According to recent reporting by The Register, the ShinyHunters group has been linked to a new breach involving CarGurus. The details are consistent with a pattern that security teams have been tracking for over a year. No exploit. No malware. No zero-day. The attacker authenticated.
That distinction matters. It defines the entire problem — and the only category of solution that resolves it.
The Attack Surface Is Identity
Credential-based intrusion is not an emerging trend. It is the established method. Attackers use stolen credentials, social engineering, real-time phishing, and session hijacking because those techniques work reliably against legacy authentication.
Groups like ShinyHunters do not require zero-day vulnerabilities. They exploit authentication. The fastest path into an enterprise today is a convincing login — not a technical breach.
Legacy MFA does not change that calculus.
SMS codes can be intercepted. Push notifications are subject to fatigue attacks. Authenticator app codes can be relayed in real time. The attack surface is not the perimeter. It is identity.
Why This Attack Works
Modern phishing infrastructure has become fully automated. With generative AI, attackers produce pixel-accurate login replicas in seconds. The victim submits credentials. The attacker relays the session to the legitimate site. The site requests MFA. The victim approves. Access is granted.
The human approval step is the vulnerability. As long as an authentication system requires a person to judge whether a prompt is legitimate, it can be defeated by an attacker who controls what that person sees.
This technique scales because the underlying architecture permits it.
What Cryptographic Identity Assurance Does Differently
Token’s Biometric Assured Identity platform eliminates the conditions this attack depends on.
Every credential is cryptographically bound to the specific domain it was registered with. When a ShinyHunters phishing page requests authentication, the Token device does not respond. The origin does not match. The signature is never created. There is no code to relay, no push notification to approve, and no shared secret to steal.
Authentication additionally requires a live biometric match stored in secure hardware and physical proximity to the device being accessed. The authorized individual must be present — not just their credentials.
An attacker holding valid credentials gains nothing. An attacker who has induced a user to click a malicious link gains nothing. An attacker who has compromised a cloud account gains nothing.
That is what phishing-resistant architecture looks like in practice.
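The relay flow described under "Why This Attack Works" and the origin binding described in this section can be modelled in a few dozen lines. The following Python is an added illustration, not Token's code and not a description of its product internals; it models a WebAuthn/FIDO2-style authenticator, a browser that enforces the relying-party ID against the page origin, and a server that checks the signed origin and challenge. The HMAC "signature", the origins (login.example.com and the look-alike login.example-secure.com) and the class names are all constructed for the example. It runs the legitimate login and three relay attempts and reports why each relay attempt fails at a different layer: the browser refuses to sign for the real site's ID from a different origin, the device has no credential for the look-alike's own ID, and a signature that was produced for the look-alike origin is rejected by the real site.

```python
"""Origin-bound authentication versus relay phishing (added model, not vendor code)."""
import hashlib
import hmac
import json
import secrets


class Authenticator:
    """Holds one secret per relying-party ID, created at registration.
    HMAC stands in for the per-credential asymmetric signature a real device uses."""

    def __init__(self):
        self._creds = {}  # rp_id -> key

    def register(self, rp_id: str) -> bytes:
        key = secrets.token_bytes(32)
        self._creds[rp_id] = key
        return key  # stand-in for the public key handed to the site

    def sign(self, rp_id: str, client_data_hash: bytes):
        key = self._creds.get(rp_id)
        if key is None:
            return None  # no credential for this rp_id: the device stays silent
        return hmac.new(key, client_data_hash, hashlib.sha256).digest()


class Browser:
    """Builds clientData and enforces that rp_id matches the page's origin host."""

    def __init__(self, authenticator: Authenticator):
        self.auth = authenticator

    def get_assertion(self, page_origin: str, rp_id: str, challenge: bytes):
        host = page_origin.split("://", 1)[1]
        if not (host == rp_id or host.endswith("." + rp_id)):
            raise ValueError(f"{rp_id} is not a valid rp_id for {page_origin}")
        # The origin is part of the signed data, so a relayed signature carries it.
        client_data = json.dumps(
            {"challenge": challenge.hex(), "origin": page_origin}, sort_keys=True
        ).encode()
        sig = self.auth.sign(rp_id, hashlib.sha256(client_data).digest())
        if sig is None:
            return None
        return client_data, sig


class RelyingParty:
    """The real site: issues one-time challenges and verifies origin, challenge, signature."""

    def __init__(self, origin: str, rp_id: str):
        self.origin, self.rp_id = origin, rp_id
        self.key = None
        self.pending = set()

    def enroll(self, authenticator: Authenticator):
        self.key = authenticator.register(self.rp_id)

    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(32)
        self.pending.add(c)
        return c

    def verify(self, assertion) -> bool:
        if assertion is None:
            return False
        client_data, sig = assertion
        data = json.loads(client_data)
        if data["origin"] != self.origin:
            return False  # signed for some other site, e.g. a look-alike domain
        challenge = bytes.fromhex(data["challenge"])
        if challenge not in self.pending:
            return False  # unknown or already-used challenge
        self.pending.discard(challenge)
        expected = hmac.new(self.key, hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        return hmac.compare_digest(expected, sig)


def run_scenarios() -> dict:
    rp = RelyingParty("https://login.example.com", "example.com")  # constructed origin
    device = Authenticator()
    rp.enroll(device)
    browser = Browser(device)
    results = {}

    # 1. Real login page: origin and rp_id agree, signature verifies.
    results["legit"] = rp.verify(browser.get_assertion(rp.origin, rp.rp_id, rp.new_challenge()))

    # 2. Relay: a look-alike page fetches a real challenge and forwards it to the victim.
    phish_origin = "https://login.example-secure.com"  # constructed look-alike
    relayed = rp.new_challenge()
    try:
        browser.get_assertion(phish_origin, rp.rp_id, relayed)
        results["phish_claims_real_rpid"] = "assertion produced"
    except ValueError:
        results["phish_claims_real_rpid"] = "browser refused"

    # 3. Same page asking under its own rp_id: no credential exists, device is silent.
    results["phish_own_rpid_silent"] = browser.get_assertion(phish_origin, "example-secure.com", relayed) is None

    # 4. Even if the user had enrolled with the look-alike, its signature names the wrong origin.
    device.register("example-secure.com")
    forwarded = browser.get_assertion(phish_origin, "example-secure.com", relayed)
    results["forwarded_assertion_accepted"] = rp.verify(forwarded)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point the model makes is that there is nothing for the victim to judge: the browser, the device and the site each check the origin mechanically, and the challenge is consumed on first use so a captured assertion cannot be replayed. Contrast this with an OTP, which verifies identically whether the user typed it into the real page or a relay.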
ShinyHunters Is Not the Anomaly
ShinyHunters is one group executing one variant of a universal attack pattern. As long as enterprises rely on passwords, SMS codes, push-based MFA, or app-generated OTPs, this cycle continues. Detection improves. Response accelerates. But attackers authenticate.
The durable resolution requires removing the human approval step entirely and binding authentication to biometric identity, hardware, physical proximity, and domain-level cryptography.
If an authentication method can be phished, it will be phished. If it can be relayed, it will be relayed. If it places the judgment burden on the user, it will eventually fail.
ShinyHunters did not break in. They logged in. Token Assured Identity closes that door. Not with more factors. With absolute certainty.