Abbott Laboratories Investigates Two Separate Cybersecurity Incidents, Including Alleged Data Theft by Extortion Gang

Abbott Laboratories is currently investigating two distinct cybersecurity incidents that have raised significant concerns within the healthcare technology sector. The first incident involves unauthorized access to internal legacy systems within its Cancer Diagnostics business, specifically those acquired through Exact Sciences. This breach was brought to light after the notorious ShinyHunters extortion gang added Abbott to its data leak site, initially threatening to release allegedly stolen data by July 18, a deadline later extended to July 21. Concurrently, Abbott is also scrutinizing a separate claim by a threat actor known as ShadowByt3$ that they compromised its LabCentral customer portal and exfiltrated company data.
The ShinyHunters Threat and Abbott’s Response
The engagement with the ShinyHunters extortion gang marks a concerning development for Abbott. The gang’s modus operandi typically involves gaining access to corporate systems, exfiltrating sensitive data, and then demanding a ransom for its non-disclosure or return. In this instance, ShinyHunters has publicly claimed responsibility for compromising internal systems within Abbott’s Cancer Diagnostics division.
Abbott, upon being contacted by BleepingComputer regarding the alleged ShinyHunters incident, directed inquiries to an official statement published on its corporate website. In this statement, the company confirmed the cybersecurity event, stating, "Abbott is investigating a cyber incident in which there was unauthorized access to a limited number of internal systems in our Cancer Diagnostics business only."
Crucially, Abbott has sought to reassure stakeholders by emphasizing the limited scope and impact of this particular breach. The company explicitly stated that the incident "does not impact any business operations, product or product availability, manufacturing or lab operations, or our ability to serve patients." Furthermore, Abbott clarified that the affected legacy Exact Sciences systems are distinct and separate from its broader Abbott infrastructure, assuring that no other Abbott businesses or systems have been compromised.
Following the discovery of the incident, Abbott reported that it promptly activated its established incident response protocols. This proactive measure included engaging external cybersecurity experts to assist in the investigation and analysis, as well as notifying relevant law enforcement agencies. The company has also indicated that it does not anticipate a material impact on its overall business or financial performance as a result of this security event.

Modus Operandi of ShinyHunters and Broader Implications
ShinyHunters has claimed to BleepingComputer that its initial access to Abbott’s systems was facilitated through a vishing (voice phishing) attack targeting several Abbott employees in mid-June. According to the threat actor, this attack successfully compromised a Microsoft Entra single sign-on (SSO) account, which then served as a gateway to internal corporate systems.
This alleged method of entry aligns with ShinyHunters’ known tactics. The group has been actively engaged in social engineering campaigns targeting employees’ cloud-based authentication credentials, specifically focusing on Microsoft Entra, Okta, and Google SSO accounts since at least last year. Once an SSO account is compromised, threat actors can leverage it to gain access to a wide array of connected Software as a Service (SaaS) applications, including prominent platforms like Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, and Dropbox.
The healthcare and medical technology sectors have become increasingly attractive targets for extortion gangs like ShinyHunters. Abbott is not an isolated case; the group has previously claimed responsibility for data breaches affecting other prominent medtech companies, including Medtronic, OneMedical, and AdaptHealth. Furthermore, BleepingComputer has identified ShinyHunters as the perpetrator behind the iRhythm data breach and has also linked them to an attack on Stryker shortly after the company recovered from a destructive data-wiping incident attributed to an Iranian state-sponsored actor.
Regarding the specific data allegedly stolen from Abbott, ShinyHunters has made substantial claims. The group alleges that it exfiltrated data from Microsoft Entra, ServiceNow, SharePoint, Databricks, and Coupa. This purportedly includes a range of internal documents, contractual agreements, and customer information. Most alarmingly, ShinyHunters claims to have stolen over 30 million rows of personally identifiable information (PII) from multiple datasets, encompassing names, email addresses, phone numbers, physical addresses, dates of birth, and critically, over one million Social Security numbers. The threat actor also asserted the theft of more than 22 million client notes containing doctor-patient conversations, over 20 million medical orders, and various customer agreements and non-disclosure agreements (NDAs). It is important to note that BleepingComputer has not independently verified the veracity of these specific data theft claims made by the threat actor.
The LabCentral Incident: A Separate Allegation
In parallel to the ShinyHunters investigation, Abbott is also addressing allegations of a separate breach concerning its Core Laboratory diagnostics business. A threat actor operating under the alias ShadowByt3$ has contacted BleepingComputer, asserting that they successfully breached this division through Abbott’s LabCentral customer portal.
ShadowByt3$ claims to have exploited a "weak point" within the LabCentral environment, utilizing compromised customer credentials. According to the threat actor, this intrusion occurred on July 4, 2026. They further allege that they systematically exfiltrated files by targeting API endpoints over a period of time.

The nature of the data claimed to be stolen by ShadowByt3$ differs from the ShinyHunters allegations. The group states that it obtained CE manufacturing certificates, operation manuals, technical specifications, regulatory documentation, product requirement archives, calibrator value assignments, assay files, and other product-related documentation pertinent to Abbott’s laboratory diagnostic systems. Importantly, ShadowByt3$ asserts that no customer data was compromised, but rather that sensitive business documents and intellectual property were accessed. To substantiate their claims, the group provided BleepingComputer with screenshots and a file listing as purported evidence of the intrusion.
Abbott has acknowledged awareness of this "potential" cyber incident related to the LabCentral portal. However, the company has contested the threat actor’s characterization of the stolen data, asserting that all information within that specific environment is publicly available and not considered sensitive.
An Abbott spokesperson provided clarification on the LabCentral portal’s function: "LabCentral is an externally facing third-party hosted portal used by Abbott’s core laboratory diagnostics business. It houses publicly available technical product reference documents, including operating manuals, troubleshooting checklists and product specifications, and does not contain proprietary/sensitive customer or business information."
As of the latest reporting, neither ShinyHunters nor ShadowByt3$ has publicly released any of the data they claim to have exfiltrated from Abbott.
Broader Context and Potential Ramifications
These dual cybersecurity incidents underscore the persistent and evolving threat landscape faced by major corporations, particularly those within the critical healthcare sector. The ability of threat actors to exploit vulnerabilities in legacy systems, leverage sophisticated social engineering tactics, and target cloud-based authentication mechanisms highlights the need for continuous vigilance and robust security postures.
The alleged theft of millions of Social Security numbers and sensitive patient conversation notes by ShinyHunters, if proven true, would represent a significant data breach with potentially severe consequences for individuals and for Abbott’s reputation and regulatory standing. The healthcare industry is bound by stringent data privacy regulations, such as HIPAA in the United States, and any breach of protected health information (PHI) can result in substantial fines and legal liabilities.

The LabCentral incident, while Abbott characterizes the data as public, still raises questions about the security of third-party hosted platforms and the potential for intellectual property theft. Even if customer data is not compromised, the unauthorized access to technical documentation and product specifications could provide competitors with valuable insights or expose proprietary information.
The investigations into these incidents are ongoing. Abbott’s proactive response, including engaging cybersecurity experts and notifying law enforcement, is a standard and crucial step in mitigating the damage from such events. However, the mere fact that such incidents are occurring within a company of Abbott’s stature necessitates a thorough review of its security protocols, particularly concerning legacy systems and the human element of cybersecurity through social engineering awareness training.
The increasing targeting of medtech companies by groups like ShinyHunters suggests a strategic focus by cybercriminals on sectors that hold highly sensitive and valuable data, often with direct implications for patient well-being and critical infrastructure. As these threats continue to evolve, organizations like Abbott must remain at the forefront of cybersecurity innovation and defense to protect their operations, their data, and the trust of their customers and patients. The coming weeks and months will likely reveal more details as Abbott’s investigations progress and potentially, as threat actors decide whether to act on their claims of stolen data.







