If there is one theme that has defined the biggest breaches of 2026 so far, it isn’t a novel exploit. It’s identity.
A sustained wave of SaaS and CRM extortion activity through May and June 2026, widely attributed to actors operating in the ShinyHunters ecosystem, hit platforms including Salesforce and Microsoft 365 tenancies, not through a technical intrusion, but through a phished single sign-on token, a talked-out help-desk reset, or access quietly inherited through a third-party vendor.
Separately, KDDI and five other Japanese ISPs (STNet, JCOM, Chubu Telecommunications, and BIGLOBE among them) disclosed on 17 June 2026 that a vulnerability in third-party software had exposed a database affecting up to 14.22 million current and former customer accounts.
Several high-profile ransomware and extortion incidents through Q2 2026 have traced back to a single compromised account or integration rather than a software flaw.
The common denominator: for a period of time, the attacker looked like a legitimate user.
In MITRE ATT&CK terms, this is Valid Accounts (T1078) at scale, credential theft and abuse rather than exploitation, and it is precisely the technique class that signature- and vulnerability-focused tooling is weakest against. Catching it requires the right logs, retained for long enough, correlated well enough to notice.