Abbott confirms Exact Sciences hit; LabCentral disputed
ShinyHunters used vishing to hit legacy Exact Sciences systems in Abbott's Cancer Diagnostics business; a separate LabCentral extortion claim by ShadowByt3$ is disputed.
Confirmed: Abbott Laboratories has disclosed unauthorized access to legacy Exact Sciences systems inside its Cancer Diagnostics business, and is separately investigating a claim of a LabCentral customer-portal breach in its Core Laboratory unit. Two incidents, two different extortion posts, one week. Confidence on the Cancer Diagnostics intrusion: confirmed by Abbott. Confidence on the LabCentral claim: disputed by Abbott, unresolved.
The confirmed one — Exact Sciences via vishing
Per Abbott’s statement to BleepingComputer, the intrusion touched internal legacy Exact Sciences systems in the Cancer Diagnostics business. Abbott says it “does not impact any business operations, product or product availability” and that no material financial impact is expected. Confidence on that framing: as-stated by Abbott.
The extortion side: the data-theft group ShinyHunters claims responsibility. Mechanics as posted on the crew’s leak channel and summarized by BleepingComputer:
- Vishing — employees called and social-engineered into surrendering credentials or approving MFA prompts.
- Access path — the compromised credentials/prompts were used against Microsoft Entra SSO, landing session tokens with reach into internal SaaS.
- Reach after landing — the crew names Microsoft Entra, ServiceNow, SharePoint, Databricks, and Coupa as staging points from which data was pulled.
- Timeline — the operator claims mid-June access; the extortion post surfaced this week with an initial July 18 deadline, since extended to July 21.
Volumes claimed by ShinyHunters — treat as the operator’s numbers, not Abbott’s:
- 30M+ customer PII rows (names, emails, phone, addresses, DOBs), including 1M+ Social Security numbers.
- 22M+ doctor-patient conversation notes.
- 20M+ medical orders.
- Internal documents, contracts, and customer records exfiltrated from the SaaS estate above.
Confidence on the volume: operator’s claim, unconfirmed. Abbott has not counted the exposure publicly. The pattern — vishing → Entra SSO → downstream SaaS — is the same one we covered on Microsoft’s ShinyHunters / Salesforce OAuth writeup last week, on the Pink-O / UNC-066 Entra passkey-vishing chain earlier this month, and on the Odido / Dutch-speaker ShinyHunters vishing arrests reported by the Politie on July 10. Same crew, same access technique, different victim.
The disputed one — LabCentral
A separate operator using the handle ShadowByt3$ posted a claim against LabCentral, the customer portal used by Abbott’s Core Laboratory business. Method as claimed:
- Compromised customer credentials — not employee credentials.
- Portal API endpoints — abused with the customer-tier session rather than internal SSO.
- Alleged exfiltration — manufacturing certificates, product manuals, technical specifications, regulatory documents, product-requirement archives, and assay files.
Abbott’s response: acknowledged as a potential incident, but publicly disputed the characterization, stating the LabCentral portal contains “publicly available technical product reference documents.” Confidence: disputed — Abbott says the material was already public; the extortion post says otherwise. Neither position has been independently corroborated at time of writing.
Notably, this is a second, unrelated actor posting against a second Abbott property in the same week — not a rebrand, not the same operator claiming two properties. Two independent brands filing extortion claims against the same target inside a seven-day window is worth flagging on its own, whether or not either side of the second claim survives scrutiny.
What Abbott has said
- Both incidents: incident response activated, external cybersecurity experts engaged, law enforcement notified.
- Exact Sciences intrusion: confirmed; no impact on operations, product, or availability; no material financial impact expected.
- LabCentral claim: acknowledged as under investigation; characterization disputed on the grounds that the affected portal houses publicly available reference documents.
- SEC 8-K: not filed as of this writing. Confidence: unfiled, not “will not file” — that reads as ongoing rather than declined.
What is not confirmed
- Total records exposed. ShinyHunters’ 30M+ / 22M+ / 20M+ figures are the operator’s numbers. Abbott has not counted, and neither NVD, CISA, nor any independent researcher has validated the file counts. Unconfirmed.
- Whether SSN and PHI exposure will trigger HIPAA-covered notifications. Not stated by Abbott; volume claim implies scale but Abbott has not confirmed protected health information is in scope. Unstated.
- Whether the two extortion posts are coordinated. The handles are different (ShinyHunters and ShadowByt3$), the methods are different (employee vishing → Entra vs. customer credentials → portal API), and Abbott treats them as separate investigations. Nothing in the current record links them. Independent, per the current evidence.
- The extended deadline. ShinyHunters moved the extortion clock from July 18 to July 21. Whether that is a real negotiation window or just leak-post cadence: operator’s claim, treat accordingly.
What survives the noise
Two things worth carrying forward:
- The vishing-to-Entra chain is now the default access path for this crew. Fourth confirmed victim in three weeks. If your Entra tenant permits voice-approved MFA push, the passkey-default rollout coming to Entra in September is not “eventually” — it is the mitigation for the technique currently emptying enterprise SaaS estates. Bring it forward where you can.
- Customer-facing portals with API endpoints are their own attack surface, separate from the corporate SSO story. The LabCentral claim, however it resolves, is a reminder that portal-tier credentials get compromised and reused in ways that never touch Entra or any internal identity system. Session-lifetime, rate-limits, and per-account exfiltration alerting on portal APIs are worth an audit if you have not looked in a while.
Sources
- Abbott statement, via BleepingComputer: Abbott Laboratories probes two cyber incidents amid extortion claims — July 17, 2026.
Confidence, consolidated: Cancer Diagnostics / Exact Sciences intrusion — confirmed by Abbott. LabCentral claim — disputed by Abbott, unresolved. ShinyHunters volume figures — operator’s claim, not independently verified. Treat accordingly.
Found this useful? Share it.


