Weekly Brief 21–28 May 2026 ● Approved

TL;DR: ShinyHunters bookended the period: confirming the theft of roughly six million Carnival passengers' records, and still widening the ANZ victim list of the Canvas/Instructure breach. Neither relied on an exploit — both turned a person and a SaaS trust boundary into the way in. Days earlier, the Verizon 2026 DBIR put hard numbers behind the mood: vulnerability exploitation is now the No. 1 initial-access vector (31%), overtaking credential abuse (13%) for the first time in nineteen years — yet credentials still appear in 39% of breaches once you trace the full attack path. The takeaway for defenders isn't “patch faster” or “fix identity.” It's both, in order: exploitation gets attackers through the door; standing credentials and tokens decide the blast radius.

Who got owned?

ShinyHunters bookended the period; Qilin and DragonForce took the ANZ mid-market

Carnival — roughly six million passengers. Names, addresses, dates of birth, phone numbers, driver's licence and passport numbers, claimed by ShinyHunters. Flow: vishing (IT impersonation) → employee SSO credentials + MFA → limited IT-environment access → exfiltration. The intrusion dates to 14 April; the six-million notification landed 27–28 May, a Maine AG filing putting the figure at 5,995,277.

Canvas / Instructure — roughly 275 million students, teachers and staff across 8,809 institutions; 3.65 TB of names, emails, student IDs and private messages, by the same crew. Cause (as reported): the Free-For-Teacher program allowed account creation with no institutional verification → eroded tenant isolation in a logically-isolated multi-tenant SaaS → stored XSS / privilege escalation → service-token exposure → bulk extraction. The breach broke in early May; the in-window story is the ANZ radius still widening through late May — Melbourne, Sydney, UTS, RMIT, Griffith, Adelaide, Newcastle, Flinders, Canberra and QUT; Auckland, AUT and Victoria (NZ); Queensland's QLearn; the NSW, WA and Victorian education departments; and TasTAFE.

Kennedy McLaughlin — a Brisbane accounting firm. Client financial and banking records published by the Qilin RaaS affiliate; ACSC and OAIC notified. Mechanics unknown — the Qilin affiliate pattern is stolen or purchased credentials, or a FortiGate SSL-VPN foothold → RDP lateral movement → double extortion.

QLS Group — an Australian appliance distributor holding a large share of the AU TV market by volume. ~554 GB claimed by DragonForce — contracts, confidential documentation, an internal incident report. Mechanics unknown — the DragonForce affiliate pattern is SSO-mimicking phishing → credential harvest, or an RDP/VPN / RMM flaw → exfiltration and encryption.

The through-line: not one used an exploit to get in. A phished employee, an unverified-account loophole and reused credentials did the work — which is exactly why the threat-intel picture below matters.

More threads this week

No patch window, only prioritisation. Verizon's DBIR 2026 makes it official — vulnerability exploitation has overtaken credential theft as the No. 1 initial-access vector — and the fortnight's CVE flow proves it. Actively exploited: Microsoft Defender zero-days, a SharePoint Server RCE, a Drupal core SQL injection (CISA KEV), a Trend Micro Apex One zero-day, a max-severity Cisco Secure Workload flaw, the LiteSpeed cPanel plugin, a Palo Alto PAN-OS / Prisma auth bypass (CVE-2026-0257), Ivanti EPMM (CVE-2026-6973, plus automated 1281/1340), Fortinet FortiClient EMS (CVE-2026-35616, with an infostealer disguised as a Fortinet update) and on-prem Exchange (CVE-2026-42897). The client side wasn't spared — a zero-click Chrome WebRTC use-after-free (CVE-2026-9111). Every one is deployed at scale across ANZ government, health and higher ed: no clean maintenance window, only a ranked list.
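A ranked list is only useful if the ranking encodes what the DBIR numbers say: evidence of exploitation outranks a raw CVSS score, and exposure and reach scale the urgency. The scorer below is an added example written for this brief, not a tool from the DBIR, CISA or any vendor named above; the weights, the remediation tiers and the four inventory entries (with placeholder CVE identifiers) are constructed for illustration, and a real run would be fed from an asset inventory and the CISA KEV catalogue.

```python
"""Rank a patch backlog when there is no clean maintenance window.

Added example: weights, tiers and the sample inventory are constructed
assumptions, not values from any published prioritisation scheme.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                 # identifier (placeholders below, not real CVEs)
    product: str
    cvss: float              # base score, 0-10
    in_kev: bool             # listed in CISA Known Exploited Vulnerabilities
    exploited_in_wild: bool  # vendor or press confirms active exploitation
    internet_facing: bool    # reachable from outside the estate
    hosts: int               # affected hosts in the estate
    crown_jewel: bool        # fronts identity or regulated data


def priority(f: Finding) -> float:
    """Higher is more urgent. Exploitation evidence dominates, exposure and
    reach scale it, and CVSS only breaks ties between otherwise equal items."""
    score = 0.0
    if f.in_kev:
        score += 50
    if f.exploited_in_wild:
        score += 30
    if f.internet_facing:
        score += 15
    if f.crown_jewel:
        score += 10
    score += min(f.hosts, 1000) / 100   # up to +10 for reach across the fleet
    score += f.cvss                      # 0-10 tie-breaker
    return score


def tier(f: Finding) -> str:
    """Map a finding to a remediation SLA bucket (assumed tier names)."""
    if f.in_kev or f.exploited_in_wild:
        return "emergency" if (f.internet_facing or f.crown_jewel) else "this week"
    return "next cycle"


def rank(findings):
    """Return the backlog ordered most-urgent first."""
    return sorted(findings, key=priority, reverse=True)


# Constructed inventory: note the highest CVSS entry is deliberately internal
# and unexploited, so the ranking pushes it to the bottom.
SAMPLE = [
    Finding("CVE-0000-0001", "edge VPN appliance", 9.8, True, True, True, 4, True),
    Finding("CVE-0000-0002", "web CMS", 7.5, True, False, True, 12, False),
    Finding("CVE-0000-0003", "desktop browser", 8.8, False, True, False, 900, False),
    Finding("CVE-0000-0004", "internal file server", 9.9, False, False, False, 3, False),
]

if __name__ == "__main__":
    for f in rank(SAMPLE):
        print(f"{f.cve:14} {priority(f):7.2f}  {tier(f):10}  {f.product}")
```

The point the output makes is the brief's own: the 9.9-CVSS internal server lands last because nothing is exploiting it and nothing exposes it, while the 7.5 CMS in KEV on the internet edge is an emergency.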

Identity stays the cheapest way in. ASD's device-code phishing advisory anchors a cluster — the FBI's Kali365 PhaaS warning, AUSCERT's PhaaS roundtable, MFA prompt-bombing analysis, and the SonicWall MFA bypass. Vendors are now retiring SMS at both ends of the privilege spectrum: Microsoft for personal accounts, and Zscaler for administrator MFA in ZIdentity (per Zscaler's own roadmap). Carnival and Canvas both started here.
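Two of the patterns in that cluster, device-code phishing and MFA prompt-bombing, are visible in sign-in telemetry before any data leaves. The detector below is an added example written for this brief, not a rule from ASD, the FBI or any vendor named above. The event format (JSON lines with `user`, `grant`, `ip`, `mfa_result`), the corporate egress range, the device-code allowlist and the thresholds are all constructed assumptions; the sample events are fabricated for the demonstration.

```python
"""Flag device-code sign-ins and MFA prompt floods in sign-in logs.

Added example. Field names, network ranges, thresholds and the sample
events are constructed assumptions, not a real product's log schema.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

CORP_EGRESS = [ipaddress.ip_network("198.51.100.0/24")]   # assumed corporate NAT range
DEVICE_CODE_ALLOWLIST = {"kiosk-01@example.edu"}          # headless devices that may use the flow
PROMPT_THRESHOLD = 5                                      # prompts per window before alerting
PROMPT_WINDOW = timedelta(minutes=10)

# Constructed sample: one device-code sign-in from an unknown network by a
# non-allowlisted user, one legitimate kiosk, and one user hammered with
# five MFA denials and then an approval.
SAMPLE_EVENTS = """
{"ts":"2026-05-22T01:02:03Z","user":"a.user@example.edu","grant":"device_code","ip":"203.0.113.7","mfa_result":"success"}
{"ts":"2026-05-22T01:05:00Z","user":"kiosk-01@example.edu","grant":"device_code","ip":"198.51.100.20","mfa_result":"success"}
{"ts":"2026-05-22T02:00:00Z","user":"b.user@example.edu","grant":"auth_code","ip":"198.51.100.21","mfa_result":"success"}
{"ts":"2026-05-22T03:00:00Z","user":"c.user@example.edu","grant":"auth_code","ip":"203.0.113.9","mfa_result":"denied"}
{"ts":"2026-05-22T03:01:00Z","user":"c.user@example.edu","grant":"auth_code","ip":"203.0.113.9","mfa_result":"denied"}
{"ts":"2026-05-22T03:02:00Z","user":"c.user@example.edu","grant":"auth_code","ip":"203.0.113.9","mfa_result":"denied"}
{"ts":"2026-05-22T03:03:00Z","user":"c.user@example.edu","grant":"auth_code","ip":"203.0.113.9","mfa_result":"denied"}
{"ts":"2026-05-22T03:04:00Z","user":"c.user@example.edu","grant":"auth_code","ip":"203.0.113.9","mfa_result":"denied"}
{"ts":"2026-05-22T03:05:00Z","user":"c.user@example.edu","grant":"auth_code","ip":"203.0.113.9","mfa_result":"success"}
"""


def parse_events(text):
    """Parse JSON-lines events and sort them by timestamp."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def is_corporate(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_EGRESS)


def device_code_alerts(events):
    """Device-code grants are rare for humans: alert unless the account is
    allowlisted for the flow AND the completion came from corporate egress."""
    alerts = []
    for e in events:
        if e.get("grant") != "device_code":
            continue
        if e["user"] not in DEVICE_CODE_ALLOWLIST or not is_corporate(e["ip"]):
            alerts.append({"user": e["user"], "ip": e["ip"], "ts": e["ts"]})
    return alerts


def prompt_bombing_alerts(events):
    """Sliding window over delivered MFA prompts per user; a burst of
    PROMPT_THRESHOLD or more within PROMPT_WINDOW is the fatigue pattern,
    and a trailing approval means the user eventually gave in."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("mfa_result") in ("denied", "success"):   # a prompt was shown
            by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        start, worst = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > PROMPT_WINDOW:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= PROMPT_THRESHOLD:
            approved = evs[-1]["mfa_result"] == "success"
            alerts.append({"user": user, "prompts": worst, "approved": approved})
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for a in device_code_alerts(evs):
        print("device-code sign-in:", a)
    for a in prompt_bombing_alerts(evs):
        print("prompt flood:", a)
```

The allowlist is the control that makes the first rule tolerable in practice: if device-code authorisation is not disabled outright for users, the accounts that legitimately need it (kiosks, headless agents) are the enumerable exception, and every other completion is worth a ticket.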

The software supply chain stays hostile. TrapDoor across npm, PyPI and crates.io; trojanised Laravel-Lang packages; Megalodon poisoning 5,561 GitHub repositories with malicious CI/CD; a mini Shai-Hulud wiper in a Microsoft Azure PyPI package; Grafana breached via an unrotated TanStack token; npm's belated 2FA-gated publishing; the GitHub/TeamPCP repo theft; and, this weekend, an unpatched critical Gogs zero-day flagged by Rapid7.

State-aligned espionage broadens. Salt Typhoon extends to Linux and Windows variants against telcos; Lazarus deploys a memory-only RAT at financial and crypto firms; Webworm uses MS Graph and Discord for command-and-control; Iran's potential internet reconnection would restore APT tempo. ESET's APT Activity Report frames the field: Sednit against Ukrainian drone-makers, Sandworm's winter wipers, Tonto Team pivoting onto Russia.

Provenance: much of this brief post-dates the 27 May digest generation and was gathered via web search this weekend — verify dates and CVE attributions against primary sources before publishing. Breach mechanics for Kennedy McLaughlin and QLS are attributed-pattern, not confirmed for those victims; the Zscaler SMS-retirement line is per Zscaler's own roadmap, not a public citation.