One threat actor, multiple Fortune 500s, in roughly two weeks.

ShinyHunters has been the name on every major breach disclosure in May 2026. The headline numbers: 275 million user records exfiltrated from Instructure's Canvas educational platform, 500,000 Salesforce records from Cushman & Wakefield, and intrusions at Medtronic and Itron in the same window.

The unifying pattern is depressingly familiar. Identity-provider compromise → cloud SaaS data theft → public extortion. No zero-day required.

§ 01 The boring fix

If you're responsible for a security program right now, three boring questions:

• Do you have phishing-resistant MFA on your SaaS admins? Not "MFA." Phishing-resistant.
• Do you know which third-party SaaS apps have OAuth scopes over your production data?
• Can you revoke every refresh token in under five minutes if you have to?

If any of those are "I'd need to check," you're not measurably safer than Cushman & Wakefield was three weeks ago.