When a cyberattack hits a single company, the blast radius is containable. When it hits a vendor trusted by a supply chain of hundreds or thousands of organizations, the consequences are a different order of magnitude entirely.
That is exactly what happened when ShinyHunters, one of the most prolific cybercriminal groups operating today, turned their attention to the SaaS ecosystem in 2025 and 2026. And as with so many high-profile breaches before them, the warning signs were visible long before the headlines arrived.
A Single Attacker, Two Targets, Hundreds of Victims
In August 2025, stolen access credentials were used to extract data from more than 760 of Salesloft’s customer companies, including Cloudflare, Palo Alto Networks, Qantas, and Allianz Life, in a single 10-day window. Salesloft’s Drift chat subsidiary was used as the entry point.
Around the same time, Instructure, the company behind Canvas, the learning management platform used by a significant proportion of higher education institutions globally, was compromised by the same group. The attack ultimately affected roughly 9,000 educational institutions and 275 million users, and the same attackers returned for a second campaign eight months later.
These were not two unrelated incidents that happened to occur close together. They were parallel campaigns run by the same threat actor, against multiple software vendors, at the same time. The insurance and reinsurance industry now has a formal name for this pattern: a Multi-Client Targeted Attack (MCTA). This is a category of breach defined by a shared vendor or supplier as the common thread linking a large number of simultaneous victims. The term was formalized in 2026 by an industry working group including Munich Re, Moody’s, AXIS, and Gallagher Re.
The Signals Were There Over a Year in Advance
The public learned about both breaches in September 2025. But attacker activity targeting both Salesloft and Instructure was visible on the dark web far earlier than that.
Searchlight Cyber’s Intangic and DarkIQ platforms, which monitor dark web infrastructure for signals of attacker behavior targeting named companies, showed elevated activity for both Salesloft and Instructure in the first week of May 2024. Activity peaked across both targets in June and July 2024. That is approximately 14 months before either breach was publicly disclosed.
Crucially, both companies lit up in the same week and peaked in the same month. That temporal alignment is not coincidental; it is the fingerprint of a coordinated campaign. A defender watching the dark web would not just have seen risk at a single vendor, but the signature of a threat actor moving across multiple targets simultaneously.
| | Salesloft | Instructure |
|---|---|---|
| When our platform flagged elevated attacker activity | First week of May 2024 | First week of May 2024 |
| When attacker activity peaked on our platform | June–July 2024 | June–July 2024 |
| When the breach became public | September 2025 | September 2025 (first breach) / May 2026 (second breach) |
| Advance warning | ~14 months | ~14 months (first), ~24 months (second) |
What Advance Warning Looks Like
Traditional cyber risk tools show either what is happening inside a network, or what has already been published. By the time those tools fire an alert, the damage is often done.
Dark web monitoring operates differently. Rather than waiting for a breach to be detected, it watches the external activity that precedes and accompanies an attack: the reconnaissance, the credential trading, the traffic flowing to and from anonymous infrastructure. Specifically, the signals that matter include:
- Inbound attacker activity: anonymous connections probing a company’s external infrastructure for weaknesses
- Outbound exfiltration signals: traffic leaving a company’s network toward the same anonymous services attackers use
- Credential theft and trading: stolen access credentials appearing in dark web markets, traded to provide initial access to a victim organization
- Threat actor discussion: chatter in forums and private channels which can indicate targeting and active campaigns
When several of these signals activate for the same organization within a short window, the statistical risk of a material breach in the following 90 days rises sharply. When they activate for multiple connected organizations at once, you are looking at something more organized: a supply chain attack in preparation.
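One way a defender could correlate these four signal types across a vendor watch list, shown here as an added example (not Searchlight Cyber's method or code). The short signal labels, the 14-day window, the three-signal threshold, the 7-day grouping gap and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import date, timedelta

# The four signal categories listed above; the short labels are assumptions.
SIGNAL_TYPES = {"inbound", "exfil", "credentials", "chatter"}

# Constructed sample events (vendor, date, signal type); not real telemetry.
EVENTS = [
    ("vendor-a", date(2024, 5, 2), "inbound"),
    ("vendor-a", date(2024, 5, 6), "credentials"),
    ("vendor-a", date(2024, 5, 9), "chatter"),
    ("vendor-b", date(2024, 5, 3), "inbound"),
    ("vendor-b", date(2024, 5, 7), "exfil"),
    ("vendor-b", date(2024, 5, 8), "credentials"),
    ("vendor-c", date(2024, 5, 4), "chatter"),
    ("vendor-c", date(2024, 8, 20), "inbound"),
]

def vendor_alerts(events, window_days=14, min_types=3):
    """Map each vendor to the first date on which at least min_types
    distinct signal types were seen inside a window_days window."""
    by_vendor = defaultdict(list)
    for vendor, day, kind in events:
        if kind in SIGNAL_TYPES:          # ignore unknown signal labels
            by_vendor[vendor].append((day, kind))
    alerts = {}
    for vendor, rows in by_vendor.items():
        rows.sort()
        for i, (end, _) in enumerate(rows):
            start = end - timedelta(days=window_days)
            kinds = {k for d, k in rows[: i + 1] if d > start}
            if len(kinds) >= min_types:
                alerts[vendor] = end
                break
    return alerts

def correlated_groups(alerts, gap_days=7):
    """Group vendors whose alerts fired within gap_days of the previous one:
    the multi-vendor pattern the text treats as a possible shared campaign."""
    groups, current = [], []
    for vendor, day in sorted(alerts.items(), key=lambda kv: kv[1]):
        if current and (day - current[-1][1]).days > gap_days:
            groups.append(current)
            current = []
        current.append((vendor, day))
    if current:
        groups.append(current)
    return [sorted(v for v, _ in g) for g in groups if len(g) > 1]
```

On the constructed data, vendor-a and vendor-b each cross the threshold within a day of each other and are grouped, while vendor-c's two signals are months apart and raise nothing.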
Why Supply Chain Risk Is Different
Most security programs are built around a single perimeter: your network, your assets, your credentials. Supply chain risk breaks that model. The focus moves away from simply whether your organization is secure, to assessing whether every vendor you depend on is secure, and if one of them is compromised, how exposed you are.
The Salesloft and Instructure incidents illustrate the scale of what that exposure can look like. Hundreds of organizations, many of them sophisticated enterprises with mature security postures, were caught by a breach they had no direct visibility into, because the entry point was a trusted third party. The attacker did not need to breach each victim individually. Breaching the vendor was enough.
This is increasingly how large-scale cyber campaigns operate. A single vulnerability in a widely-used SaaS platform, a single set of stolen credentials for a cloud provider, a single compromise of a software update mechanism. Any of these can become the entry point for a cascading event that affects an entire ecosystem of downstream customers simultaneously.
Seeing the Supply Chain, Not Just the Perimeter
Understanding whether your vendors are being actively targeted, before any breach is confirmed, requires visibility into the dark web activity surrounding them. That means monitoring not just your own external attack surface, but the signals accumulating around the suppliers, platforms, and partners that sit inside your trusted ecosystem.
Security teams with access to dark web intelligence in May 2024 would have seen elevated attacker interest in both platforms over a year before public disclosure, with enough time to review third-party access, audit authentication configurations, prepare contingency plans, and engage vendors directly.
For those in the insurance industry: if a customer of yours had even one of Salesloft’s 760 affected customers, or one of the institutions that depended on Canvas, in its portfolio, the public disclosure would have caught them by surprise. Operations disrupted. Data exposed. Litigation risk. Possible LP reporting obligations. Valuation impact on a planned exit.
With this visibility, however, your clients’ portfolio team would have known months in advance that something was happening at Salesloft and Instructure. They would have had time to:
- Ask portfolio companies whether they depend on those vendors
- Map the concentration risk across the portfolio
- Engage management teams to harden their authentication and access controls
- Prepare LP communications proactively rather than reactively
- Factor the risk into deal timing, valuation, and exit planning
Insurers and reinsurers are already responding. The formal classification of Multi-Client Targeted Attacks as a distinct risk category reflects growing concern in the insurance market about correlated losses that existing risk models were not built to price.
Companies with the highest levels of dark web activity targeting their organization are approximately eight times more likely to suffer a material breach than low-risk peers in the following 90 days. This was a core finding from our 2026 study of approximately 6,000 publicly listed companies conducted with DePaul University’s Arditti Center for Risk Management. For the insurance industry, that kind of predictive signal represents a fundamental shift in how cyber risk can be assessed. For security teams and CISOs, it represents something equally valuable: the ability to act on risk before it becomes a headline.
The warning signs of the ShinyHunters attacks were there. The question is whether you’ll be able to see them coming ahead of the next major supply chain incident.