ctipilot.ch

Medtronic — ShinyHunters-claimed corporate-IT breach; ~9M notified

incident · item:medtronic-shinyhunters-corporate-it-breach

Coverage timeline: 1 brief (first 2026-07-03 → last 2026-07-03)
Briefs: 1 (1 distinct)
Sources cited: 10 (8 hosts)
Sections touched: 1 (active_threats)
Co-occurring entities: 8

Story timeline

  1. 2026-07-03 · CTI Daily Brief — 2026-07-03
     active_threats · First coverage: ShinyHunters accessed Medtronic corporate IT 2026-04-13..19; ~9M records (SSN/DOB/health); devices segregated/unaffected; notification 2.5 months post-containment.

Where this entity is cited

  • active_threats: 1

Source distribution

  • bleepingcomputer.com: 2 (20%)
  • maine.gov: 2 (20%)
  • cyberinsider.com: 1 (10%)
  • prnewswire.com: 1 (10%)
  • securityaffairs.com: 1 (10%)
  • securityweek.com: 1 (10%)
  • theregister.com: 1 (10%)
  • troyhunt.com: 1 (10%)

Items in briefs about Medtronic — ShinyHunters-claimed corporate-IT breach; ~9M notified (5)

Medtronic notifies ~9 million people of a ShinyHunters-claimed corporate-IT breach — 2.5 months after containment

From CTI Daily Brief — 2026-07-03 · published 2026-07-03 · view item permalink →

Medical-device manufacturer Medtronic began notifying customers on 2026-07-02 of a breach the ShinyHunters extortion group first claimed in April. Medtronic's investigation found an unauthorized actor accessed certain corporate IT systems between 2026-04-13 and 2026-04-19; unusual activity was noticed on 2026-04-15. ShinyHunters listed the company on its leak portal on 2026-04-18, claiming roughly 9 million records (names, contact details, dates of birth, Social Security numbers, health-related information), and later pulled the entry, a delisting that matches the group's pattern after a ransom is paid (BleepingComputer, 2026-07-02); that reading is an inference, not a confirmed payment. Medtronic states it found "no evidence" the data was published, and that the compromised corporate systems were segregated from device-operating networks, so therapy delivery was unaffected (The Register, 2026-07-02). No initial-access vector is disclosed. This is the same ShinyHunters cluster behind the recent Salesforce/PeopleSoft-adjacent extortion wave (Nissan, NAIC; see prior coverage). Note the tension with earlier coverage on this page: SecurityWeek's campaign attribution (covered 2026-05-19) counted Medtronic among the Salesforce-campaign victims, whereas Medtronic's own notice describes a corporate-IT compromise rather than the SaaS-integration pattern seen elsewhere, and the 2026-07-02 sources do not confirm shared tradecraft.

Defender takeaway: a delisted extortion-portal entry is not proof of data destruction. Treat any listed-then-delisted victim as presumptively breached, and monitor for identity fraud and DOB/SSN-driven targeted phishing against the affected population regardless of ransom outcome; the fields claimed here carry no passwords, so the downstream risk is impersonation and synthetic-identity fraud rather than credential stuffing. The gap of roughly 2.5 months between detection on 2026-04-15 and notification on 2026-07-02 is worth benchmarking against your own breach-notification SLAs.

UPDATE: ShinyHunters lists Charter Communications (Spectrum) — telco victim in the Salesforce-credential campaign

From CTI Daily Brief — 2026-05-25 · published 2026-05-25 · view item permalink →

UPDATE (Salesforce-credential extortion campaign, originally covered 2026-05-19 via the 7-Eleven breach): ShinyHunters listed Charter Communications, which operates consumer services under the Spectrum brand, on its leak site around 22–23 May, claiming over 42 million PII records and setting a 27 May negotiation deadline before threatened release (CyberInsider, 2026-05-23). The 42M figure is the actor's own unverified leak-site claim. Charter issued a narrowly worded statement confirming it is "following security protocols" and "alerting appropriate authorities" while explicitly denying that "sensitive personal information (PI) or customer proprietary network information (CPNI)" was exfiltrated, language calibrated to FCC-protected categories. The exclusion of non-CPNI PII (billing name, address, email) from that denial is conspicuous and leaves room for lower-sensitivity data exposure even if the denial holds.

By our own campaign tracking, Charter is the first telco/ISP victim of this wave to respond publicly; that is an inference from the prior named victims (Instructure, Vimeo, Wynn, Vercel, Medtronic, 7-Eleven), none of them telcos, rather than a claim made by the cited sources. The pattern is consistent with the broader ShinyHunters wave against enterprise Salesforce tenants: abuse of exposed OAuth tokens and misconfigured connected-app / Experience Cloud integrations, not a vulnerability in Salesforce itself, the same vector behind the confirmed 7-Eleven breach (600k records, covered 2026-05-19). The fresh Charter listing is independently corroborated by Troy Hunt's Weekly Update 505 (2026-05-24), which records ShinyHunters' new claimed victims. For CH/EU public bodies running Salesforce: audit connected-app OAuth scopes, rotate long-lived connected-app credentials, restrict Experience/Community Cloud guest-user access, and baseline bulk-object query volumes via Shield Event Monitoring. The data-exfiltration signature to alert on is a SOQL query returning an anomalously large row count against Account/Contact objects from a user or connected app with no history of that volume.

ShinyHunters Salesforce-credential extortion — three named victims confirmed across the week, capped by Carnival's 5.99M-record disclosure

From CTI Weekly Summary — 2026-W22 (May 25 – May 31, 2026) · published 2026-05-25 · view item permalink →

The campaign that the dailies tracked piecewise resolved into one of the week's clearest victim-acquisition arcs. Start of week: ShinyHunters listed Charter Communications (Spectrum) as a telco victim, threatening ~42M records (2026-05-25). Mid-week: Charter and 7-Eleven both moved from claim to confirmed disclosure, 7-Eleven putting the count at ~185,000 affected (2026-05-27). End of week: Carnival Corporation confirmed a breach exposing passport and driver's-licence numbers across four cruise brands (2026-05-29) — Carnival's own notice states an unauthorised actor "used social engineering to deceive an employee to gain access to a limited portion of the company's IT system," and the Maine Attorney General data-breach filing puts the count at ~5.99M records.

The cross-day point for this audience is the vector, not any single victim: the consistent entry is social engineering of an employee into granting Salesforce / connected-app access, the same operation that earlier claimed Instructure, Vimeo, Wynn Resorts, Vercel and Medtronic. Any organisation with Salesforce-connected apps and OAuth-integrated third parties should re-audit connected-app OAuth scopes and refresh-token lifetimes, and harden help-desk identity verification against voice phishing.
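The connected-app audit recommended here and in the Charter update above (scopes, refresh-token lifetime, who may authorise the app) can be run offline against metadata retrieved from the org. The following is an added example written for this page, not code from any cited source or from Salesforce. It parses ConnectedApp metadata in the Metadata API XML shape (the element names, the `infinite` refresh-token policy value and the `specificLifetime:…` syntax of the hardened copy are assumptions; confirm them against a file retrieved from your own org, e.g. under `connectedApps/`). The two XML documents are constructed: a weak configuration beside its corrected form.

```python
"""Audit retrieved Salesforce ConnectedApp metadata for the settings the
ShinyHunters campaign abuses: over-broad OAuth scopes, never-expiring refresh
tokens, apps any user can self-authorise, and relaxed IP restrictions.

Added example, not Salesforce's or a cited source's code. Element names follow
the Metadata API ConnectedApp type (assumption: verify against your own files).
"""
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# Constructed weak configuration (not any real vendor's app): 'Full' scope,
# non-expiring refresh tokens, self-service authorisation, IP checks bypassed.
WEAK_APP = """<ConnectedApp xmlns="http://soap.sforce.com/2006/04/metadata">
    <label>Partner AI Assistant</label>
    <contactEmail>security@example.org</contactEmail>
    <oauthConfig>
        <callbackUrl>https://assistant.example.net/oauth/callback</callbackUrl>
        <scopes>Full</scopes>
        <scopes>RefreshToken</scopes>
    </oauthConfig>
    <oauthPolicy>
        <ipRelaxation>BYPASS</ipRelaxation>
        <refreshTokenPolicy>infinite</refreshTokenPolicy>
    </oauthPolicy>
    <permittedUsersPolicy>AllUsers</permittedUsersPolicy>
</ConnectedApp>
"""

# The same app after hardening: narrowest data scope, finite refresh-token
# lifetime (value syntax is an assumption), admin pre-approval, IP ranges enforced.
HARDENED_APP = """<ConnectedApp xmlns="http://soap.sforce.com/2006/04/metadata">
    <label>Partner AI Assistant</label>
    <contactEmail>security@example.org</contactEmail>
    <oauthConfig>
        <callbackUrl>https://assistant.example.net/oauth/callback</callbackUrl>
        <scopes>Api</scopes>
        <scopes>RefreshToken</scopes>
    </oauthConfig>
    <oauthPolicy>
        <ipRelaxation>ENFORCE</ipRelaxation>
        <refreshTokenPolicy>specificLifetime:7:DAYS</refreshTokenPolicy>
    </oauthPolicy>
    <permittedUsersPolicy>AdminPreApproved</permittedUsersPolicy>
</ConnectedApp>
"""


def _text(root, path):
    """Text of the first element at a namespaced path, or None if absent."""
    node = root.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def audit_connected_app(xml_text):
    """Return the app label, its granted scopes and a list of findings."""
    root = ET.fromstring(xml_text)
    label = _text(root, "m:label") or "<unlabelled>"
    scopes = {s.text.strip() for s in root.findall("m:oauthConfig/m:scopes", NS) if s.text}
    findings = []
    if "Full" in scopes:
        findings.append("scope 'Full' granted: replace with the narrowest scopes the app needs")
    if _text(root, "m:oauthPolicy/m:refreshTokenPolicy") == "infinite":
        findings.append("refresh tokens never expire: set a finite lifetime and revoke existing grants")
    if _text(root, "m:permittedUsersPolicy") != "AdminPreApproved":
        findings.append("any user can self-authorise the app: require admin pre-approval")
    if _text(root, "m:oauthPolicy/m:ipRelaxation") != "ENFORCE":
        findings.append("login IP ranges relaxed or bypassed for this app: enforce them")
    return {"label": label, "scopes": sorted(scopes), "findings": findings}


def audit_all(xml_texts):
    """Audit several retrieved files and keep only the apps with findings."""
    return [r for r in (audit_connected_app(x) for x in xml_texts) if r["findings"]]


if __name__ == "__main__":
    for result in audit_all([WEAK_APP, HARDENED_APP]):
        print(result["label"], result["scopes"])
        for f in result["findings"]:
            print("  -", f)
```

Run it over every file retrieved for the org; a third-party integration that shows up with `Full` plus `infinite` is the combination to fix first, since a phished user's single consent then yields a token that survives password resets and session revocation.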

7-Eleven confirms ShinyHunters breach of 600,000+ Salesforce franchise-application records — same campaign as Instructure, Vimeo, Wynn Resorts, Vercel, Medtronic

From CTI Daily Brief — 2026-05-19 · published 2026-05-19 · view item permalink →

7-Eleven, Inc. confirmed on 2026-05-18 that an unauthorised third party accessed systems storing franchisee documents on 2026-04-08, in a breach claimed by ShinyHunters on or around 2026-04-17 (SecurityWeek, 2026-05-18; Security Affairs, 2026-05-18). ShinyHunters listed over 600,000 Salesforce CRM records covering personal and corporate data from franchise applications, initially demanding a ransom with a 2026-04-21 deadline and then offering the data for sale at $250,000 on a hacker forum. 7-Eleven filed a Maine Attorney General notification dated 2026-05-01 confirming 24 months of IDX identity-theft protection for affected individuals (Maine AG breach notification, 2026-05-01). The Maine filing lists only 2 Maine residents but the ShinyHunters claim covers 600,000+ records globally. SecurityWeek attributes the broader campaign — Instructure (Canvas), Vimeo, Wynn Resorts (21,000 employees), Vercel and Medtronic among confirmed co-victims — not to Salesforce-product vulnerabilities but to phishing, third-party-integration abuse, and customer-side misconfiguration of Salesforce Connected Apps.

Why it matters to us: ShinyHunters is the same actor that hit Instructure last week, and the broader Salesforce-targeting campaign is continuing across sectors. The campaign vector is identity-side rather than Salesforce-product-side: Connected App OAuth grant abuse, phishing of admin sessions, mis-scoped third-party SaaS integrations. EU/CH public-sector and finance tenants using Salesforce for partner / supplier / case-management data should audit Connected App OAuth grants (particularly to third-party AI SaaS integrations), enable Salesforce Event Monitoring with alerts on bulk Report Export events and high-volume SOQL API calls, enforce IP-range / Trusted-IP session policies, and consider Salesforce Shield field-level encryption for PII. ATT&CK mapping: T1078.004 (Valid Accounts: Cloud Accounts), T1530 (Data from Cloud Storage), T1567.002 (Exfiltration to Cloud Storage).
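The Event Monitoring alerting recommended here, and in the Charter update above (baseline bulk-object query volumes, alert on anomalous large reads of Account/Contact), reduces to a small per-user baseline over the API event log. The block below is an added example for this page, not code from the cited sources or from Salesforce. Its input is modelled on the EventLogFile `API` event type as CSV; the column names are an assumption taken from the documented schema and should be checked against a file from your own org, and the log rows are constructed, not data from any named victim.

```python
"""Detect exfiltration-shaped bulk reads of PII objects in Salesforce
Event Monitoring logs.

Added example, not the cited sources' or Salesforce's code. Input is modelled
on the EventLogFile 'API' event type (one CSV row per API call); column names
are an assumption from the documented schema.
"""
import csv
import io
import statistics
from collections import defaultdict

# Objects a bulk query against is exfiltration-shaped for this tenant
# (assumption: extend with your own PII-bearing custom objects).
PII_OBJECTS = {"Account", "Contact", "Lead", "Case"}
ABS_FLOOR = 50_000   # rows/day that is suspicious for a (user, object) with no history
MIN_ROWS = 10_000    # ignore small spikes even if they are many times the baseline
MULTIPLIER = 20.0    # rows/day this many times the user's own median day is an alert

# Constructed sample rows: user AAA reads a few hundred Contacts a day from the
# mobile app, then one night pulls 250k Contacts and 230k Accounts through an
# unrecognised connected app; user BBB is a steady Data Loader integration.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_NAME,ENTITY_NAME,METHOD_NAME,ROWS_PROCESSED
API,2026-05-12T09:14:02.000Z,005000000000AAA,Salesforce Mobile,Contact,query,420
API,2026-05-13T09:03:11.000Z,005000000000AAA,Salesforce Mobile,Contact,query,510
API,2026-05-14T08:58:40.000Z,005000000000AAA,Salesforce Mobile,Contact,query,470
API,2026-05-15T02:41:07.000Z,005000000000AAA,Unknown Connected App,Contact,query,250000
API,2026-05-15T02:46:19.000Z,005000000000AAA,Unknown Connected App,Account,query,230000
API,2026-05-15T02:52:33.000Z,005000000000AAA,Unknown Connected App,Opportunity,query,1800
API,2026-05-12T10:00:00.000Z,005000000000BBB,Data Loader,Contact,query,60000
API,2026-05-13T10:00:00.000Z,005000000000BBB,Data Loader,Contact,query,62000
API,2026-05-14T10:00:00.000Z,005000000000BBB,Data Loader,Contact,query,61000
API,2026-05-15T10:00:00.000Z,005000000000BBB,Data Loader,Contact,query,59000
"""


def daily_totals(csv_text):
    """Sum ROWS_PROCESSED per (user, object, UTC day) for query API events,
    remembering which client apps issued them."""
    totals = defaultdict(int)
    clients = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["EVENT_TYPE"] != "API" or row["METHOD_NAME"] != "query":
            continue
        key = (row["USER_ID"], row["ENTITY_NAME"], row["TIMESTAMP_DERIVED"][:10])
        totals[key] += int(row["ROWS_PROCESSED"])
        clients[key].add(row["CLIENT_NAME"])
    return totals, clients


def detect_bulk_reads(csv_text, pii_objects=PII_OBJECTS):
    """Return one alert per (user, object, day) whose read volume is out of
    line with that user's own history on that object."""
    totals, clients = daily_totals(csv_text)
    history = defaultdict(dict)            # (user, object) -> {day: rows}
    for (user, obj, day), rows in totals.items():
        history[(user, obj)][day] = rows

    alerts = []
    for (user, obj), days in history.items():
        if obj not in pii_objects:
            continue
        for day, rows in days.items():
            others = [r for d, r in days.items() if d != day]
            if others:
                baseline = statistics.median(others)
                suspicious = rows >= MIN_ROWS and rows >= MULTIPLIER * baseline
            else:
                baseline = None            # first time this user touched this object
                suspicious = rows >= ABS_FLOOR
            if suspicious:
                alerts.append({
                    "day": day, "user": user, "object": obj, "rows": rows,
                    "baseline": baseline,
                    "clients": sorted(clients[(user, obj, day)]),
                })
    return sorted(alerts, key=lambda a: (a["day"], a["user"], a["object"]))


if __name__ == "__main__":
    for a in detect_bulk_reads(SAMPLE_LOG):
        print(f"{a['day']} user={a['user']} object={a['object']} "
              f"rows={a['rows']} baseline={a['baseline']} via {a['clients']}")
```

Two design points worth noting. A steady integration account (BBB) reads 60k Contacts a day and never alerts, because its own history is its baseline; that is intended, but it means a compromised integration credential would stay quiet, so pair this with an allowlist check on CLIENT_NAME and on the connected apps the audit above approved. And the first-ever read of an object is judged only against the absolute floor, which is where a freshly phished user touching Account for the first time shows up.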

7-Eleven — ShinyHunters Salesforce campaign claims another 600,000+ records

From CTI Weekly Summary — 2026-W21 (May 18 – May 24, 2026) · published 2026-05-18 · view item permalink →

7-Eleven confirmed on 2026-05-18 that an unauthorised third party accessed franchise-application records (600,000+) in a breach ShinyHunters claimed in April 2026. The operational point for this audience is the campaign, not the victim: 7-Eleven joins Instructure, Vimeo, Wynn Resorts, Vercel and Medtronic as named victims of the same Salesforce-targeting ShinyHunters operation. Any organisation with Salesforce connected apps and OAuth-integrated third parties should re-audit connected-app scopes and refresh-token lifetimes.