IRCNF

Vulnerability Exploitation Now Beats Stolen Credentials as Top Breach Entry Point — and ShinyHunters Hit 6 Million Carnival Customers


Vulnerability Exploitation Surpasses Stolen Credentials for the First Time

Verizon's 2026 Data Breach Investigations Report contains a statistic that should reframe every organization's security priorities: for the first time in 19 years, exploiting software vulnerabilities has surpassed stolen credentials as the number one breach entry point. This is not a marginal shift — it represents a fundamental change in how attackers are gaining initial access to enterprise networks.

The shift reflects two converging trends: AI-powered vulnerability scanning that compresses exploitation timelines from months to hours, and a persistent failure by organizations to apply patches on the timescales that matter. Ivanti, Fortinet, SAP, VMware, and n8n all rolled out critical patches for actively exploited flaws in May 2026. Two unpatched Windows zero-days — "YellowKey" and "GreenPlasma" — were exposed after Microsoft's May Patch Tuesday, capable of bypassing BitLocker recovery and granting administrative privileges on unpatched systems.

ShinyHunters Is Having a Catastrophic May

The ShinyHunters extortion group has been behind two of the most significant breaches disclosed in May 2026. The first: Carnival Corporation began notifying approximately 6 million people whose personal data — names, addresses, email addresses, phone numbers, dates of birth, and government-issued ID numbers — was accessed after ShinyHunters used social engineering to compromise an employee and gain access to part of Carnival's IT systems.

The second is potentially larger in scale. Instructure Inc., the company behind the Canvas learning management system used by universities and K-12 schools across the US, was targeted by a ransomware attack in which ShinyHunters threatened to leak data tied to as many as 275 million users. Canvas is used by over 30 million students and instructors globally. If the claimed data volume is accurate, this would be one of the largest education sector breaches on record.

Both breaches share a common initial vector: social engineering against employees, not technical exploitation of software flaws. This matters because it means perimeter security hardening — patching, firewalling, network segmentation — does not protect against an attacker who convinces a legitimate employee to hand over credentials.

The Foxconn and ADT Incidents: Supply Chain and Identity Attacks

In May, Foxconn's North American factories suffered a ransomware attack by the Nitrogen group, which claimed to have exfiltrated 8TB of data. Manufacturing environments are increasingly targeted because they often run older OT (operational technology) systems with poor network segmentation from corporate IT, creating easy lateral movement paths once an attacker gains a foothold.

ADT faced scrutiny after the ShinyHunters group claimed to have stolen personal information of 5.5 million ADT customers — accessed via a voice phishing (vishing) campaign that compromised an employee's Okta single sign-on account. The Okta vector is significant: SSO systems are high-value targets because a single compromised account can provide access to dozens of connected applications. The ADT incident illustrates why vishing — phone-based social engineering — remains underappreciated as an attack vector despite being simple and effective.

AI-Built Applications Are a New Attack Surface

A WIRED investigation published in May 2026 found thousands of web applications built using AI coding tools that had been left publicly accessible, sometimes exposing sensitive corporate and personal data. The pattern: developers use AI assistants to rapidly prototype and deploy applications, but skip security review steps — authentication, authorization, input validation — that would be caught in a formal development process.

This is a structural problem, not a one-off. AI coding tools lower the skill threshold for building functional applications, but they do not automatically lower the skill threshold for building secure applications. A developer who does not know to implement authentication cannot be protected by an AI tool that does not know they need it. Organizations need to extend their security review processes to include AI-generated code with the same rigor applied to human-written code.
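One way to make that review gate mechanical, as an added example that is not code from the article or from any AI coding tool: a small static check that parses Python source and flags every route handler with no authentication decorator. It covers only the first of the four checks named above (authentication, not authorization, input validation or data exposure), and the decorator names it looks for (`app.route`/`app.get`/`app.post` style route markers, `login_required`/`require_auth`/`jwt_required` auth markers) are assumed conventions, not a standard.

```python
"""Flag route handlers that carry no authentication decorator.

Added example for the "AI-generated code needs a security review gate"
point; it is not the article's code.  ROUTE_DECORATORS and AUTH_DECORATORS
are assumptions about the application's conventions and should be set to
whatever the code base actually uses."""
import ast
from typing import List, Tuple

# Trailing name of the decorator, e.g. @app.route(...) -> "route".
ROUTE_DECORATORS = {"route", "get", "post", "put", "delete", "patch"}
AUTH_DECORATORS = {"login_required", "require_auth", "jwt_required"}


def _decorator_name(node: ast.expr) -> str:
    """Return the last identifier of a decorator expression, or ''."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return ""


def find_unauthenticated_routes(source: str) -> List[Tuple[str, int]]:
    """Return (function_name, def_line) for every route handler whose
    decorator list contains no recognised auth decorator."""
    tree = ast.parse(source)
    findings = []
    for node in ast.walk(tree):
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        names = {_decorator_name(d) for d in node.decorator_list}
        if names & ROUTE_DECORATORS and not names & AUTH_DECORATORS:
            findings.append((node.name, node.lineno))
    return findings


def review_gate(source: str) -> bool:
    """Deployment gate: True only if every route handler is authenticated."""
    return not find_unauthenticated_routes(source)


# Constructed sample in the shape of a quickly prototyped app: two handlers
# return or modify data for any caller, one checks identity first.
SAMPLE_APP = '''
@app.route("/export")
def export_all_customers():
    return jsonify(db.query("SELECT * FROM customers"))

@app.route("/me")
@login_required
def my_profile():
    return jsonify(current_user.to_dict())

@app.post("/admin/delete")
async def delete_account():
    db.execute("DELETE FROM users WHERE id = ?", (request.json["id"],))
    return "", 204
'''

if __name__ == "__main__":
    for name, line in find_unauthenticated_routes(SAMPLE_APP):
        print(f"line {line}: route handler '{name}' has no auth decorator")
    print("gate passed" if review_gate(SAMPLE_APP) else "gate FAILED")
```

Run as a CI step over every generated module, a non-empty finding list fails the build; the point is that the reviewer, not the code generator, decides which endpoints may be public, and the check forces that decision to be explicit for each one.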

The CISA Credential Exposure: When Security Teams Are the Vulnerability

One of May's more alarming incidents came from inside the house: a contractor for CISA — the US Cybersecurity and Infrastructure Security Agency — publicly exposed administrative credentials on a public GitHub repository for six months. The exposure included plaintext usernames, passwords for internal systems, and SSH keys.

This incident is worth dwelling on because CISA is specifically the agency responsible for coordinating the national response to cyber incidents. The exposure illustrates a problem that affects organizations at every level: secrets management discipline. Credentials committed to version control are one of the most common and preventable breach vectors. Tools like GitHub's secret scanning, HashiCorp Vault, and AWS Secrets Manager exist precisely to prevent this class of error. The failure here was not technical — it was process.

Ransomware-as-a-Service: Triple Extortion Is Now Standard

The Krybit group's attack on the Bangkok Metropolitan Administration and the Nitrogen group's Foxconn attack both follow what security researchers now call triple extortion: encrypt files for ransom, exfiltrate data to threaten a second leak ransom, and threaten to notify customers and regulators as a third pressure point. This model makes ransomware economically resilient — even organizations with good backups face the data leak threat independently of whether they can restore operations.

The FBI's May 2026 FLASH alert about the Silent Ransom Group (SRG) adds a dimension that most organizations have not prepared for: physical operatives. After initial phishing attempts fail, SRG has escalated to sending physical representatives to target locations — essentially a hybrid cyber-physical social engineering campaign. This is a significant threat escalation that requires organizations to think beyond purely digital security controls.

Five Practical Steps for May 2026

1. Patch the Windows zero-days immediately. YellowKey and GreenPlasma can bypass BitLocker. Any unpatched system is exposed to privilege escalation by anyone with physical or remote access.

2. Audit your Okta (and other SSO) access. The ADT vishing attack succeeded because one compromised SSO account opened many doors. Implement phishing-resistant MFA (FIDO2/passkeys) for all SSO access. SMS OTP is not sufficient.

3. Run a secrets scan across all repositories. Use GitHub Advanced Security or an equivalent tool to identify any credentials or keys committed to version control. Rotate everything found immediately, and treat any exposed credential as compromised.

4. Review AI-generated code for security controls. If your team is using Copilot, Cursor, or similar tools to write application code, add an explicit security review gate before deployment. Check for authentication, authorization, input validation, and data exposure in every AI-generated component.

5. Train employees on vishing, not just phishing. The Carnival and ADT attacks were voice-based social engineering. Your employees need to know how to verify identity over the phone and when to escalate unusual requests, regardless of how legitimate the caller sounds.
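To show what the secrets-scanning control from the CISA section and step 3 above actually looks like at the lowest level, here is an added example of a small pre-commit style scanner; it is not the article's code and not GitHub's secret-scanning engine. The pattern set is illustrative and assumed, the sample commit content is constructed (the AWS key is the placeholder value AWS uses in its own documentation), and every finding is redacted before it is reported.

```python
"""Lightweight pre-commit / repository secrets scan.

Added example for the credential-exposure discussion and step 3 of the
checklist; not the article's code.  PATTERNS and the placeholder rules are
assumptions chosen for illustration; a production scanner carries far more
signatures and verifies live credentials before alerting."""
import re
from typing import Iterable, List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    kind: str
    redacted: str  # never write the full secret into a ticket or log


# Ordered: the first pattern that matches a line decides its kind.
PATTERNS = [
    ("aws_access_key_id",
     re.compile(r"\b(?P<secret>(?:AKIA|ASIA)[0-9A-Z]{16})\b")),
    ("private_key_block",
     re.compile(r"(?P<secret>-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)")),
    ("github_token",
     re.compile(r"\b(?P<secret>gh[pousr]_[A-Za-z0-9]{36,})\b")),
    # NAME = value where NAME ends in a credential-like word and the value is a literal
    ("credential_assignment",
     re.compile(r"(?i)(?:password|passwd|pwd|secret|token|api_?key)\s*[:=]\s*['\"]?(?P<secret>[^\s'\"]{6,})")),
]

# Values that reference a vault/env variable or are obvious placeholders.
PLACEHOLDER_PREFIXES = ("${", "{{", "$(", "<")
PLACEHOLDER_WORDS = {"changeme", "example", "redacted", "placeholder"}


def is_placeholder(value: str) -> bool:
    v = value.strip().lower()
    return v.startswith(PLACEHOLDER_PREFIXES) or v.strip("<>") in PLACEHOLDER_WORDS


def redact(secret: str) -> str:
    """Keep enough of a secret to locate it, never enough to use it."""
    return secret[:4] + "*" * (len(secret) - 4) if len(secret) > 4 else "****"


def scan_lines(lines: Iterable[str]) -> List[Finding]:
    findings: List[Finding] = []
    for no, line in enumerate(lines, start=1):
        for kind, pattern in PATTERNS:
            m = pattern.search(line)
            if m and not is_placeholder(m.group("secret")):
                findings.append(Finding(no, kind, redact(m.group("secret"))))
                break
    return findings


def scan_text(text: str) -> List[Finding]:
    return scan_lines(text.splitlines())


def commit_is_clean(text: str) -> bool:
    """Gate for a pre-commit hook or CI job: any finding blocks the commit.
    Anything found must be rotated, not merely removed from history."""
    return not scan_text(text)


# Constructed sample of a committed config file; every value is fake.
SAMPLE_COMMIT = """\
# constructed sample of a committed config; every value is fake
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
db_password: "hunter2hunter2"
export API_TOKEN=${VAULT_API_TOKEN}
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZWQy
-----END OPENSSH PRIVATE KEY-----
ssh_user = deploy
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_COMMIT):
        print(f"line {f.line_no}: {f.kind} ({f.redacted})")
    print("clean" if commit_is_clean(SAMPLE_COMMIT) else "BLOCKED")
```

The placeholder check matters in practice: a scanner that flags `${VAULT_API_TOKEN}` trains developers to ignore it, while one that stays quiet on vault references and loud on literals reinforces the habit the article is asking for. Scanning the whole history, not just the current tree, is what catches a key that sat in a public repository for months before someone removed it.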
