DentaQuest Was Reported at 744 Users. The Real Number Is 2.6 Million. We Said the Headcount Was the Leverage on May 29 — Here's the Receipt.
- Patrick Duggan
Nine days ago we published a post with a deliberately uncomfortable thesis: that ShinyHunters adding DentaQuest to its leak site was not about the file count it claimed, it was about the vertical it chose. At the time the claimed exfil, per public dark-web monitoring, was seven-hundred-forty-four users plus one third-party employee credential — a number small enough that a casual reader would have filed it under "minor incident, move on." We did not file it that way. We filed it as the Coinbase Cartel confederation's second vertical pivot of the month — Canvas was education, DentaQuest was dental insurance — and we said the through-line was consent-leak verticals chosen for class-action lethality, not for the size of the first tranche posted. This week the public number for DentaQuest came back, and it is two-point-six million accounts. The 744 was the down payment. The 2.6 million is the loan.
Here is why the gap between those two numbers is the entire story, and why it is the shape we keep drawing. When an extortion crew lists a victim, the number it advertises on the leak site is a negotiating instrument, not an inventory. It is the smallest credible sample that proves access while preserving the threat of the rest. Seven-hundred-forty-four named records says "we are inside and we can name your people." Two-point-six million says what was actually behind the door the whole time. The leak-site count is the muzzle flash; the breach count is the magazine. Anyone who priced DentaQuest off the 744 — including, we'd wager, some of DentaQuest's own early incident messaging — was reading the muzzle flash and calling it the weapon. We told you on May 29 that the leverage was the headcount the vertical implied, not the headcount the leak site advertised. The 2.6 million is that sentence cashed.
Now connect it to why the vertical was chosen, because that is the part that generalizes past DentaQuest. Dental and vision insurance is a consent-leak vertical: every record in it exists because a human signed a form authorizing the collection of their name, date of birth, government identifiers, dependents, and claims history. That is the exact field set that makes a class-action lawyer's job easy and an actuary's nightmare specific. The Coinbase Cartel — the loose confederation we named on May 21 that braids ShinyHunters, UNC6040-style Salesforce-pivot tradecraft, and Scattered-Spider-flavored social engineering — is not breaching these companies for the data's resale value alone. It is breaching them because the aftermath is the leverage: regulatory exposure, plaintiffs' counsel already circling, and a victim board that will pay to make the litigation tail shorter. Canvas proved the model when Instructure was reported to have paid roughly ten million dollars to ShinyHunters to get the Canvas data back, complete with cryptographic shred logs. DentaQuest is the same play in a vertical where the records are even more class-action-shaped. The pattern is not "who has data worth stealing." It is "who has data whose leak is expensive enough to ransom."
So here is the protective read, because we do not publish escalation counts to gloat about a forecast. If you are an enterprise that holds consent-form PII at scale — insurance, benefits administration, education, healthcare-adjacent, anything where users signed away a rich identity field set — the DentaQuest escalation is your tabletop for this quarter. Three moves. First, assume your leak-site number, if you ever get one, is a fraction and plan the notification, the regulatory clock, and the legal reserve against the whole store, not the advertised sample. The companies that got hurt worst this spring were the ones that messaged early off the small number and had to walk it back to the large one in public. Second, watch your Salesforce and SaaS OAuth grant surface specifically, because the Coinbase Cartel's signature initial access is not a firewall zero-day, it is a consented OAuth token and a convincing phone call — the soft surface, not the hard perimeter. Our STIX feed carries the UNC6040 and ShinyHunters infrastructure indicators at no cost, and our IOC index will answer a cross-correlation query on any indicator you are looking at. Third, if you are a DentaQuest member reading this, the practical step is the boring one that works: assume the full identity field set is out, freeze credit at all three bureaus, and treat any dental-insurance-themed phishing or "verify your benefits" call over the next year as hostile until proven otherwise. The class action will take years; the freeze takes ten minutes.
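One way to run the OAuth-grant review from the second move, as an added example that is not code from this post or its feed: it scores grants to apps outside an approved list so the riskiest consents get looked at first. The export format, field names, scope sets, allowlist and weights are assumptions, and the sample grants are constructed.

```python
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Constructed sample export of OAuth grants; field names are hypothetical.
GRANTS = [
    {"user": "alice@example.com", "app": "Acme Data Sync",
     "scopes": ["api", "refresh_token"], "granted": "2025-01-10T09:00:00"},
    {"user": "bob@example.com", "app": "Acme Data Sync Tool",
     "scopes": ["api", "refresh_token"], "granted": "2025-06-03T16:41:00"},
    {"user": "carol@example.com", "app": "Calendar Helper",
     "scopes": ["openid"], "granted": "2025-02-01T11:30:00"},
]
APPROVED = {"Acme Data Sync", "Acme SSO"}             # assumed allowlist
DATA_SCOPES = {"api", "full"}                         # assumed: bulk data access
PERSIST_SCOPES = {"refresh_token", "offline_access"}  # assumed: long-lived tokens


def resembles_approved(app, approved, threshold=0.8):
    """True when an unapproved app name is close to a sanctioned one."""
    return any(SequenceMatcher(None, app.lower(), a.lower()).ratio() >= threshold
               for a in approved)


def review_grants(grants, approved, now, recent=timedelta(days=14)):
    """Score grants to unapproved apps; return findings, highest risk first."""
    findings = []
    for g in grants:
        if g["app"] in approved:
            continue  # sanctioned integration, not part of this check
        scopes = set(g["scopes"])
        age = now - datetime.fromisoformat(g["granted"])
        checks = [
            (1, "app not on approved list", True),
            (2, "data-access scope", bool(scopes & DATA_SCOPES)),
            (1, "long-lived token scope", bool(scopes & PERSIST_SCOPES)),
            (1, "granted recently", age <= recent),
            (2, "name resembles approved app", resembles_approved(g["app"], approved)),
        ]
        hits = [(points, reason) for points, reason, matched in checks if matched]
        findings.append({"user": g["user"], "app": g["app"],
                         "score": sum(p for p, _ in hits),
                         "reasons": [r for _, r in hits]})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in review_grants(GRANTS, APPROVED, now=datetime(2025, 6, 8)):
        print(f["score"], f["user"], f["app"], "; ".join(f["reasons"]))
```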
The honest cap, 95% as always: we cannot independently confirm the 2.6 million to the individual record — that figure is from public breach reporting and DentaQuest's own incident disclosure surface, and final counts in these cases drift for months as forensics complete, sometimes up and occasionally down. We are not claiming we predicted the exact integer; we are claiming we told you the advertised number was the wrong number to plan against, and the direction of the correction was never in doubt. What we will not do is pretend the 744 was ever the story. The vertical was the story. The litigation tail was the story. The number was always the leverage, and now the number has a comma in it.
