
Let them eat sourdough: ShinyHunters claims Panera Bread as stolen credentials victim

ShinyHunters says it stole several slices of data from Panera Bread, but that’s just the yeast of everyone’s problems. The extortionist gang also claims to have stolen data from CarMax and Edmunds, in addition to three other organizations it posted to its blog last week.

The criminals’ claims, seen by The Register and also shared on Daily Dark Web, allege that they stole more than 14 million records from casual bakery-cafe chain Panera Bread, including names, email and home addresses, phone numbers and account details totaling 760 MB of compressed data. They allegedly stole similar types of personally identifiable information (PII) from used-car-buying platform CarMax (over 500,000 records totaling 1.7 GB compressed), and vehicle-review site Edmunds (“millions” of records totaling 12 GB compressed).

None of the three companies immediately responded to The Register’s inquiries.

ShinyHunters told us that it gained access to Panera via a Microsoft Entra single-sign-on (SSO) code, while the CarMax and Edmunds breaches were from earlier, unrelated intrusions.

Scattered Lapsus$ Hunters, which has ties to ShinyHunters, posted CarMax on its now-defunct data-leak site in the fall, saying at the time that CarMax was among the dozens of companies whose Salesforce environments it had compromised.

Last week, Okta warned about cybercriminals stealing Okta, Microsoft, and Google SSO codes in a new rash of voice-phishing campaigns. A Microsoft spokesperson told The Register that Redmond “does not have anything to share at this time.” And a Google spokesperson said: “At this time, we have no indication that Google itself or its products are affected by this campaign.”

‘New, ongoing campaign’

The new alleged data breach victims join ShinyHunters’ claimed intrusions posted last week: Crunchbase, SoundCloud, and Betterment. According to the crime crew’s Friday blog post, these three earlier file-stealing operations netted the crooks more than 50 million records total. ShinyHunters told The Register that it gained access to two of the three – Crunchbase and Betterment – by voice-phishing Okta single-sign-on codes.

Voice-phishing for SSO codes combines social-engineering phone calls with real-time phishing kits. The attacker typically impersonates IT support and talks the employee into entering their credentials on a fake site that mimics the real Okta login page; the kit relays the password and one-time code to the genuine login page as they are typed, so the attacker captures the password and bypasses the user’s multi-factor authentication (MFA) in real time.
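The relay works because a one-time code carries no information about where the user typed it, whereas an origin-bound factor does. The following is an added illustration, not code from The Register, Okta, or any vendor named above: a minimal TOTP check (RFC 6238) is accepted when the code is forwarded from a lookalike page, while a WebAuthn-style assertion fails the relying party’s origin check. The origin `https://login.example-corp.test`, the lookalike `https://login.example-c0rp.test`, and the use of HMAC in place of a real authenticator’s asymmetric signature are all constructed assumptions for a standard-library-only example.

```python
import hashlib
import hmac
import json
import secrets
import struct
from dataclasses import dataclass

# Constructed relying-party (IdP) origin and a constructed lookalike; assumptions only.
RP_ORIGIN = "https://login.example-corp.test"
LOOKALIKE_ORIGIN = "https://login.example-c0rp.test"


# --- Phishable factor: a TOTP code (RFC 6238, HMAC-SHA1, 6 digits) ------------------
def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Standard HOTP/TOTP: HMAC over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def idp_verify_totp(secret: bytes, submitted_code: str, unix_time: int) -> bool:
    # The IdP sees only a six-digit string; nothing in it records where it was typed.
    return hmac.compare_digest(totp(secret, unix_time), submitted_code)


def totp_relay_login(secret: bytes, unix_time: int) -> bool:
    """Victim types the code into the lookalike page; the kit forwards it unchanged."""
    code_typed_on_lookalike = totp(secret, unix_time)  # victim's authenticator app output
    code_forwarded_by_kit = code_typed_on_lookalike     # relay is a byte-for-byte copy
    return idp_verify_totp(secret, code_forwarded_by_kit, unix_time)


# --- Phishing-resistant factor: an origin-bound WebAuthn-style assertion ------------
@dataclass
class Assertion:
    client_data_json: bytes
    authenticator_data: bytes
    signature: bytes


class Authenticator:
    """Stand-in for a FIDO2 authenticator. Real authenticators sign with an asymmetric
    key pair; HMAC with a per-credential secret is used here (assumption, so the
    example runs on the standard library). The origin binding is the point."""

    def __init__(self) -> None:
        self.credential_key = secrets.token_bytes(32)

    def get_assertion(self, challenge: str, browser_origin: str) -> Assertion:
        # The browser, not the page's JavaScript, fills in the origin it actually loaded.
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": browser_origin},
            sort_keys=True,
        ).encode()
        auth_data = hashlib.sha256(b"rp-id-hash").digest() + b"\x01"  # UP flag set
        to_sign = auth_data + hashlib.sha256(client_data).digest()
        sig = hmac.new(self.credential_key, to_sign, hashlib.sha256).digest()
        return Assertion(client_data, auth_data, sig)


def idp_verify_assertion(key: bytes, a: Assertion, expected_challenge: str) -> bool:
    data = json.loads(a.client_data_json)
    if data.get("type") != "webauthn.get" or data.get("challenge") != expected_challenge:
        return False
    if data.get("origin") != RP_ORIGIN:  # the check a relayed assertion cannot satisfy
        return False
    to_sign = a.authenticator_data + hashlib.sha256(a.client_data_json).digest()
    expected = hmac.new(key, to_sign, hashlib.sha256).digest()
    return hmac.compare_digest(expected, a.signature)


def webauthn_relay_login(browser_origin: str) -> bool:
    """The kit relays the IdP's challenge to the victim and the assertion back.
    Success depends only on which origin the victim's browser was really on
    (a real browser would also refuse a credential whose RP ID does not match)."""
    authenticator = Authenticator()
    challenge = secrets.token_urlsafe(32)  # issued by the genuine IdP
    assertion = authenticator.get_assertion(challenge, browser_origin)
    return idp_verify_assertion(authenticator.credential_key, assertion, challenge)


if __name__ == "__main__":
    seed = secrets.token_bytes(20)
    print("TOTP relayed via lookalike accepted:", totp_relay_login(seed, 1_700_000_000))
    print("WebAuthn on real origin accepted:", webauthn_relay_login(RP_ORIGIN))
    print("WebAuthn relayed via lookalike accepted:", webauthn_relay_login(LOOKALIKE_ORIGIN))
```

The first call returns True and the last returns False: the password plus one-time code can be forwarded in real time, but the assertion produced on the lookalike origin names that origin in its signed client data and is rejected by the real IdP. This is the reason Okta’s and others’ guidance steers toward FIDO2/WebAuthn for accounts exposed to this kind of campaign.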

While neither Crunchbase nor Betterment responded to The Register’s requests for comment, earlier this month, Betterment said an “unauthorized individual” gained access to “certain Betterment systems through social engineering” on January 9.

“The unauthorized access involved third-party software platforms that Betterment uses to support our marketing and operations,” the fintech firm said in a January 12 security update. “Once they gained access, the unauthorized individual was able to send a fraudulent, crypto-related message that appeared to come from Betterment to a subset of our customers.”

Hudson Rock co-founder and CTO Alon Gal last week said he downloaded the Crunchbase leak and it showed PII, signed contracts, and other corporate data.

On Monday, Silent Push threat hunters said ShinyHunters’ latest credential-stealing campaign targeted around 100 organizations, and the researchers also published a list of companies for which, they said, they had “detected active targeting or infrastructure preparation directed at your domain” in the last 30 days.

“We have no intel to share on any specific attacks and are unable to confirm if any have been successful,” Silent Push senior threat researcher Zach Edwards told The Register on Monday. “We do believe the orgs we’ve listed on our public blog have been targeted.”

Also on Monday, Mandiant Consulting CTO Charles Carmakal told The Register that the Google-owned threat investigators are tracking a “new, ongoing ShinyHunters-branded campaign” that uses voice-phishing techniques to steal SSO credentials. ®
