (Amazon) confirmed on 2026-06-13 that an unauthorised party accessed a legacy third-party file-storage system retaining archived records for One Medical Seniors (formerly Iora Health), during a 2026-06-08 to 2026-06-11 window, affecting demographic and clinical records for patients at nine clinics (BankInfoSecurity, 2026-06-19). One Medical states the breach is confined to that legacy system. Separately, ShinyHunters claims theft of 8.8 TB and set a 2026-06-22 negotiation deadline — today — but the company has not confirmed ShinyHunters' involvement or the data volume, and no sample has been released to validate the claim. [SINGLE-SOURCE] — see § 7.

Defender takeaway: ShinyHunters' maximalist-claim-then-short-deadline pattern recurred across multiple victims this week (Kodak, covered 2026-06-20, among them); the confirmed subset is consistently smaller than the claimed one. Audit legacy and "decommissioned" third-party storage that may still hold archival PII/clinical data outside normal operational scope, and keep those systems inside third-party risk assessments. The passing 06-22 deadline is the near-term monitoring trigger: data release would corroborate the 8.8TB vector, silence suggests a pivot to negotiation.

Eastman Kodak acknowledged on 17 June 2026 that "an unauthorized third party illegally gained access to a limited amount of company data," after ShinyHunters listed it on their dark-web leak site on 15 June claiming 2.2 million PII records and set an 18 June contact deadline (SecurityWeek, 2026-06-18; BleepingComputer, 2026-06-17). As of the deadline ShinyHunters had not published samples — consistent with the group's pattern of withholding proof to maximise leverage. Kodak did not disclose the access vector; ShinyHunters' 2026 campaign has leaned on misconfigured Salesforce Experience/Aura guest-user access, Oracle PeopleSoft (CVE-2026-35273) and Snowflake credential stuffing across 100+ victims, with the group claiming a 1.5-billion-record Salesforce corpus (BleepingComputer, 2026-06-17).

Defender takeaway: The Kodak claim is a leak-site listing with limited Kodak confirmation; treat the 2.2 M figure as unverified. The transferable action for CH/EU defenders is the ShinyHunters platform pattern — audit Salesforce Experience Cloud for IsGuestEnabled=true profiles with object-level access to sensitive tables, alert on high-volume SOQL from guest sessions, and enforce IP restriction on Salesforce orgs.

UPDATE (originally covered 2026-06-12/2026-06-13): ShinyHunters listed the Council of Europe — the 46-member Strasbourg human-rights body, of which Switzerland is a member — claiming 297 GB across ~429,000 files taken via the Oracle PeopleSoft Environment Management Hub zero-day CVE-2026-35273, and set a 16 June leak deadline (SecurityWeek, 2026-06-15). This is the first European intergovernmental institution named in the 100+-organisation PeopleSoft campaign previously covered as an education-sector wave.

The claimed dataset spans payroll for 10,000+ current and former staff (2011–2026), 14,000+ CVs, and HR records with names, dates of birth, addresses, bank-account, tax/social-security and medical data. The Council of Europe confirmed it "is currently investigating the matter and assessing the situation" and has not confirmed exfiltration (The Register, 2026-06-15; BleepingComputer, 2026-06-15). The vector — unauthenticated HTTP to the /PSEMHUB/hub servlet (T1190) — is unchanged; treat any externally-reachable PeopleSoft Environment Management Hub as compromised pending forensic review and block perimeter access to /PSEMHUB/*. Confidence on the victim claim is MEDIUM pending Council of Europe confirmation (extortion-site claim).

If you did nothing this week: if you run internet-reachable Oracle PeopleSoft, assume data-theft exposure — the initial-access vector that was merely attacker-asserted last week is now vendor-confirmed as a zero-day, with 100+ organisations already breached.

What was a claim-only story on 11 June became vendor-confirmed within 48 hours. Oracle assigned CVE-2026-35273 (CVSS 9.8), an unauthenticated flaw in the PeopleSoft Environment Management Hub, and shipped an out-of-band patch (Oracle security alert; daily 06-12). Mandiant and Google GTIG then formally attributed the campaign to UNC6240 (ShinyHunters) and confirmed active exploitation against 100+ organisations, with the education sector disproportionately represented; the University of Nottingham quantified roughly 455,000 affected records (Google GTIG; daily 06-13).

This is a direct hit on a sector dense with European public-sector entities — universities and research institutions running PeopleSoft for HR and campus systems. Apply Oracle's out-of-band fix, then assume data exfiltration on any instance that was internet-reachable before patching: review Environment Management Hub access logs, rotate exposed credentials, and prepare for extortion contact, which is ShinyHunters' standard follow-through.

The week's clearest sectoral concentration. Mandiant/GTIG's attribution of the Oracle PeopleSoft zero-day campaign (§ 1) explicitly noted that the education sector was hit hardest, with the University of Nottingham confirming ~455,000 affected records (Google GTIG; daily 06-13). It rhymes with the earlier Oxford University CareerConnect breach, where third-party provider Group GTI's compromise exposed students across multiple UK universities (Oxford; daily 06-09). European higher-education ICT teams running PeopleSoft or relying on shared careers/HR SaaS should treat both as direct warnings.

CrowdStrike's report (published 9 June, distilled in the 06-11 daily) found technology to be the most-targeted sector. Rather than re-recap it, the weekly's lens is corroboration: this very week supplied the evidence. The Shai-Hulud/Atomic Arch supply-chain wave (§ 2), the ShinyHunters PeopleSoft zero-day (§ 1), and the run of AI-developer-platform flaws (Langflow, LangGraph, LiteLLM in § 3) are all attacks on the technology supply chain and the developer toolchain rather than merely through it. For a public-sector SOC the implication is that the technology vendors and open-source components in your stack are themselves now the front line — SBOM-driven component inventory (see § 8) is the prerequisite for reasoning about it.

SimpleHelp, a self-hosted remote-support/RMM platform common in European MSP estates, fails to verify the cryptographic signature of OIDC identity tokens presented at login when OIDC authentication is enabled (Horizon3.ai, 2026-06-12). A remote, unauthenticated attacker who submits a forged, unsigned token carrying arbitrary identity claims obtains a fully authenticated Technician session with no user interaction; because signature verification is skipped entirely, any MFA enforced at the identity provider is also bypassed. SimpleHelp patched it in versions 5.5.16 and the 6.0 RC2 prerelease (Security Notice 2026-05); servers running 5.5.15 and earlier are affected (SimpleHelp, 2026-06-12). Horizon3 published detection IOCs for post-exploitation in MSP environments; neither the vendor notice nor the Horizon3 disclosure states a CVSS score at the time of writing. Maps to T1190 (Exploit Public-Facing Application) and T1078.004 (Valid Accounts). Technician access to an RMM server is a stepping stone into every downstream client estate, which is why MSP-tooling auth bypasses are a recurring initial-access vector. Detection: review SimpleHelp access logs for successful Technician authentications preceded by malformed/no-signature OIDC token exchanges and for new Technician sessions from unfamiliar source ranges. Hardening: patch immediately; until then disable OIDC and require SAML or local auth with MFA, and network-restrict the web interface.

CVE Summary Table

(CVE-2026-35273 carried as § 4 UPDATE; included here for the gate-clearing exploitation picture. CVEs that did not clear a § 2 inclusion gate — GitLab CVE-2026-6552 and the Check Point LangGraph chain — are noted in § 3 / § 7.)

UPDATE (originally covered 2026-06-11): Mandiant and Google GTIG formally attribute the PeopleSoft Environment Management Hub exploitation campaign to UNC6240 (ShinyHunters) and confirm the activity ran from 27 May to 9 June 2026 — predating Oracle's 10 June out-of-band advisory, establishing CVE-2026-35273 (CVSS 9.8) as a zero-day at time of exploitation (Mandiant/GTIG, 2026-06-11). The unauthenticated SSRF→RCE is reached via the /PSEMHUB/hub and /PSIGW/HttpListeningConnector endpoints in PeopleTools 8.61/8.62.

GTIG notified over 100 organisations whose endpoints correlated with exploitation; 68% are higher-education institutions. Post-exploitation, the actor deployed MeshCentral remote-management agents disguised as Azure binaries, used SSH fan-out scripts with PeopleSoft admin credentials for lateral movement, and exfiltrated to the ShinyHunters leak site (Rapid7, 2026-06-12). The University of Nottingham confirmed 454,600 student and alumni records were taken, including passport numbers (University of Nottingham; BleepingComputer, 2026-06-11). CISA added the CVE to KEV on 12 June. Swiss/EU universities running Campus Solutions should treat this as P1 (see § 0 Immediate Action and § 6).

UPDATE (originally covered 2026-06-11): the initial-access vector that was attacker-asserted yesterday is now vendor-confirmed: Oracle assigned CVE-2026-35273 (CVSS 9.8), an unauthenticated RCE in the PeopleTools Environment Management Hub (PSEMHUB, versions 8.61/8.62), and published an out-of-band Security Alert with fixes (Oracle, 2026-06-10; SecurityWeek, 2026-06-11).

Mandiant GTIG formally attributes the campaign to UNC6240 (ShinyHunters), dating exploitation 27 May – 9 June — a zero-day for the full window — and details the post-exploitation chain: customised MeshCentral remote-management agents masquerading as Microsoft Azure components for persistence and C2, and a per-victim _fanout.sh lateral-movement script spraying SSH credentials against internal hosts harvested from /etc/hosts (T1190, T1021.004). Mandiant notified more than 100 organisations with exposed PSEMHUB endpoints; 68 % are higher-education institutions (Mandiant GTIG, 2026-06-11).

The University of Nottingham — confirmed as a victim yesterday — now quantifies the damage: roughly 40 GB exfiltrated covering ~455,000 individuals across its UK, Malaysia and China campuses, including names, contact details, ethnicity, disability, passport and tuition-payment data; the ICO says it is assessing the report (BleepingComputer, 2026-06-11; The Record, 2026-06-11; University of Nottingham, 2026-06-10). Action: see the § 0 callout — patch out-of-band and compromise-assess; yesterday's hardening guidance (default SSH service accounts, PSEMHUB exposure) stands.

ShinyHunters published the DentaQuest dataset this week: 234 GB, 2.6 million records in HIPAA-format ASC X12 claims interchange, including Medicaid IDs (BleepingComputer, 2026-06-04). The DentaQuest extortion arc is the week's clearest demonstration that the ShinyHunters operation monetises pure data theft — no encryption, no backup-based leverage — placing the detection priority at bulk-export monitoring in claims and SaaS systems rather than backup integrity. Additionally, CVE-2026-42251 in KAMSOFT KS-SOMED (hardcoded FTP update-server credentials, allowing trojanised updates to any downstream Polish NHS deployment) underlines the supply-chain-through-update-mechanism risk in healthcare software.

DentaQuest (Sun Life subsidiary, administering dental/vision benefits for ~35 M US Medicaid and Medicare members) confirmed on 1 June that ShinyHunters published 234 GB of stolen data after ransom negotiations broke down (BleepingComputer, 2026-06-04; BankInfoSecurity; daily 2026-06-05). The dataset — published by late May per BankInfoSecurity — is in HIPAA-format ASC X12 claims interchange; names, postal and email addresses, dates of birth, phone numbers, health-insurance details and Medicaid IDs across 2.6 million unique email addresses. DentaQuest has not confirmed the specific attack vector; the extortion pattern (no encryption, hard deadline, publish-on-refusal) is consistent with the broader ShinyHunters vishing-driven SaaS-access campaign that earlier claimed Charter, Carnival, 7-Eleven, Instructure and Wynn Resorts. The operational reminder: this actor has no backup-based leverage — detection must land at the bulk-export stage (anomalous off-hours claims-system bulk downloads; SaaS API token generation; volume spikes on outbound archive transfers).

UPDATE (originally covered 2026-06-02): DentaQuest, a Sun Life subsidiary administering dental and vision benefits for ~35 M US Medicaid, Medicare and employer-plan members, is the latest confirmed named victim of the ShinyHunters data-extortion campaign last covered here on the Charter Communications listing. ShinyHunters listed DentaQuest on 23 May with a 27 May ransom deadline and published 234 GB after the deadline passed unpaid; in a 1 June statement DentaQuest confirmed unauthorised access to "a limited portion of its network" (BleepingComputer, 2026-06-04).

The dataset is HIPAA-format ASC X12 claims interchange — names, postal and email addresses, dates of birth, phone numbers, health-insurance details and Medicaid IDs across 2.6 M unique email addresses (BankInfoSecurity, 2026-06-04). DentaQuest's specific attack vector is not publicly confirmed, but the extortion pattern (extortion-without-encryption, a hard deadline, publish-on-refusal) matches the broader ShinyHunters campaign — several of whose other victims this year were reached through compromised cloud-SaaS (Salesforce) access. The operational reminder for defenders is unchanged: this actor monetises pure exfiltration, so backups do not blunt the leverage — detection has to land at the bulk-export stage (large outbound archive transfers from claims systems; and, where cloud-SaaS access has been the entry point for other victims, off-hours SaaS API token generation and anomalous bulk-export API calls).

UPDATE (originally covered 2026-05-27): After Charter Communications declined to pay, ShinyHunters published the stolen dataset on 30 May. Have I Been Pwned ingested it as 4.9 million unique email addresses, alongside names, phone numbers and physical addresses (Security Affairs, 2026-05-30 · Have I Been Pwned).

A subset of roughly 85,000 records originated from an internal employee directory and included job titles. ShinyHunters had originally claimed 42 million records and customer proprietary network information (CPNI); Charter confirmed the incident but stated no sensitive personal information or CPNI was exfiltrated. As established in prior coverage of the broader ShinyHunters Salesforce campaign, the access pattern is vishing-driven compromise of an employee Microsoft Entra account followed by a Salesforce export. The data is now public.

Carnival Corporation filed substitute notices with state attorneys-general on 2026-05-27 confirming 5,995,277 individuals were affected across Princess Cruises, Holland America Line, Cunard and Costa Cruises — the precise figure is from the Maine Attorney General data-breach filing, with secondary coverage in The Record and The Register. The Register notes that this is materially lower than the 8.7 million records ShinyHunters originally listed against Carnival on Have I Been Pwned — the 5.99 million is the count of individuals with unique notifications, not the row-count of the exfiltrated database, so defender-exposure scope discussions need to distinguish the two. The Maine AG filing records the breach as occurring 2026-04-10 and discovered on 2026-04-14 (PR Newswire's official notice describes 2026-04-14 as the day the security team identified the unauthorized activity); initial access was social engineering against a single employee account. ShinyHunters claimed responsibility on 2026-04-18 and ultimately published the data when the ransom demand was refused. Exposed fields include full name, address, email, phone, date of birth and state-issued ID numbers (driver's-licence and passport numbers). Costa Cruises is Italy-headquartered and Cunard has UK operations — EU-resident passport data is in scope, but no EU DPA notification has surfaced in-window. This is a separate ShinyHunters event from the previously-covered Charter / 7-Eleven Salesforce campaign (covered 2026-05-25 and 2026-05-27); the common pattern is single-account social-engineering footholds and the pay-or-leak extortion model run from the actor's own portal.

Defender takeaway: the kill chain is single-account-social-engineering → bulk data access — no CVE exploitation. For travel / hospitality and public-sector SOCs, focus user-behaviour-analytics rules on anomalous bulk data access by a single user / session (T1530, T1213.003) and on outbound transfer volume from CRM and ID-document repositories. EU GDPR notifications from the Italian (Costa) and UK (Cunard) subsidiaries are the immediate regulatory beat to watch.

UPDATE (originally covered 2026-05-24 / 2026-05-25): Charter Communications (Spectrum) has confirmed it was breached after ShinyHunters listed it and threatened to leak data; Charter notified law enforcement but states that no sensitive personal information or customer proprietary network information (CPNI) was exfiltrated — disputing the actor's claim of 42 million records (BleepingComputer, 2026-05-26; CyberInsider, 2026-05-23). ShinyHunters claims initial access on 1 April 2026 via vishing that compromised an employee Entra account, then bulk-exported customer records from Charter's Salesforce CRM.

Separately, 7-Eleven confirmed its ShinyHunters incident affects roughly 185,000 individuals; BleepingComputer reports the exposed fields as names, dates of birth, email addresses, phone numbers and physical addresses (describing the affected as franchisee-document holders) (BleepingComputer, 2026-05-26), while CyberInsider additionally reports Social Security numbers and driver's licence numbers in the set (CyberInsider, 2026-05-26). The 185,000 figure is not contradictory with the earlier unconfirmed 600,000-record CRM claim. Both intrusions follow the campaign's Salesforce-Aura pattern (vishing → Entra account → CRM export, or unauthenticated /s/sfsites/aura guest-profile queries): audit guest-user object permissions on Experience Cloud, enable Secure Guest User Record Access, restrict SSN/ID fields to named users, and enforce phishing-resistant MFA (FIDO2/passkeys) on SaaS admin accounts.

UPDATE (Salesforce-credential extortion campaign, originally covered 2026-05-19 via the 7-Eleven breach): ShinyHunters listed Charter Communications — operating consumer services under the Spectrum brand — on its leak site around 22–23 May, claiming over 42 million PII records and setting a 27 May negotiation deadline before threatened release (CyberInsider, 2026-05-23). The 42M figure is the actor's own unverified leak-site claim. Charter issued a narrowly-worded statement confirming it is "following security protocols" and "alerting appropriate authorities" while explicitly denying that "sensitive personal information (PI) or customer proprietary network information (CPNI)" was exfiltrated — language calibrated to FCC-protected categories. The exclusion of non-CPNI PII (billing name, address, email) from that denial is conspicuous and leaves room for lower-sensitivity data exposure even if the denial holds.

By our own campaign tracking Charter is the first telco/ISP victim of this wave to respond publicly — an inference from the prior named victims (Instructure, Vimeo, Wynn, Vercel, Medtronic, 7-Eleven), none of them telcos, rather than a claim made by the cited sources. The pattern is consistent with the broader ShinyHunters wave against enterprise Salesforce tenants — abuse of exposed OAuth tokens and misconfigured connected-app / Experience Cloud integrations, not a vulnerability in Salesforce itself — the same vector behind the confirmed 7-Eleven breach (600k records, covered 2026-05-19). The fresh Charter listing is independently corroborated by Troy Hunt's Weekly Update 505, 2026-05-24, which records ShinyHunters' new claimed victims. For CH/EU public bodies running Salesforce: audit connected-app OAuth scopes, rotate long-lived connected-app credentials, restrict Experience/Community Cloud guest-user access, and baseline bulk-object query volumes via Shield Event Monitoring — an anomalous large SELECT against Account/Contact objects is the data-exfiltration signature to alert on.

The campaign that the dailies tracked piecewise resolved into one of the week's clearest victim-acquisition arcs. Start of week: ShinyHunters listed Charter Communications (Spectrum) as a telco victim, threatening ~42M records (2026-05-25). Mid-week: Charter and 7-Eleven both moved from claim to confirmed disclosure, 7-Eleven putting the count at ~185,000 affected (2026-05-27). End of week: Carnival Corporation confirmed a breach exposing passport and driver's-licence numbers across four cruise brands (2026-05-29) — Carnival's own notice states an unauthorised actor "used social engineering to deceive an employee to gain access to a limited portion of the company's IT system," and the Maine Attorney General data-breach filing puts the count at ~5.99M records.

The cross-day point for this audience is the vector, not any single victim: the consistent entry is social-engineering of an employee account into Salesforce / connected-app access, the same operation that earlier claimed Instructure, Vimeo, Wynn Resorts, Vercel and Medtronic. Any organisation with Salesforce-connected apps and OAuth-integrated third parties should re-audit connected-app OAuth scopes and refresh-token lifetimes, and harden help-desk identity verification against voice-phishing.

Complementing the § 2 victim arc, horizon research confirms the campaign now lists 40+ confirmed or claimed victims (key: item:shinyhunters-salesforce-campaign-charter-and-7-eleven-both-c), with Canada Life (insurance carrier, UK/Ireland) and Pitney Bowes confirming breaches in the window, and Canvas/Instructure reported to have paid ransom on 2026-05-12. The relevant law-enforcement context: the FBI and France's BL2C previously seized the ShinyHunters-operated BreachForums portal that served as the campaign's extortion channel (2025-10-10), which briefly interrupted operations before the group rebuilt — a reminder that channel seizures slow but do not stop a credential-extortion operation with this many active victims. No leadership arrests. The unchanged defender action is connected-app OAuth-scope and refresh-token review.

7-Eleven, Inc. confirmed on 2026-05-18 that an unauthorised third party accessed systems storing franchisee documents on 2026-04-08, in a breach claimed by ShinyHunters on or around 2026-04-17 (SecurityWeek, 2026-05-18; Security Affairs, 2026-05-18). ShinyHunters listed over 600,000 Salesforce CRM records covering personal and corporate data from franchise applications, initially demanding a ransom with a 2026-04-21 deadline and then offering the data for sale at $250,000 on a hacker forum. 7-Eleven filed a Maine Attorney General notification dated 2026-05-01 confirming 24 months of IDX identity-theft protection for affected individuals (Maine AG breach notification, 2026-05-01). The Maine filing lists only 2 Maine residents but the ShinyHunters claim covers 600,000+ records globally. SecurityWeek attributes the broader campaign — Instructure (Canvas), Vimeo, Wynn Resorts (21,000 employees), Vercel and Medtronic among confirmed co-victims — not to Salesforce-product vulnerabilities but to phishing, third-party-integration abuse, and customer-side misconfiguration of Salesforce Connected Apps.

Why it matters to us: ShinyHunters is the same actor that hit Instructure last week, with the broader Salesforce-targeting campaign continuing across sectors. The campaign vector is identity-side rather than Salesforce-product-side — Connected App OAuth grant abuse, phishing of admin sessions, mis-scoped third-party SaaS integrations. EU/CH public-sector and finance tenants using Salesforce for partner / supplier / case-management data should audit Connected App OAuth grants (particularly to third-party AI SaaS integrations), enable Salesforce Event Monitoring with alerts on bulk Report Export events and high-volume SOQL API calls, enforce IP-range / Trusted-IP session policies, and consider Salesforce Shield field-level encryption for PII. T1078.004 (Cloud Accounts), T1530 (Data from Cloud Storage Object), T1567.002 (Exfiltration to Cloud Storage).

UPDATE (originally covered 2026-W21): Grafana Labs issued an official 2026-05-18 confirmation of the GitHub Pwn-Request breach previously reported in the 2026-W21 weekly summary (SecurityWeek, 2026-05-18; BleepingComputer, 2026-05-18; The Register, 2026-05-18). The material new disclosures in the 2026-05-18 confirmation: Grafana explicitly states (a) only source code was accessed — "no personal or customer information was stolen"; (b) the incident has not impacted customer systems or operations; (c) the ransom was refused. The technical-mechanism details (pull_request_target workflow misconfiguration, forked-PR injection of a curl command, harvested write-scoped GitHub token, canary-token detection) were previously reported in the 2026-W21 weekly summary citing THN's earlier coverage (The Hacker News, 2026-05-17); they are repeated here as context for defenders who did not catch the weekly. CoinbaseCartel is assessed by THN as an offshoot of the ShinyHunters / Scattered Spider / LAPSUS$ ecosystem and has accumulated ~170 victims since September 2025.

Defender takeaway: Grafana OSS is the de facto monitoring/observability platform in EU/CH public-sector SOC and NOC environments; defenders should monitor non-official Grafana plugin updates and unsigned Grafana agent builds for the next 30 days as a potential supply-chain trojanisation follow-on. The Pwn-Request attack pattern is the same class of CI/CD misconfiguration covered by SentinelOne's Living off the Pipeline taxonomy (referenced 2026-05-16); audit every pull_request_target workflow to ensure no privileged steps run on untrusted-fork code, set permissions: read-all at workflow level and elevate only as needed, and separate privilege-requiring steps into a second workflow_run workflow gated on merged code. MITRE T1195.002 / T1552.004 / T1567.

BigBlueButton — the open-source virtual-classroom platform deployed across German DFN, Swiss SWITCH and pan-European GÉANT academic networks, including cantonal school deployments — disclosed three flaws (weak session-token randomness, API checksum bypass, SSRF) in bbb-web < 3.0.21 / < 3.0.23 (daily 2026-05-19). In parallel, 7-Eleven became the latest named victim of the ShinyHunters Salesforce campaign that also claimed Instructure/Canvas (§ 5) — keeping EdTech SaaS supply-chain exposure live for the universities and cantonal education directorates that depend on these platforms. Patch BigBlueButton to the fixed branches and re-audit Canvas/Instructure-connected OAuth scopes.

7-Eleven confirmed on 2026-05-18 that an unauthorised third party accessed franchise-application records (600,000+) in a breach ShinyHunters claimed in April 2026. The operational point for this audience is the campaign, not the victim: 7-Eleven joins Instructure, Vimeo, Wynn Resorts, Vercel and Medtronic as named victims of the same Salesforce-targeting ShinyHunters operation. Any organisation with Salesforce connected apps and OAuth-integrated third parties should re-audit connected-app scopes and refresh-token lifetimes.

The TeamPCP / Mini Shai-Hulud story spans every working day of 2026-W20 and the daily briefs add a piece each day. Tuesday 2026-05-12: an attacker briefly published what appears to be the complete Shai-Hulud framework source (TypeScript / Bun) to a public GitHub repository attributed to TeamPCP, taken down within hours but mirrored widely; the public source disclosure inverts the threat model — every IDE, EDR, and PR-review vendor now has access to the same artefact the operator was using but defenders must assume new variants will appear with one to two days' lead-time on signatures (Datadog Security Labs static analysis, 2026-05-13; daily 2026-05-15 UPDATE). Wednesday 2026-05-13: Wave 4 hits — 170+ packages / 400+ malicious versions compromised per daily-brief tracking across @tanstack (including react-router, ~12M weekly downloads), @uipath, @mistralai, @opensearch-project, and @guardrails-ai; the Wiz writeup confirms the same TeamPCP / UNC6780 / PCPJack attribution as prior waves (Wiz Blog, 2026-05-11; daily 2026-05-13 UPDATE). Friday 2026-05-15: OpenAI named as a victim; the company enforces code-signing certificate rotation across all macOS apps as remediation (daily 2026-05-15 UPDATE).

What W1 horizon research surfaced that the dailies could not yet see: Datadog's static analysis of the leaked source reveals two new capability classes that change the defender posture. First, IDE persistence via hook entries in .claude/settings.json (Claude Code) and .vscode/tasks.json — allowing arbitrary command execution on developer-workspace events; this is not a build-time supply-chain primitive but a developer-workstation persistence mechanism that survives npm install cleanup and outlives the malicious-package removal. Second, OIDC token extraction directly from /proc/<pid>/mem on GitHub Actions runners, used to forge Sigstore provenance attestations — meaning malicious packages can be published that are indistinguishable from legitimate ones by provenance verification alone. The W19 weekly already flagged ShinyHunters / WorldLeaks as a long-running operator-family pattern; the TeamPCP / Mini Shai-Hulud progression confirms a parallel ecosystem maturing on the npm registry side, now with publication-provenance forgery in the toolset. The leaked framework source materially elevates the risk of secondary operators applying Shai-Hulud-style techniques against other package registries (PyPI, Cargo, Maven Central) in 2026-W21 (Datadog Security Labs).

The defender pivot is two-fold: (1) for DevOps pipelines, provenance verification is necessary but no longer sufficient — supplement with publisher-pinning, two-factor publish enforcement, and post-install hash-pinning; (2) for developer workstations, treat .claude/settings.json / .vscode/tasks.json / equivalent IDE hook files as security-relevant configuration and add them to file-integrity-monitoring scope. The Datadog filesystem indicators (gh-token-monitor daemon process, claude@users.noreply.github.com commits in unexpected repositories, exfil-repo names matching "Shai-Hulud: Here We Go Again") are the right hunt seeds.

The W19 weekly closed with the Canvas / Instructure extortion deadline of 2026-05-12 pending. The trajectory through W20: Tuesday 2026-05-12: Instructure confirmed ransom payment to ShinyHunters with claimed data return and digital confirmation of destruction; second intrusion separately confirmed; per-institution leak deadline reset to the same day (daily 2026-05-12 UPDATE; The Record, 2026-05-12). Wednesday 2026-05-13: the US House Homeland Security Committee (Chairman Garbarino) opened a formal investigation and requested an Instructure CEO briefing by 2026-05-21 covering both intrusion circumstances, scope and nature of accessed data, IR adequacy, and CISA coordination (House Homeland Security Committee letter, 2026-05-11; daily 2026-05-13 UPDATE). Post-payment: ShinyHunters defaced approximately 330 institutional Canvas login pages by re-exploiting the same Free-For-Teacher account vulnerability that enabled the second intrusion — demonstrating that the "no customer extortion" covenant in the ransom agreement was at best narrowly observed and that the access vector was not actually closed (The Record).

The story matters to Swiss / EU public-sector defenders for three reasons that crystallise only across the multi-day arc. First, paying the ransom did not close the access vector: Instructure's patches did not eliminate the Free-For-Teacher abuse path, so the defacement wave is operational evidence that the underlying flaw remained exploitable; this is the "what did the patch actually fix" question every IR-receiving organisation should be asking of every paid-ransom-with-promised-fix vendor. Second, the seven Dutch universities (VU Amsterdam, UvA, Erasmus, Tilburg, TU/e, Maastricht, Twente) disconnected Canvas rather than wait for vendor remediation (NL Times, 2026-05-09) — a defender posture worth pattern-matching for any future SaaS-LMS / SaaS-LRS / SaaS-grade-management vendor compromise. Third, the US House investigation is the regulatory analogue Swiss / EU SOC managers should anticipate from cantonal education ministries; the questions Chairman Garbarino's letter lists (intrusion timeline, data scope, IR adequacy, CISA / national-CSIRT coordination) are the same questions a cantonal Bildungsdirektion will ask after the next EdTech SaaS incident. Outcome of the 2026-05-21 briefing is the open horizon item for 2026-W21.

Full coverage in § 2 (multi-day chain). Status-update register: long-running operator-family pattern continues; wave 4 (170+ packages / 400+ versions per daily-brief tracking) is the largest documented npm-supply-chain wave to date; the leaked framework source materially changes both attacker and defender posture and elevates the risk of secondary operators applying the same techniques against PyPI / Cargo / Maven Central in 2026-W21. The ShinyHunters / WorldLeaks family logged in W19's long-running record (item:shinyhunters-worldleaks-family) overlaps in operator targeting (AI-tooling SaaS, multi-tenant credential aggregation) with TeamPCP's npm-side ecosystem — the two clusters appear to be operating in parallel across the SaaS and registry attack surfaces with no public attribution merging them.

Full coverage in § 2 (multi-day chain). Status-update register: ShinyHunters / WorldLeaks long-running operator pattern (W19 record item:shinyhunters-worldleaks-family) continues; the Canvas case is the operator's first publicly-confirmed ransom-with-broken-non-extortion-covenant precedent and the first US Congressional investigation of an EdTech SaaS supply-chain incident.

Google Threat Intelligence Group published on 2026-05-15 an analysis of UNC6671 — a financially-motivated extortion cluster operating under the "BlackFile" brand since February 2026 — documenting a real-time vishing + adversary-in-the-middle chain that bypasses traditional MFA and pivots to mass SharePoint exfiltration (Google Threat Intelligence Group, 2026-05-15). The chain starts with a phone call placed to a victim's personal mobile number in which an operator impersonates internal IT helpdesk and directs the target to an attacker-registered lookalike single sign-on portal (Tucows-registered hostnames in the <org>.enrollms[.]com and <org>.passkeyms[.]com namespaces); the operator captures credentials and TOTP / push approvals live and immediately registers a new attacker-controlled MFA device for persistent post-vishing access, mapping to T1556 Modify Authentication Process. Post-compromise, BlackFile uses Python requests and PowerShell scripts against the Microsoft Graph API and direct SharePoint file-stream URLs to exfiltrate, with single-victim file counts exceeding one million; the API requests surface Microsoft Office's ClientAppId (d3590ed6-52b3-4102-aeff-aad2292ab01c) in the M365 audit log AppAccessContext field — the same value legitimate Office clients carry — to blend in with normal Office activity. The detection break is the underlying user-agent: legitimate Office clients do not present python-requests/2.28.1 or WindowsPowerShell/5.1 as the user-agent header against Graph or SharePoint endpoints. GTIG also notes that the FileAccessed audit event distinguishes the bulk-API extraction pattern from interactive FileDownloaded events. Geographic focus is North America, Australia, and the UK — but the playbook is language-agnostic; any European helpdesk-fronted M365 / Okta environment is one successful call away from the same outcome. The BlackFile data-leak site went offline in late April 2026 and relaunched on 2026-05-11 with a shutdown announcement, which GTIG assesses as probable rebrand rather than cessation. GTIG explicitly distinguishes UNC6671 from ShinyHunters (UNC6240). MITRE ATT&CK additionally: T1566.004 Spearphishing Voice, T1557 Adversary-in-the-Middle, T1528 Steal Application Access Token. Detection priorities: alert on Okta system.multifactor.factor.setup events not preceded by a user-initiated session; flag M365 audit FileAccessed events with AppAccessContext.ClientAppId == d3590ed6-52b3-4102-aeff-aad2292ab01c AND a user-agent containing python-requests or PowerShell; require Conditional Access compliant-device for Graph API access from administrative accounts; and move helpdesk-privileged accounts to FIDO2 phishing-resistant MFA.

UPDATE (originally covered 2026-05-12): Late on 2026-05-11, US House Homeland Security Committee Chairman Andrew Garbarino sent a formal letter to Instructure CEO Steve Daly ahead of the 2026-05-12 ShinyHunters extortion deadline, demanding a briefing by 2026-05-21 on the circumstances of both Canvas intrusions, the volume of data accessed, containment measures, and coordination with federal law enforcement and CISA (The Record, 2026-05-12; The Register, 2026-05-12).

On 2026-05-12 — before the deadline expired — Instructure confirmed it had "reached an agreement with the unauthorized actor" and received "digital confirmation of data destruction (shred logs)" from ShinyHunters, the operational reliability of which the committee letter explicitly questions. ShinyHunters claims the agreement covers up to 275 million records across roughly 8,800 colleges, universities and K-12 schools (per The Register; The Record cites ~9,000 institutions), including Dutch and Swedish higher-education customers previously confirmed in scope. The second Canvas intrusion is attributed to ShinyHunters exploiting an unpatched flaw in Instructure's "Free-for-Teacher" environment; the initial 2026-04-29 intrusion yielded ~3.6 TB of uncompressed data (usernames, emails, course names, messages). CrowdStrike was retained for forensic analysis.

Defender takeaway: a vendor-side "shred log" is legally non-binding and technically unverifiable; EU institutions must continue to treat the 275M-record dataset as irrevocably compromised for GDPR Art. 33 / data-subject-rights purposes regardless of Instructure's bulk-platform claim. The congressional investigation will likely prompt CISA guidance for higher-education SaaS incident response — relevant context for Swiss universities and EU edtech procurement teams.

UPDATE (originally covered 2026-05-09; updated 2026-05-10): Instructure on 2026-05-11 disclosed that it "reached an agreement with the unauthorized actor" and received "digital confirmation of data destruction (shred logs)" — a ransom payment in everything but name, undisclosed amount, covering the platform-wide ~3.65 TB dataset that ShinyHunters claimed to have lifted from Canvas's Free-for-Teacher tier on 2026-04-29 (Inside Higher Ed, 2026-05-11; Infosecurity Magazine, 2026-05-11).

Two material developments accompany the settlement: (a) Instructure confirmed a second intrusion on 2026-05-07 in which ShinyHunters defaced approximately 330 individual institution login portals via the same Free-for-Teacher vulnerability — the first ITW evidence that the underlying flaw remained exploitable post-patch; (b) ShinyHunters has now reset a per-institution payment deadline to end-of-day 2026-05-12 (today), positioning the central settlement as covering only the bulk dataset while leaving individual institutions exposed to targeted publication (The Register, 2026-05-12). CEO Steve Daly publicly acknowledged delayed external communication ("we got the balance wrong" on disclosure timing). CrowdStrike remains engaged for the IR work.

Operational reality for any European university running Canvas: the "data was destroyed" claim is not technically verifiable — by ransomware-actor practice, the artefact provided is typically a hash list or a video, not a forensically meaningful proof of deletion. The dataset must continue to be treated as compromised in perpetuity for GDPR / Swiss DSG purposes, downstream phishing risk planning, and student-identity exposure communications. Institutions that received the per-institution deadline note should validate that any locally-stored Canvas-derived data (course rosters, communications, gradebooks) is included in the breach-notification scope, regardless of the platform-wide settlement.

The cross-day pattern most visible in 2026-W19 is the ShinyHunters / WorldLeaks operator family's role in four parallel third-party / SaaS-tier compromises with European footprint, all riding the third-party-analytics → cloud-data-warehouse → tenant-data-exfiltration pivot rather than direct attack on the victim's infrastructure. The sequence: Vimeo / Anodot (first covered 2026-05-07) — Vimeo's official statement confirmed customer email addresses were affected via a third-party security incident involving Anodot, an analytics vendor integrated with Vimeo's infrastructure; the Snowflake-and-BigQuery cloud-data-warehouse pivot is attributed to ShinyHunters' extortion claim per BleepingComputer (not Vimeo's own confirmation); BleepingComputer reports approximately 119,000 email addresses exposed; ShinyHunters published the dataset after Vimeo declined extortion (Vimeo official blog, 2026-04-27 · BleepingComputer, 2026-05-06 · The Register, 2026-05-05). Inditex (Zara) (first covered 2026-05-09) — Have I Been Pwned confirmed 197,400 EU customer email addresses exposed via the same Anodot → BigQuery pivot; Inditex confirmed access to email, geographic location, order IDs, support ticket content; ShinyHunters dumped ~140 GB after Inditex declined (SecurityAffairs, 2026-05-08 · BleepingComputer, 2026-05-08 · daily 2026-05-09). ADT Inc. (first covered 2026-05-06) — SEC 8-K filed 2026-04-24 disclosed unauthorised access to certain cloud environments; ShinyHunters claimed the initial-access vector was vishing on an employee Okta SSO account followed by Salesforce data exfiltration (ADT did not confirm the vector) (ADT Newsroom, 2026-04-24 · daily 2026-05-06). Instructure / Canvas (first covered 2026-05-06; expanded each subsequent day — see separate H3 below).

The lesson under PD-11 (less is more) for Swiss / EU public-sector readers: third-party analytics, monitoring, evaluation, and observability integrations holding OAuth or service-account access to production data warehouses (Snowflake, BigQuery, Redshift) are a structural supply-chain attack surface that vendor-assessment checklists routinely miss. Audit delegated access grants for analytics tooling; enforce token scoping and expiry; require provider-side anomaly alerts; and treat any tenant-to-tenant credential propagation pattern (the four incidents above are all that pattern) as warranting a tabletop on revocation timing — Vimeo revoked privileged credentials and access tokens within hours of detection, which is the right reference performance.

Canvas / Instructure is the cleanest example of a campaign chain that accumulated meaningfully different state every day of 2026-W19, and the one a SOC manager carries into Monday morning with an extortion deadline two days out. Day-by-day: 2026-05-06 — Instructure confirmed names, email addresses, student ID numbers, and user-to-user messages accessed; detected API-tool disruption ~2026-04-30; revoked privileged credentials and access tokens; passwords / financial data / government IDs out of scope; ShinyHunters claimed 275 M records across ~9,000 institutions including EU and APAC (BleepingComputer, 2026-05-04 · TechCrunch, 2026-05-05 · SecurityWeek, 2026-05-04 · daily 2026-05-06). 2026-05-07 — individual universities (University of Nevada Reno, University of Pennsylvania ~300,000+ users) began notifying students and staff directly (University of Nevada Reno president message, 2026-05-06 · daily 2026-05-07 UPDATE). 2026-05-08 — SURF (Dutch NREN) confirmed 44 Dutch institutions among victims; attacker posted portal defacements; 2026-05-12 extortion deadline set; Canvas taken offline for emergency patching on 2026-05-07 (NL Times — Canvas hack: student data from 44 Dutch universities and schools taken · The Next Web — largest education data breach in history · daily 2026-05-08 UPDATE). 2026-05-09 — three major UK universities (Oxford, Cambridge, Liverpool — Liverpool notified ICO under GDPR Article 33) issued public statements; UNL confirmed 44 Dutch member institutions; 3 GB sample dump on 2026-05-07 contained course-IDs, student emails, assignment metadata, grade records across four UK institutions; Instructure stated the breach vector was a compromised integration service account for a third-party LTI tool provider (not Canvas core infrastructure). The ShinyHunters / WorldLeaks operator-family attribution and the specific extortion-amount figure carried in the daily UPDATE trace to sources not re-fetched at weekly composition time; readers should consult the daily UPDATE for the citation chain (daily 2026-05-09 UPDATE). 2026-05-10 — ShinyHunters posted a second intrusion notice 2026-05-08 asserting Canvas retained unpatched vulnerabilities permitting re-entry despite the May 8 patches; Instructure confirmed the second breach, rotated application keys, increased monitoring, and required API-client re-authorisation; seven Dutch universities (VU Amsterdam, University of Amsterdam, Erasmus Rotterdam, Tilburg, Eindhoven TU/e, Maastricht, Twente) executed emergency Canvas disconnections on/before 2026-05-09; Dutch DPA (Autoriteit Persoonsgegevens) received an incident report from VU Amsterdam (Techzine EU, 2026-05-08 · DutchNews.nl, 2026-05-08 · daily 2026-05-10 UPDATE).

State at week-end: 2026-05-12 extortion deadline is Tuesday (two days out); no ransom paid as of 2026-05-09 06:00 UTC; if the second-intrusion claim verifies, Instructure's remediation was incomplete and the data-release threat is materially more credible. European universities running Canvas should treat credential-stuffing risk on stolen student / staff emails as active; audit third-party LTI integrations and revoke service accounts for unused integrations; watch for follow-on phishing campaigns referencing course content. GDPR Article 33/34 notification clocks run from the date Instructure provided scope confirmation to the institution.

The Internet Organised Crime Threat Assessment 2026 (published 2026-04-28) was Europol's first IOCTA to identify the interweaving of state-sponsored hybrid threats with criminal actors as the defining strategic risk for EU public-sector defenders. The cross-finding pattern between IOCTA's framing and the rest of 2026-W19 is unusually direct: the WorldLeaks / ShinyHunters operator family targeting government identity registries and politically significant EU media entities, the named-cluster attribution on Polish water OT to APT28 + APT29 + UNC1151 sharing initial access tradecraft with hacktivist information operations, and the Bauman / GRU pipeline investigation (§ 7) all illustrate the convergence IOCTA flagged. For public-sector procurement and identity-management functions specifically, IOCTA's identification of public institutions, major technology companies, and EU citizens' personal data as primary risk targets matches the week's incident concentration exactly. (Europol IOCTA, 2026-04-28; daily 2026-05-06 first coverage).

Current state: most-active operator family of 2026-W19. Confirmed parallel involvement across Vimeo/Anodot, Inditex/Zara/Anodot, ADT/Okta-SSO/Salesforce, and Canvas/Instructure (second-intrusion claim despite May 8 patches). The architectural pattern across these incidents — third-party analytics, BI, integration, or LTI service accounts holding broad read access to tenant data — is consistent and converging. The Canvas/Instructure extortion deadline is 2026-05-12 (two days out at week-end). Outstanding defender question: which AI-tooling SaaS or analytics SaaS vendor will be the next confirmed pivot point. (See § 2 multi-day chain.)

UPDATE (originally covered 2026-05-08; previous UPDATE 2026-05-09): ShinyHunters posted a second intrusion notice around 2026-05-08 asserting Instructure's Canvas LMS retained unpatched vulnerabilities allowing re-entry despite the company's earlier security-patch deployment (Techzine EU, 2026-05-08 · DutchNews.nl, 2026-05-08). Instructure confirmed the second breach, rotated application keys, increased monitoring, and required API-client re-authorisation across its customer base.

Seven Dutch universities — VU Amsterdam, University of Amsterdam, Erasmus University Rotterdam, Tilburg University, Eindhoven University of Technology (TU/e), Maastricht University, and University of Twente — executed emergency Canvas disconnections on or before 2026-05-09 after the attackers claimed continued active access. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) received an incident report from VU Amsterdam.

The 2026-05-12 extortion deadline remains active — two days from publication. ShinyHunters's original claim cited 275 million records (names, email addresses, student IDs, private messages) across thousands of educational institutions worldwide (Techzine EU, 2026-05-08); if the second-intrusion claim is verified, Instructure's remediation was incomplete and the data-release threat is materially more credible. Defenders at European universities using Canvas should treat credential-stuffing risk on stolen student / staff emails as active, audit third-party LTI integrations, and watch for follow-on phishing campaigns referencing course content.

Have I Been Pwned confirmed on 2026-05-08 that 197,400 unique email addresses from Inditex (Zara's parent, headquartered in A Coruña, Spain) were exposed following a breach of a former third-party analytics provider. Inditex confirmed attackers accessed customer relationship data — email addresses, geographic locations, purchase history (order IDs and product SKUs), and support ticket content — across international markets (SecurityAffairs, 2026-05-08 · BleepingComputer, 2026-05-08). Names, passwords, payment card data, addresses, and phone numbers were stated to be out of scope. ShinyHunters claimed responsibility, alleging access via compromised authentication tokens for the Anodot analytics platform against BigQuery instances; this claim has not been independently verified. Data publication (approximately 140 GB) followed after Inditex declined to engage. Inditex stated it had "started notifying the relevant authorities" but did not specify which supervisory authority or whether the GDPR Article 33 72-hour notification clock was met; as a Spanish company the lead supervisory authority is the AEPD.

Defender takeaway: Third-party analytics and BI platforms with OAuth or service-account access to production data warehouses (BigQuery, Snowflake, Redshift) represent a persistent supply-chain data-exfiltration vector. Audit delegated access grants for analytics tooling; enforce token scoping and expiry; review whether analytics platform service accounts have read-all access to customer-facing databases.