ctipilot.ch

Medtronic

incident · incident:medtronic-shinyhunters-corporate-it-breach single-source

Medtronic — ShinyHunters-claimed corporate-IT breach; ~9M notified

  • Coverage timeline: 4 appearances, first 2026-05-18 → last 2026-07-03
  • Entries: 4 (4 distinct days)
  • Sources cited: 7 (7 hosts)
  • Sections touched: 3 (active-threats, updates, weekly-incidents-recap)
  • Co-occurring entities: 1 (see Related entities below)

Story timeline

  1. 2026-07-03 · active-threats · Medtronic notifies ~9 million people of a ShinyHunters-claimed corporate-IT breach — 2.5 months after containment
  2. 2026-05-25 · updates · ShinyHunters lists Charter Communications (Spectrum) — telco victim in the Salesforce-credential campaign
  3. 2026-05-19 · active-threats · 7-Eleven confirms ShinyHunters breach of 600,000+ Salesforce franchise-application records — same campaign as Instructure, Vimeo, Wynn Resorts, Vercel, Medtronic
  4. 2026-05-18 · weekly-incidents-recap · 7-Eleven — ShinyHunters Salesforce campaign claims another 600,000+ records

Where this entity is cited

  • active-threats: 2
  • weekly-incidents-recap: 1
  • updates: 1

Source distribution

  • bleepingcomputer.com: 1 (14%)
  • cyberinsider.com: 1 (14%)
  • maine.gov: 1 (14%)
  • securityaffairs.com: 1 (14%)
  • securityweek.com: 1 (14%)
  • theregister.com: 1 (14%)
  • troyhunt.com: 1 (14%)

Related entities

Entries about Medtronic (4)

2026-07-03

Medtronic notifies ~9 million people of a ShinyHunters-claimed corporate-IT breach — 2.5 months after containment

high · incident · discovered 2026-07-03 04:48 UTC

Medical-device manufacturer Medtronic began notifying customers on 2026-07-02 of a breach the ShinyHunters extortion group first claimed in April. Medtronic's investigation found an unauthorized actor accessed certain corporate IT systems between 2026-04-13 and 2026-04-19 after unusual activity was noticed on 2026-04-15; ShinyHunters listed the company on its leak portal on 2026-04-18 claiming ~9 million records (names, contact details, dates of birth, Social Security numbers, health-related information) and later pulled the entry — consistent with the group's pattern after a ransom is paid (BleepingComputer, 2026-07-02). Medtronic states it found "no evidence" the data was published, and that the compromised corporate systems were segregated from device-operating networks so therapy delivery was unaffected (The Register, 2026-07-02). No initial-access vector is disclosed. This is the same ShinyHunters cluster behind the recent Salesforce/PeopleSoft-adjacent extortion wave (Nissan, NAIC — see prior coverage), but a corporate-IT compromise rather than the SaaS-integration pattern seen elsewhere; the source does not confirm shared tradecraft.

“The investigation determined that from April 13 to April 19, 2026, an unauthorized actor accessed certain Medtronic corporate IT systems.” — BleepingComputer

“Based on our investigation, this incident did not impact the ability of any Medtronic device to operate safely and deliver intended therapy.” — The Register

data-breach organized-crime us global

2026-05-25

ShinyHunters lists Charter Communications (Spectrum) — telco victim in the Salesforce-credential campaign

UPDATE — originally covered in "7-Eleven confirms ShinyHunters breach of 600,000+ Salesforce franchise-application records — same campaign as Instructure, Vimeo, Wynn Resorts, Vercel, Medtronic" (2026-05-19)

high · incident · discovered 2026-05-25 05:00 UTC

UPDATE (Salesforce-credential extortion campaign, originally covered 2026-05-19 via the 7-Eleven breach): ShinyHunters listed Charter Communications — operating consumer services under the Spectrum brand — on its leak site around 22–23 May, claiming over 42 million PII records and setting a 27 May negotiation deadline before threatened release (CyberInsider, 2026-05-23). The 42M figure is the actor's own unverified leak-site claim. Charter issued a narrowly worded statement confirming it is "following security protocols" and "alerting appropriate authorities" while explicitly denying that "sensitive personal information (PI) or customer proprietary network information (CPNI)" was exfiltrated — language calibrated to FCC-protected categories. The exclusion of non-CPNI PII (billing name, address, email) from that denial is conspicuous and leaves room for lower-sensitivity data exposure even if the denial holds.

By our own campaign tracking, Charter is the first telco/ISP victim of this wave to respond publicly — an inference from the prior named victims (Instructure, Vimeo, Wynn, Vercel, Medtronic, 7-Eleven), none of them telcos, rather than a claim made by the cited sources. The pattern is consistent with the broader ShinyHunters wave against enterprise Salesforce tenants — abuse of exposed OAuth tokens and misconfigured connected-app / Experience Cloud integrations, not a vulnerability in Salesforce itself — the same vector behind the confirmed 7-Eleven breach (600k records, covered 2026-05-19). The fresh Charter listing is independently corroborated by Troy Hunt's Weekly Update 505, 2026-05-24, which records ShinyHunters' new claimed victims. For CH/EU public bodies running Salesforce: audit connected-app OAuth scopes, rotate long-lived connected-app credentials, restrict Experience/Community Cloud guest-user access, and baseline bulk-object query volumes via Shield Event Monitoring — an anomalous large SELECT against Account/Contact objects is the data-exfiltration signature to alert on.

data-breach organized-crime identity cloud us global

2026-05-19

7-Eleven confirms ShinyHunters breach of 600,000+ Salesforce franchise-application records — same campaign as Instructure, Vimeo, Wynn Resorts, Vercel, Medtronic

high · incident · discovered 2026-05-19 05:00 UTC

7-Eleven, Inc. confirmed on 2026-05-18 that an unauthorised third party accessed systems storing franchisee documents on 2026-04-08, in a breach claimed by ShinyHunters on or around 2026-04-17 (SecurityWeek, 2026-05-18; Security Affairs, 2026-05-18). ShinyHunters listed over 600,000 Salesforce CRM records covering personal and corporate data from franchise applications, initially demanding a ransom with a 2026-04-21 deadline and then offering the data for sale at $250,000 on a hacker forum. 7-Eleven filed a Maine Attorney General notification dated 2026-05-01 confirming 24 months of IDX identity-theft protection for affected individuals (Maine AG breach notification, 2026-05-01). The Maine filing lists only 2 Maine residents but the ShinyHunters claim covers 600,000+ records globally. SecurityWeek attributes the broader campaign — Instructure (Canvas), Vimeo, Wynn Resorts (21,000 employees), Vercel and Medtronic among confirmed co-victims — not to Salesforce-product vulnerabilities but to phishing, third-party-integration abuse, and customer-side misconfiguration of Salesforce Connected Apps.

Why it matters to us: ShinyHunters is the same actor that hit Instructure last week, with the broader Salesforce-targeting campaign continuing across sectors. The campaign vector is identity-side rather than Salesforce-product-side — Connected App OAuth grant abuse, phishing of admin sessions, mis-scoped third-party SaaS integrations. EU/CH public-sector and finance tenants using Salesforce for partner / supplier / case-management data should audit Connected App OAuth grants (particularly to third-party AI SaaS integrations), enable Salesforce Event Monitoring with alerts on bulk Report Export events and high-volume SOQL API calls, enforce IP-range / Trusted-IP session policies, and consider Salesforce Shield field-level encryption for PII. Relevant ATT&CK techniques: T1078.004 (Cloud Accounts), T1530 (Data from Cloud Storage Object), T1567.002 (Exfiltration to Cloud Storage).
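
The bulk-read alerting recommended here, and the Account/Contact query-volume baseline recommended in the 2026-05-25 entry, can be prototyped offline against exported event logs. The following is an added example, not code from the cited sources or from Salesforce; the CSV column names, user IDs, sample rows and the `factor` / `floor` thresholds are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample shaped like an Event Monitoring "API" event log CSV export.
# Column names are assumptions; confirm them against your own org's export.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,ENTITY_NAME,ROWS_PROCESSED
API,2026-05-20T08:05:00Z,005A,198.51.100.7,Contact,180
API,2026-05-20T08:40:00Z,005A,198.51.100.7,Account,40
API,2026-05-20T09:10:00Z,005A,198.51.100.7,Contact,210
API,2026-05-20T09:30:00Z,005A,198.51.100.7,Case,90000
API,2026-05-20T10:15:00Z,005A,198.51.100.7,Account,150
API,2026-05-20T08:00:00Z,005B,203.0.113.20,Contact,900
API,2026-05-20T09:00:00Z,005B,203.0.113.20,Contact,1100
API,2026-05-20T10:02:00Z,005B,192.0.2.99,Contact,48000
API,2026-05-20T10:20:00Z,005B,192.0.2.99,Account,12500
API,2026-05-20T10:45:00Z,005C,192.0.2.99,Account,30000
"""

SENSITIVE_OBJECTS = {"Account", "Contact"}

def hourly_volumes(csv_text):
    """Sum rows read per (user, hour) for API queries on sensitive objects."""
    totals = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EVENT_TYPE"] != "API" or row["ENTITY_NAME"] not in SENSITIVE_OBJECTS:
            continue
        hour = row["TIMESTAMP_DERIVED"][:13]  # truncate to YYYY-MM-DDTHH
        totals[(row["USER_ID"], hour)] += int(row["ROWS_PROCESSED"] or 0)
    return dict(totals)

def bulk_read_alerts(csv_text, factor=10, floor=5000):
    """Flag user-hours above an absolute floor and factor x the baseline."""
    totals = hourly_volumes(csv_text)
    org_median = median(totals.values()) if totals else 0
    alerts = []
    for (user, hour), rows in sorted(totals.items()):
        # Baseline is the user's other hours; a user with no history (for
        # example a newly authorised integration) falls back to the org median.
        history = [v for (u, h), v in totals.items() if u == user and h != hour]
        baseline = median(history) if history else org_median
        if rows >= floor and rows > factor * baseline:
            alerts.append((user, hour, rows))
    return alerts

if __name__ == "__main__":
    for user, hour, rows in bulk_read_alerts(SAMPLE_LOG):
        print(f"ALERT user={user} hour={hour} rows={rows}")
```

The absolute floor keeps low-volume users from alerting on small relative jumps, and the org-median fallback keeps an account with no prior history from escaping the per-user baseline.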

“7-Eleven confirmed a breach after ShinyHunters claimed theft of over 600,000 Salesforce records and franchisee data” — Security Affairs

“The intrusions resulted from phishing, abuse of third-party integrations, or misconfigurations, rather than vulnerabilities in Salesforce products” — SecurityWeek

data-breach identity cloud organized-crime global europe us

2026-05-18

7-Eleven — ShinyHunters Salesforce campaign claims another 600,000+ records

notable · incident · discovered 2026-05-18 05:00 UTC · single-source

7-Eleven confirmed on 2026-05-18 that an unauthorised third party accessed franchise-application records (600,000+) in a breach ShinyHunters claimed in April 2026. The operational point for this audience is the campaign, not the victim: 7-Eleven joins Instructure, Vimeo, Wynn Resorts, Vercel and Medtronic as named victims of the same Salesforce-targeting ShinyHunters operation. Any organisation with Salesforce connected apps and OAuth-integrated third parties should re-audit connected-app scopes and refresh-token lifetimes.

data-breach identity cloud organized-crime global europe