In February 2026, the cybercriminal extortion group ShinyHunters simultaneously targeted Mercer Advisors, Pathstone Family Office, and Beacon Pointe Advisors. Combined, these three firms manage over $320 billion in assets for thousands of high-net-worth clients. The breach at Mercer alone exposed ~5.7 million records.
This is an active campaign targeting the family office community.

Q1 2026 Breaches
On or around February 16, 2026, ShinyHunters breached Mercer Advisors, a registered investment adviser managing ~$96 billion in client assets. The group extracted ~5.7 million individual records, including client names, full or partial Social Security numbers, and emergency contact details, then issued a 48-hour ransom demand. When Mercer declined to pay, ShinyHunters published the data on the dark web. Two federal class-action lawsuits followed within two weeks.
In the same campaign, ShinyHunters targeted Pathstone Family Office, which manages approximately $170 billion in assets across more than 750 families. The group claimed to have exfiltrated 641,000 records, including legal paperwork, estate planning documents, financial structures, and client contracts. The group gave Pathstone until March 2 to respond. Pathstone did not confirm the breach publicly.
Beacon Pointe Advisors, managing approximately $60 billion, was also targeted in the same period. The firm confirmed the breach affected less than 0.5% of its clients and stated that its security systems contained the scope of the incident.
The February and March 2026 campaign extended well beyond these three firms. Edelman Financial Engines, Hightower Advisors, CW Advisors, EP Wealth, Cetera, and Ameriprise Financial were all targeted in the same wave. In the Ameriprise breach, ShinyHunters claimed 200GB of data including Salesforce PII records and internal SharePoint files.
How Their Attacks Work

An employee receives a call from someone claiming to be from IT. The caller explains that the company is updating MFA settings and asks for the employee’s help. They direct the employee to a page that appears to be the company’s own login portal, often at a convincing domain such as companyname-sso.com, where the employee enters their SSO credentials and live MFA code. The attacker uses both in real time, authenticates into the environment, registers their own device for persistent MFA access, and then works through the connected SaaS stack.
The Mercer class-action lawsuits specifically allege that the firm lacked multi-factor authentication on systems containing millions of sensitive client records. Whether or not MFA was the entry point in that specific case, its absence on systems of this sensitivity is the kind of control gap ShinyHunters is built to exploit. According to Google’s Threat Intelligence Group, these intrusions rely entirely on social engineering to bypass identity controls and pivot into cloud-based SaaS environments. From initial access to complete data exfiltration, the process can take less than one hour.
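The attack chain above leaves two observable traces a defender can look for: a login portal on a lookalike domain that reuses the firm's name, and an MFA device registration that follows shortly after a login from a source the user has never used before. The script below is an added example written for this briefing, not code from the original page or from any of the firms named; the log events, the allowlisted portal domain (sso.example-family.com), and the organization token are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sign-in / MFA audit events for the example (not real log data).
# Each event: ISO 8601 timestamp, user, event type, source IP.
SAMPLE_EVENTS = [
    {"ts": "2026-02-16T09:00:00", "user": "alice", "type": "login", "ip": "203.0.113.10"},
    {"ts": "2026-02-16T09:05:00", "user": "bob", "type": "login", "ip": "203.0.113.11"},
    {"ts": "2026-02-16T14:02:00", "user": "alice", "type": "login", "ip": "198.51.100.7"},
    {"ts": "2026-02-16T14:05:00", "user": "alice", "type": "mfa_device_registered", "ip": "198.51.100.7"},
    {"ts": "2026-02-16T15:30:00", "user": "bob", "type": "login", "ip": "203.0.113.11"},
    {"ts": "2026-02-16T15:40:00", "user": "bob", "type": "mfa_device_registered", "ip": "203.0.113.11"},
]

# Assumed allowlist of the firm's real SSO portals and the name fragment an impostor
# domain such as "companyname-sso.com" would reuse.
LEGIT_SSO_DOMAINS = ["sso.example-family.com", "login.microsoftonline.com"]
ORG_TOKENS = ["example-family"]


def is_lookalike_sso_domain(domain, legit_domains=LEGIT_SSO_DOMAINS, org_tokens=ORG_TOKENS):
    """True if the domain reuses the firm's name but is neither a real portal nor a subdomain of one."""
    d = domain.lower().rstrip(".")
    for legit in legit_domains:
        if d == legit or d.endswith("." + legit):
            return False
    return any(tok in d for tok in org_tokens)


def detect_mfa_enrollment_after_new_login(events, window=timedelta(minutes=30)):
    """Flag an MFA device registration that follows, within `window`, a login from an IP
    the user had never used before in the supplied history.

    In production, seed `seen_ips` from a baseline period so that a user's first login in
    the window being analysed is not treated as coming from a new source."""
    events = sorted(events, key=lambda e: e["ts"])
    seen_ips = {}          # user -> set of source IPs seen so far
    recent_new_login = {}  # user -> time of the latest login from a never-before-seen IP
    alerts = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        user, ip = e["user"], e["ip"]
        if e["type"] == "login":
            if ip not in seen_ips.setdefault(user, set()):
                recent_new_login[user] = ts
            seen_ips[user].add(ip)
        elif e["type"] == "mfa_device_registered":
            new_login = recent_new_login.get(user)
            if new_login is not None and ts - new_login <= window:
                alerts.append({
                    "user": user,
                    "ip": ip,
                    "login_at": new_login.isoformat(),
                    "registered_at": e["ts"],
                })
    return alerts


if __name__ == "__main__":
    for candidate in ["example-family-sso.com", "sso.example-family.com"]:
        print(candidate, "-> lookalike" if is_lookalike_sso_domain(candidate) else "-> trusted")
    for alert in detect_mfa_enrollment_after_new_login(SAMPLE_EVENTS):
        print("ALERT: MFA device registered shortly after new-source login:", alert)
```

Run against the constructed events, only alice's 14:05 registration is flagged: it follows a login from an IP she had not used before by three minutes, which is the pattern of an attacker relaying a phished code and then enrolling their own device. Bob's registration also follows a login, but from a known address and hours later, so it is left alone. A real deployment would feed identity-provider audit logs into the same two functions.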
Targeting the Tools You Use

In the Ameriprise breach, ShinyHunters specifically targeted Salesforce PII records and internal SharePoint data, two platforms in standard use across family offices and operating companies. Once inside a compromised SSO account, the group pivots across the connected software stack: Google Workspace, Microsoft 365, Slack, Atlassian, Snowflake, Dropbox, and Docusign are all confirmed targets in 2025 and 2026 campaigns.
The supply chain exposure adds another layer. In August 2025, ShinyHunters compromised OAuth tokens within the Drift chatbot integration inside Salesloft, gaining access to 760 downstream Salesforce customer environments through a single vendor relationship. A family office using any of the affected platforms, or sharing a vendor with a firm that does, carries indirect exposure even without being a direct target.

Seven Defenses that Work Right Now
Treat any unsolicited MFA change request as suspicious. An incoming call from someone claiming to be IT who needs to update MFA settings is the ShinyHunters entry point. The Mercer lawsuits specifically allege the absence of MFA as a contributing factor. Require visual identity verification on a channel your staff initiates before any account change proceeds.
Move principals and key staff to phishing-resistant MFA. SMS codes and authenticator app codes can be intercepted in real time during a vishing call. Hardware security keys (FIDO2/YubiKey) cannot. For anyone with access to financial systems or client data, this is the standard the Mercer litigation will establish as the baseline expectation.
Audit connected applications. Disable OAuth auto-consent and require administrator approval for third-party app registrations. Remove integrations no longer in active use. The Drift/Salesloft breach reached 760 organizations through a single integration that was easy to overlook.
Review your Salesforce configuration. Salesforce PII records were specifically targeted in the Ameriprise breach. ShinyHunters has run a systematic campaign against Salesforce Experience Cloud guest user permissions. If your office or operating company uses Salesforce, a configuration review against Salesforce’s published hardening guidance is a practical near-term step.
Understand your third-party exposure. Ask each vendor with access to your systems what data of yours would be at risk if their environment were compromised. Map those dependencies and prioritize the ones with access to financial, estate, or family data.
Train staff on vishing, not just phishing emails. The specific scenario to train for: a caller claims to be IT, says MFA needs updating, and sends a link. Staff should know that the correct response is to end the call and reach IT on a number they already have, not the one provided in the call.
Establish a clear protocol: no credential or account changes by phone. Apply the same principle used for wire transfer verification to IT access requests. Any request involving credentials, MFA, or account access should have a pre-agreed verification path on a channel the employee initiates.
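The "audit connected applications" defense above is a recurring review, not a one-time cleanup. The script below is an added example, not code from the original briefing or from any vendor: it takes an inventory of connected apps exported from an identity or SaaS admin console (the inventory, app names and scope names here are constructed) and reports grants that have gone unused past a stale threshold or that hold broad data-access scopes without administrator approval.

```python
from datetime import datetime, timedelta

# Constructed inventory of connected applications / OAuth grants (sample data, not a real tenant).
SAMPLE_GRANTS = [
    {"app": "Calendar Sync", "scopes": ["calendar.read"],
     "last_used": "2026-02-10", "admin_approved": True},
    {"app": "Chat Connector", "scopes": ["crm.full_access", "files.read"],
     "last_used": "2025-09-01", "admin_approved": True},
    {"app": "Legacy Reporting", "scopes": ["crm.full_access"],
     "last_used": "2026-02-12", "admin_approved": False},
]

# Assumed: scope names that grant broad access to client or financial data in this tenant.
SENSITIVE_SCOPES = {"crm.full_access", "files.write", "mail.read"}


def audit_grants(grants, as_of, stale_days=90, sensitive=SENSITIVE_SCOPES):
    """Return one finding per grant that is stale or holds sensitive scopes without approval."""
    cutoff = as_of - timedelta(days=stale_days)
    findings = []
    for g in grants:
        reasons = []
        last_used = datetime.fromisoformat(g["last_used"])
        if last_used < cutoff:
            reasons.append(f"unused for more than {stale_days} days (last used {g['last_used']})")
        risky = sorted(set(g["scopes"]) & sensitive)
        if risky and not g["admin_approved"]:
            reasons.append("sensitive scopes granted without administrator approval: " + ", ".join(risky))
        if reasons:
            findings.append({"app": g["app"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS, as_of=datetime(2026, 3, 1)):
        print(finding["app"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

On the constructed inventory as of March 1, 2026, the chat connector is reported because it has not been used in six months despite holding full CRM access, and the reporting tool is reported because a user granted it full CRM access without administrator approval; the calendar integration passes. Both findings map to the defense above: the first is a candidate for removal, the second for revocation until an administrator reviews it.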
In our next Intelligence Briefing, we’re discussing the intersection of AI and cybersecurity and introducing our 2026 Family Office AI Survey. Stay tuned.
Our TCF Insights Series, a 3-part discussion of our 2025 Family Office Cybersecurity survey report and findings, continues June 3rd. If you missed Part 1, you can watch it here.
Part 2, “The Cyber Thread: Operationalizing Cybersecurity Practices”, will be June 3, 2026, 10:00 PT / 13:00 ET with our guest Tom Aldrich, Chief Operating Officer at 360 Privacy.
Part 3, “The Cybersecurity Lens: Financial Controls”, will be June 17, 2026, 10:00 PT / 13:00 ET with our guest Robert Charles, Chief Finance and Compliance Officer at the Digital Harbor Foundation. Register below!
Start a conversation with us about where your family office stands.
TCF Confidence Checks: Talk to us about where your family office is with your cybersecurity program.
