Executive Risk & Board Advisory

Four Breaches in Six Weeks. One Extortion Group. Your Portfolio Is the Target List.

Dipan Mann
Founder, CEO & CTO
June 7, 2026
9 minute read

Between April and June 2026, one criminal group breached Instructure, Adobe, Match Group, and DentaQuest. These are not four unrelated incidents. They are one campaign, running through a target list made up of exactly the kind of company private equity owns.

In early 2026 the easiest way to understand the threat landscape was to keep a list. Not of vulnerabilities. Of victims.

In April, Adobe disclosed a breach of roughly 13 million customer records. Around the same window, Match Group, the company behind Tinder and Hinge, was hit through a third-party analytics provider. In May, Instructure, the company that runs Canvas, was breached twice, exposing 275 million students and staff days before finals week. In June, the dental benefits administrator DentaQuest had 234 gigabytes and the records of 2.6 million Medicaid members published after it declined to pay.

Four companies. Three industries. Six weeks. One name kept appearing in the reporting: ShinyHunters.

This is the part most coverage gets wrong. Each breach was written up as its own story, with its own headline and its own corporate statement about an isolated incident. Read individually, they look like bad luck spread across unrelated firms. Read as a list, they look like what they are: a single extortion group methodically working through a target list, and the targets share a profile.

ShinyHunters is not new. The same group has been credibly tied to Ticketmaster (roughly 560 million records in 2024), AT&T (109 million records in 2024), and Santander. What changed in 2026 is the tempo and the discipline. This is no longer opportunistic smash-and-grab. It is a campaign with a business model.

And the business model has a customer segment. That segment is the mid-market: companies large enough to hold millions of valuable records, but not large enough to defend them like a tier-one bank. Companies that, more often than not, are owned by a financial sponsor.

💡 Key Insight

ShinyHunters is not picking targets at random. It is picking companies that hold valuable data and cannot defend it the way a bank can, which is the precise profile of a mid-market SaaS portfolio company.

The playbook: they didn't break in. They logged in.

The single most important fact about the 2026 campaign is the one that sounds least dramatic. In almost every confirmed case, the attacker did not defeat a firewall or burn a zero-day. They authenticated. They arrived through a legitimate front door using legitimate credentials, because someone handed those credentials over.

The mechanics repeat across the victim list:

  1. Help-desk social engineering. An attacker calls support, impersonates an employee, and talks an agent into resetting a password or MFA enrollment. The same technique that took down MGM and Caesars in 2023 still works in 2026 because it targets people, not patches.
  2. OAuth and session-token theft. Rather than steal a password and trip a login alert, attackers steal an already-authenticated token. This is how Russia harvested more than 18,000 Microsoft 365 tokens without deploying any malware, and it is how data walks out of SaaS platforms the victim believed were locked down. See our explainer on credential harvesting.
  3. Trusted third-party connections. Match Group was reached through an analytics vendor. The 2024 Snowflake campaign hit dozens of companies through a single inherited weakness. The breach is not always in the company. It is often in something the company trusted. This is the entire premise of third-party risk management.
  4. Pay or leak. Once the data is out, the extortion is not about decryption. There is nothing to decrypt. The leverage is publication. DentaQuest declined to pay; ShinyHunters published 234 GB. The threat is the disclosure itself, and it lands whether or not the victim ever restores a single system.

What every one of these companies should have done

None of the defenses here are exotic. They are the unglamorous controls that get deferred because they do not show up in a product demo.

  1. Phishing-resistant MFA on every account, with no help-desk override path that a phone call can defeat.
  2. An inventory of every OAuth grant and third-party integration touching production data, reviewed quarterly, not annually.
  3. Vendor contracts that require breach notification in hours, not the weeks most administrators actually take.
  4. Tested detection for token abuse and anomalous data egress, because the login looked legitimate and only the behavior afterward was not.
  5. A compromise assessment on any newly acquired company before its systems are connected to anything that matters.
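
The fourth control above, and the token-theft step in the playbook, is the one most teams cannot produce evidence for: the login looked legitimate, so the only signal is what the session did afterward. The following Python sketch is an added illustration, not code from the original post or from Cloudskope. It runs two checks over a constructed JSON-lines audit log with a hypothetical schema: a session token that is used from a different IP address and user agent than the client that performed the login, and a per-user daily export volume far above that user's own earlier baseline. The field names, the sample events, and the thresholds are all assumptions chosen for the example.

```python
"""Two behavioural checks for an already-authenticated attacker (added example).

The log format below is a hypothetical, simplified JSON-lines audit trail;
real SaaS platforms each use their own schema, so the field names are assumptions.
"""
import json
import statistics
from collections import defaultdict

# Constructed sample log. One long-lived session for alice is used normally for
# four days, then replayed at 02:14 from a new IP with a scripting client and
# used to pull two very large exports. bob is a control user with nothing odd.
SAMPLE_LOG = """\
{"ts":"2026-05-04T09:00:00Z","event":"login","user":"alice","session":"s-1","ip":"203.0.113.10","ua":"Chrome/124"}
{"ts":"2026-05-04T09:10:00Z","event":"export","user":"alice","session":"s-1","ip":"203.0.113.10","ua":"Chrome/124","bytes":120000}
{"ts":"2026-05-05T09:12:00Z","event":"export","user":"alice","session":"s-1","ip":"203.0.113.10","ua":"Chrome/124","bytes":100000}
{"ts":"2026-05-06T09:03:00Z","event":"export","user":"alice","session":"s-1","ip":"203.0.113.10","ua":"Chrome/124","bytes":150000}
{"ts":"2026-05-07T09:30:00Z","event":"export","user":"alice","session":"s-1","ip":"203.0.113.10","ua":"Chrome/124","bytes":110000}
{"ts":"2026-05-08T02:14:00Z","event":"export","user":"alice","session":"s-1","ip":"198.51.100.77","ua":"python-requests/2.31","bytes":8500000000}
{"ts":"2026-05-08T02:20:00Z","event":"export","user":"alice","session":"s-1","ip":"198.51.100.77","ua":"python-requests/2.31","bytes":4200000000}
{"ts":"2026-05-08T09:00:00Z","event":"login","user":"bob","session":"s-2","ip":"203.0.113.22","ua":"Firefox/125"}
{"ts":"2026-05-08T09:05:00Z","event":"export","user":"bob","session":"s-2","ip":"203.0.113.22","ua":"Firefox/125","bytes":90000}
"""


def parse_log(text):
    """Parse JSON-lines audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_session_reuse(events):
    """Flag a session token used from a client fingerprint (IP, user agent)
    other than the one seen at login. A stolen token replayed elsewhere never
    trips a login alert, because no login happens; the client change is the
    only signal. One finding per session, at the first mismatching event."""
    origin = {}          # session id -> (ip, ua) recorded at login
    flagged = set()
    findings = []
    for ev in events:
        sid = ev["session"]
        if ev["event"] == "login":
            origin[sid] = (ev["ip"], ev["ua"])
            continue
        if sid in origin and sid not in flagged and origin[sid] != (ev["ip"], ev["ua"]):
            flagged.add(sid)
            findings.append({"session": sid, "user": ev["user"], "ts": ev["ts"],
                             "ip": ev["ip"], "ua": ev["ua"]})
    return findings


def daily_egress(events):
    """Sum exported bytes per user per calendar day (date prefix of the timestamp)."""
    totals = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["event"] == "export":
            totals[ev["user"]][ev["ts"][:10]] += ev["bytes"]
    return totals


def detect_anomalous_egress(events, factor=10, floor_bytes=1_000_000_000):
    """Flag a day whose per-user export volume exceeds BOTH an absolute floor and
    `factor` times that user's median daily volume on earlier days. The floor
    stops a user with a tiny baseline from being flagged by ordinary variation;
    the multiple stops a routinely heavy exporter from being flagged for a
    normal day. Both thresholds are assumed values for the example."""
    findings = []
    for user, by_day in daily_egress(events).items():
        days = sorted(by_day)
        for i, day in enumerate(days):
            prior = [by_day[d] for d in days[:i]]
            if not prior:                      # no baseline yet for this user
                continue
            baseline = statistics.median(prior)
            if by_day[day] > max(floor_bytes, factor * baseline):
                findings.append({"user": user, "day": day,
                                 "bytes": by_day[day], "baseline": baseline})
    return findings


def analyze(text):
    """Run both checks over a raw log and return the findings together."""
    events = parse_log(text)
    return {"session_reuse": detect_session_reuse(events),
            "anomalous_egress": detect_anomalous_egress(events)}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind)
        for hit in hits:
            print("  ", hit)
```

On the constructed input the first check reports session s-1 at the 02:14 event from 198.51.100.77, and the second reports alice on 2026-05-08 with 12.7 GB against a median baseline of 115 KB. In a real deployment the per-day bucket would usually be a shorter window and the fingerprint would include an ASN or device identifier, but the shape of the evidence a board should ask for is the same: proof that the detection fires on a replayed token and on bulk egress, not just that a login succeeded.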

Key figures

  • 234 GB: Data ShinyHunters published from DentaQuest after the company declined to pay the extortion demand.
  • 18,000+: Microsoft 365 tokens harvested in a single 2026 campaign with no malware deployed, the same logged-in pattern seen across the ShinyHunters victims.
  • 275 million: Students and staff exposed in the Instructure/Canvas breach, the largest single name on the 2026 list.

Why this is a private equity problem, specifically

Read the victim profile back slowly. Large volume of personal data. Operates a SaaS or data-aggregation platform. Security maturity above a small business but well below a major bank. Often dependent on a handful of third-party vendors and an MSP. That is not a description of an unlucky company. That is a description of the median portfolio company in a mid-market fund.

The financial consequence does not stop at the breached entity. For a healthcare data administrator like DentaQuest, a single breach can trigger an HHS Office for Civil Rights investigation, state attorney general attention, and class-action filings, all of which flow from the data being published, independent of whether operations were ever disrupted. For a sponsor, that is a direct hit to a portfolio company's enterprise value, its insurability, and its eventual exit multiple.

The questions a board and a deal team should be asking are not technical. They are governance questions:

  • Do we know, today, which of our portfolio companies match the ShinyHunters target profile? (Most of them.)
  • For each one, can the help desk be talked out of a credential, or is MFA truly phishing-resistant?
  • Do we have an inventory of third-party data connections at every portfolio company, or are we inheriting unknown exposure with every add-on acquisition?
  • If a portfolio company were named on a leak site tomorrow, who makes the pay-or-don't-pay decision, and have they ever rehearsed it?

This is the work of cyber due diligence done properly, and of vendor risk management treated as an investment-protection function rather than a compliance checkbox. The companies on the 2026 list did not lack security budgets. They lacked the specific controls that stop an attacker who logs in. ShinyHunters has shown, four times in six weeks, that it knows exactly which companies those are.

Conclusion

The next name on the list is not a question of luck. It is a question of which company in the portfolio still lets a phone call reset an MFA token.

CLOUDSKOPE VIEW

Cloudskope runs cyber due diligence and vendor-risk assessments for private equity sponsors and the mid-market companies they own, mapping exactly the exposure ShinyHunters is exploiting.
