ShinyHunters Targets Education, Healthcare and Telecom in Major Data Breach Wave

The ShinyHunters threat group escalated attacks this week targeting 275 million education records, 5.5 million ADT customers, and major telecommunications providers through social engineering campaigns.

This week's threat landscape was dominated by ShinyHunters, an active threat group that has been involved in a significant number of data breaches since 2019. The group orchestrated multiple high-impact attacks across education, healthcare, and telecommunications sectors, demonstrating sophisticated social engineering tactics that bypassed traditional security controls.

Education Sector Under Siege: 275 Million Records Compromised

The most significant breach involved Instructure's Canvas learning management platform, used by 41 percent of higher education institutions in North America. ShinyHunters claimed theft of 275 million user records and 3.65 terabytes of data spanning 8,809 schools, universities, and education platforms. The attack was particularly brazen: after Instructure publicly stated the incident was "resolved," ShinyHunters re-compromised Canvas, redirecting university pages to ransom messages during finals week.

The breach included names, email addresses, student IDs, and a large volume of private messages from the Canvas LMS. This represents a new category of identity threat where academic communications and learning data create long-term exposure risks for students entering the workforce.

Healthcare and Critical Infrastructure Breaches Escalate

ADT, a major home security provider, suffered a breach affecting 5.5 million individuals after ShinyHunters compromised an employee's Okta single sign-on account via voice phishing. The attack highlights how threat actors are targeting identity infrastructure to access customer databases housed in cloud platforms like Salesforce.

Healthcare providers faced multiple incidents, with NYC Health + Hospitals experiencing a vendor breach exposing medical records, Social Security numbers, and biometric fingerprints. A stolen fingerprint cannot be changed, making biometric exposure permanent and the clearest case for protecting data at rest.

Telecommunications Under Voice Phishing Assault

Charter Communications suffered a data breach affecting 4.9 million email addresses, with names, phone numbers, physical addresses, and employee directory records exposed. The attack occurred through voice phishing that compromised an employee's Microsoft Entra account, enabling access to customer data in Salesforce environments.

BCD Travel was also targeted, with ShinyHunters warning of leaking over 700,000 Salesforce records and corporate SharePoint data unless negotiations were initiated by June 1, 2026.

What Individuals Should Do

Monitor educational and healthcare accounts for unauthorized access, particularly Canvas logins and medical portal activity. Set up account alerts where available and review privacy settings on learning platforms. Consider that academic records from this breach may surface in future social engineering attacks targeting your professional career. If you received ADT or Charter Communications breach notifications, monitor credit reports and consider placing fraud alerts on your accounts.

What Businesses Should Do

Implement comprehensive voice phishing training programs immediately. ShinyHunters' attacks relied on voice-phishing campaigns that tricked employees into divulging SSO credentials and multi-factor authentication codes. Review access controls for cloud platforms, particularly Salesforce and Microsoft environments. Establish out-of-band verification procedures for credential requests and consider implementing phishing-resistant MFA methods. Audit third-party vendor access to customer data and ensure contractual breach notification requirements align with your incident response timeline.