Voice phishing and the new normal
ShinyHunters is back in circulation with a familiar pattern: they start from a voice-phishing or social engineering vector, obtain employee access credentials, then probe SaaS databases for rich customer metadata. In February 2026 the gang leaked 2.56 GB of Figure data, citing CRM dumps, applicant data, KYC documents, and employee dossiers (AppliedTech, Feb 20, 2026). A long tail of customers, nearly 1 million accounts, was exposed.
Luxury brands pay the price
South Korea’s PIPC slapped Dior, Louis Vuitton, and Tiffany with a combined ₩36 billion (~$25 million) fine after malware/voice-phishing incidents compromised over 5 million individuals. Regulators highlighted weak staff training around external communications and an overreliance on email OTPs, classic enablers of the same ShinyHunters toolkit that worked against Figure and Crunchbase earlier in the year.
Crunchbase, third parties, and the new blueprint
Crunchbase confirmed the gang had extracted 2 million records through voice phishing as well. The data went beyond personal identifiers, including company contracts and internal notes that an attacker could reuse to social-engineer suppliers. These incidents share a blueprint: the attacker starts with a low-profile voice call, gathers credentials or API keys, then escalates to whichever SaaS environment contains the highest density of customers.
Lessons for SOCs and privacy teams
- Treat voice phishing like an active threat vector: log who has access to the CRM admin panel and kick off identity proofing for every suspicious call.
- Walk your team through how ShinyHunters reuses the same data exfiltration pipeline: once they have CRM access, they harvest all customer metadata, so your telemetry should flag bulk downloads and exports immediately.
- Factor in regulatory fallout: brands are now learning that failing to segment CRM and marketing data results in multi-million-dollar fines, especially when cross-border customers are affected.
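
To make the bulk-export point concrete, here is a sketch of that telemetry check, added as an illustration and not taken from any vendor or from the incidents above. It assumes a hypothetical JSON-lines CRM audit log with `ts`, `user`, `action` and `records` fields; the sample events, the action names, the 10-minute window and the 5,000-record threshold are all constructed values to tune against your own baseline.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit events; the field names are a hypothetical schema,
# not the export format of any particular CRM.
SAMPLE_LOG = """\
{"ts": "2026-02-18T09:01:00", "user": "a.kim", "action": "view", "records": 1}
{"ts": "2026-02-18T09:03:00", "user": "a.kim", "action": "export", "records": 40}
{"ts": "2026-02-18T13:10:00", "user": "j.doe", "action": "export", "records": 1800}
{"ts": "2026-02-18T13:12:00", "user": "j.doe", "action": "report_download", "records": 2100}
{"ts": "2026-02-18T13:15:00", "user": "j.doe", "action": "export", "records": 2500}
{"ts": "2026-02-18T15:40:00", "user": "j.doe", "action": "export", "records": 30}
this line is not JSON
"""
BULK_ACTIONS = {"export", "report_download"}  # assumed action names

def parse_events(text):
    """Yield (timestamp, user, records) for bulk-capable actions; skip bad lines."""
    for line in text.splitlines():
        try:
            ev = json.loads(line)
            if ev["action"] in BULK_ACTIONS:
                yield datetime.fromisoformat(ev["ts"]), ev["user"], int(ev["records"])
        except (ValueError, KeyError, TypeError):
            continue  # malformed line: count these in production, do not crash

def detect_bulk_export(events, window=timedelta(minutes=10), threshold=5000):
    """Alert when one user's exported records within `window` exceed `threshold`."""
    recent = defaultdict(deque)  # user -> (ts, records) pairs still inside the window
    totals = defaultdict(int)    # user -> running sum of records in the window
    alerted = set()              # one alert per user, to avoid alert storms
    alerts = []
    for ts, user, records in sorted(events):
        q = recent[user]
        q.append((ts, records))
        totals[user] += records
        while q and ts - q[0][0] > window:  # expire events older than the window
            totals[user] -= q.popleft()[1]
        if totals[user] > threshold and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "at": ts.isoformat(),
                           "records_in_window": totals[user], "events": len(q)})
    return alerts

if __name__ == "__main__":
    for alert in detect_bulk_export(parse_events(SAMPLE_LOG)):
        print(alert)
```

A fixed window catches the smash-and-grab export described above but not a slow drip spread over days, so pair it with a per-user daily total compared against that user's normal volume.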