Multiple U.S. consumer brands confirmed incidents after a social‑engineering campaign attributed to the ShinyHunters actor compromised contractor and single‑sign‑on credentials. Companies said user account credentials and financial data were not believed to be accessed, though investigators warned of follow‑on scams and extortion risks.

Security firms and affected companies reported a coordinated social‑engineering campaign, widely attributed to the ShinyHunters actor, that used phishing and vishing techniques to compromise contractor and SSO credentials and expose limited internal data at several U.S. consumer brands. Confirmed victims included dating platform companies under Match Group and Bumble, restaurant chain Panera Bread, and data platform CrunchBase. Company statements emphasized that there was no indication that customer passwords or payment card data were accessed, and that immediate containment and remediation steps were taken, including resetting credentials, engaging forensic investigators and notifying potentially impacted partners. Industry analysts warned that exposed contractor access can enable follow‑on scams, extortion attempts and targeted social‑engineering of customers or employees, and urged stronger vendor security, multi‑factor authentication and monitoring. Regulators and cybersecurity firms tracking the activity highlighted the persistent risk from human‑targeted attacks and called for improved supplier security practices and rapid incident response to limit downstream harm to users and business operations.