You have a firewall. You have antivirus software. You might even have a whole IT team.
And yet, a hacking group called ShinyHunters has still managed to breach over 300 organizations, expose billions of records, and walk away with data from Ticketmaster, Canvas, and most recently Charter Communications (Spectrum). How? They skipped the firewall entirely. They went straight to your people.
ShinyHunters is not a shadowy team of genius coders cracking unbreakable encryption in a darkened room. They are opportunists who figured out that the most reliable way into a company is through a human being, and human beings can be fooled.
The Uncomfortable Truth About Breaches
Here is a number worth sitting with:
95% of data breaches in 2024 involved human error, according to a study by Mimecast. The Verizon Data Breach Investigations Report puts the figure at around 68%, using a stricter definition. Either way, the message is consistent. The technology is often fine. The people are the gap.
This is not a criticism of your staff. It is an acknowledgment that attackers are patient, creative, and very good at exploiting normal human behaviors like trust, helpfulness, and the instinct to act quickly when something seems urgent.
How ShinyHunters Get In
ShinyHunters does not kick down the front door. They knock politely and wait for someone to let them in.
With the most recent Charter Communications (Spectrum) breach, they just phoned an employee and used voice phishing to talk their way into the company's systems. No malware required, just a convincing voice and an unsuspecting worker on the other end of the line. Once inside, they exported millions of records directly from Charter’s database.
The pattern is consistent across their campaigns. A person is the entry point.
A Quiet Walk Through Your Data
Once they are in, ShinyHunters does not immediately set off alarms. This is perhaps the most unsettling part of how they operate.
After gaining access through a single compromised account, they move quietly and methodically through connected systems. This is called lateral movement, and it is exactly what it sounds like. They start with one credential, discover what that account has access to, and use it to reach other systems, other accounts, and eventually the data they came for.
The average time to identify a breach is 181 days.
In the Charter attack, attackers maintained undetected access for nearly 6 weeks before the company realized anything had happened. That is 6 weeks of quiet exploration, mapping your systems, and deciding what to take.
The outcome was that ShinyHunters published the full 42 million records after ransom negotiations broke down, with the group stating, "the company failed to reach an agreement with us despite our incredible patience."
What You Can Do About It
The good news is that these attacks can be prevented. The steps below are not novel or expensive. They are best practices that consistently make the difference.
Turn on MFA and use SSO properly.
Multi-factor authentication (MFA) is the single most effective barrier against credential-based attacks. When ShinyHunters accessed customer accounts during the Snowflake breach, every affected account lacked MFA. If someone steals your password, MFA means they still cannot get in without that second factor, whether that is an app notification, a hardware key, or a passkey.
Single sign-on (SSO) reduces the number of places your employees need to use passwords, which reduces the number of places where those passwords can be stolen or reused. Fewer doors mean fewer ways in.
Train your people, then test them.
Security awareness training that sticks is more than an annual video nobody watches. Regular, short, engaging training on how to spot phishing emails, suspicious phone calls, and unusual requests makes a measurable difference.
Phishing simulations, where your own team sends fake phishing emails to employees, take this further. The point is not to catch people failing or to embarrass them, but to show them what a convincing attack looks like before a real one arrives. The goal is to build the habit of pausing before clicking, and to make that pause feel natural rather than paranoid.
Build policies that make exfiltration harder.
Once an attacker is inside, your job is to slow them down and limit what they can reach. A few practical policies make a significant difference.
Least privilege access means employees only have access to the systems and data they genuinely need for their role. If an attacker compromises a marketing coordinator's account, they should not be able to reach your financial systems or customer database. Compartmentalizing access limits the blast radius when something goes wrong.
Data loss prevention tools can flag or block large downloads, unusual file transfers, or data being sent to personal email accounts. These are the kinds of behaviors that show up when someone is quietly exfiltrating records.
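As an added illustration (not from the original post or any specific DLP product), the sketch below shows the kind of rule such a tool applies: it flags a database export far above a user's own typical volume, and data mailed to an address outside the corporate domain, which generalizes "personal email" to any non-corporate address. The log format, field names, domain names, and thresholds are all assumptions made for this example.

```python
import csv
import io
from statistics import median

# Constructed sample audit log (not real data):
# timestamp, user, action, record count, destination
SAMPLE_LOG = """\
2026-01-05T09:12,jlee,db_export,1200,reports-share
2026-01-06T10:03,jlee,db_export,900,reports-share
2026-01-07T09:47,jlee,db_export,1500,reports-share
2026-01-08T02:14,jlee,db_export,480000,reports-share
2026-01-08T11:30,mpatel,email_attachment,300,mpatel@example-corp.test
2026-01-08T11:42,mpatel,email_attachment,5200,mp.home@personal-mail.example
"""

CORPORATE_DOMAIN = "example-corp.test"  # assumption: the organization's mail domain
VOLUME_MULTIPLIER = 20                  # assumption: alert at 20x a user's typical export
MIN_HISTORY = 3                         # exports needed before volume is judged


def find_exfil_signals(log_text):
    """Return (timestamp, user, reason) alerts for review."""
    history, alerts = {}, []
    for ts, user, action, records, dest in csv.reader(io.StringIO(log_text)):
        records = int(records)
        if action == "db_export":
            past = history.setdefault(user, [])
            # Compare against this user's own earlier exports only.
            if len(past) >= MIN_HISTORY and records > VOLUME_MULTIPLIER * median(past):
                typical = median(past)
                alerts.append((ts, user, f"export of {records} records vs typical {typical:.0f}"))
            else:
                past.append(records)  # flagged exports stay out of the baseline
        elif action == "email_attachment":
            domain = dest.rsplit("@", 1)[-1].lower()
            if domain != CORPORATE_DOMAIN:
                alerts.append((ts, user, f"data sent outside the corporate domain ({domain})"))
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_signals(SAMPLE_LOG):
        print(*alert, sep=" | ")
```

A per-user baseline matters here: a fixed company-wide threshold would either miss a large pull from a normally low-volume account or drown analysts in alerts from roles that legitimately export in bulk.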
Create a culture where people can say "I think I made a mistake."
When an employee clicks on a suspicious link, the best outcome is that they immediately tell someone. The worst outcome is that they say nothing because they are afraid of being blamed, embarrassed, or disciplined.
ShinyHunters counts on silence. Every hour that passes after a compromise without anyone knowing is an hour they can use to move further into your systems.
Building a security culture means making it genuinely safe to report mistakes. A "see something, say something" environment, where people are praised for flagging odd emails or phone calls whether they avoided the trap or fell for it, is one of the most powerful tools you have. Fast reporting turns a potential catastrophe into a manageable incident.
The Bigger Picture
ShinyHunters is still active as of 2026. Arrests have been made, but the group's structure is decentralized enough that operations continue. They are not going away.
What makes them effective is not technological genius. It is the consistent, patient exploitation of the fact that organizations invest heavily in technical security and comparatively lightly in the human side. Firewalls are important. So is the person who answers the phone when someone calls pretending to be from IT.
The average cost of a data breach can be significant. The cost of MFA, training, and a healthy reporting culture is a fraction of that. Your people are not your weakness. Untrained, unsupported, and unprepared people are. Closing that gap is entirely within reach.
Protecting your business starts with understanding how attacks happen. If you would like to talk about where your organization might have gaps, we are here to help.
At Net Friends, we believe in the power of human expertise. While we leverage AI to enhance our content and processes, all blog posts are written and edited by our knowledgeable staff. You can trust you are getting insights directly from our team.

