Saturday, January 24, 2026

ShinyHunters claim to be behind SSO-account data theft attacks

The ShinyHunters extortion gang claims it is behind a wave of ongoing voice phishing attacks targeting single sign-on (SSO) accounts at Okta, Microsoft, and Google, enabling threat actors to breach corporate SaaS platforms and steal company data for extortion.

In these attacks, threat actors impersonate IT support and call employees, tricking them into entering their credentials and multi-factor authentication (MFA) codes on phishing sites that impersonate company login portals.

Once an account is compromised, the attackers gain access to the victim's SSO account, which can provide access to other connected enterprise applications and services.


SSO services from Okta, Microsoft Entra, and Google allow companies to link third-party applications into a single authentication flow, giving employees access to cloud services, internal tools, and business platforms with a single login.

These SSO dashboards typically list all connected services, making a compromised account a gateway into corporate systems and data.

Platforms commonly connected through SSO include Salesforce, Microsoft 365, Google Workspace, Dropbox, Adobe, SAP, Slack, Zendesk, Atlassian, and many others.

Microsoft Entra single sign-on (SSO) dashboard
Source: Microsoft

Vishing attacks used for data theft

As first reported by BleepingComputer, threat actors have been carrying out these attacks by calling employees and posing as IT staff, using social engineering to convince them to log into phishing pages and complete MFA challenges in real time.

After gaining access to a victim's SSO account, the attackers browse the list of connected applications and begin harvesting data from the platforms available to that user.
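The post-login behavior described above (a fresh SSO login followed by rapid browsing of connected applications) can be turned into a detection rule. The following is an added example, not code from BleepingComputer, Okta, or any vendor; the event schema, the thresholds, the function name `find_fanout`, and all sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed tuning value
MIN_APPS = 3                    # assumed tuning value

# Constructed sample events in a hypothetical normalized schema:
# (timestamp, user, source_ip, kind, app). Not any vendor's real log format.
EVENTS = [
    ("2026-01-20T09:00:00", "alice", "198.51.100.7", "login", None),
    ("2026-01-20T09:01:00", "alice", "198.51.100.7", "app_sso", "slack"),
    ("2026-01-20T09:05:00", "alice", "198.51.100.7", "app_sso", "salesforce"),
    ("2026-01-20T09:09:00", "alice", "198.51.100.7", "app_sso", "zendesk"),
    ("2026-01-20T14:02:00", "bob", "192.0.2.55", "login", None),
    ("2026-01-20T14:03:10", "bob", "192.0.2.55", "app_sso", "salesforce"),
    ("2026-01-20T14:04:30", "bob", "192.0.2.55", "app_sso", "slack"),
    ("2026-01-20T14:06:00", "bob", "192.0.2.55", "app_sso", "dropbox"),
    ("2026-01-20T16:00:00", "carol", "192.0.2.99", "login", None),
    ("2026-01-20T16:02:00", "carol", "192.0.2.99", "app_sso", "slack"),
]
# Constructed baseline of source IPs already seen per user.
KNOWN_IPS = {"alice": {"198.51.100.7"}, "bob": {"203.0.113.20"}, "carol": set()}

def find_fanout(events, known_ips, window=WINDOW, min_apps=MIN_APPS):
    """Flag logins from a never-seen IP followed by SSO into many distinct apps."""
    seen = {user: set(ips) for user, ips in known_ips.items()}
    new_login = {}            # (user, ip) -> time of first login from that IP
    apps = defaultdict(set)   # (user, ip) -> apps opened inside the window
    for ts, user, ip, kind, app in sorted(events, key=lambda e: e[0]):
        when, key = datetime.fromisoformat(ts), (user, ip)
        if kind == "login" and ip not in seen.setdefault(user, set()):
            seen[user].add(ip)
            new_login[key] = when
        elif kind == "app_sso" and key in new_login:
            if when - new_login[key] <= window:
                apps[key].add(app)
    return [(user, ip, new_login[(user, ip)].isoformat(), sorted(opened))
            for (user, ip), opened in apps.items() if len(opened) >= min_apps]

if __name__ == "__main__":
    for alert in find_fanout(EVENTS, KNOWN_IPS):
        print("ALERT", alert)
```

A new source IP alone (carol) or many app launches from a known IP (alice) does not alert; only the combination does, which keeps the rule focused on the fan-out pattern rather than on ordinary travel or daily use.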

BleepingComputer is aware of multiple companies targeted in these attacks that have since received extortion demands signed by ShinyHunters, indicating that the group was behind the intrusions.

BleepingComputer contacted Okta earlier this week about the breaches, but the company declined to comment on the data theft attacks.

However, Okta released a report yesterday describing the phishing kits used in these voice-based attacks, which match what BleepingComputer has been told.

According to Okta, the phishing kits include a web-based control panel that allows attackers to dynamically change what a victim sees on a phishing site while speaking to them on the phone. This allows threat actors to guide victims through each step of the login and MFA authentication process.

If the attackers enter stolen credentials into the real service and are prompted for MFA, they can display new dialog boxes on the phishing site in real time to instruct a victim to approve a push notification, enter a TOTP code, or perform other authentication steps.

Phishing kit letting attackers display different dialogs while calling victims
Source: Okta

ShinyHunters claim responsibility

While ShinyHunters declined to comment on the attacks last night, the group confirmed to BleepingComputer this morning that it is responsible for some of the social engineering attacks.

“We affirm we’re behind the assaults,” ShinyHunters told BleepingComputer. “We’re unable to share additional particulars at the moment, apart from the truth that Salesforce stays our main curiosity and goal, the remaining are benefactors.”

The group also confirmed other aspects of BleepingComputer’s reporting, including details about the phishing infrastructure and domains used in the campaign. However, it disputed that a screenshot of a phishing kit command-and-control server shared by Okta was for its platform, claiming instead that theirs was built in-house.

ShinyHunters claimed it is targeting not only Okta but also Microsoft Entra and Google SSO platforms.

Microsoft said it has nothing to share at this time, and Google said it had no evidence its products were being abused in the campaign.

“Right now, we have no indication that Google itself or its merchandise are affected by this marketing campaign,” a Google spokesperson told BleepingComputer.

ShinyHunters claims to be using data stolen in previous breaches, such as the widespread Salesforce data theft attacks, to identify and contact employees. This data includes phone numbers, job titles, names, and other details used to make the social-engineering calls more convincing.

Last night, the group relaunched its Tor data leak site, which currently lists breaches at SoundCloud, Betterment, and Crunchbase.

SoundCloud previously disclosed a data breach in December 2025, while Betterment confirmed this month that its email platform had been abused to send cryptocurrency scams and that data was stolen.

Crunchbase, which had not previously disclosed a breach, confirmed today that data was stolen from its corporate network.

“Crunchbase detected a cybersecurity incident where a risk actor exfiltrated sure paperwork from our company community,” a company spokesperson told BleepingComputer. “No enterprise operations have been disrupted by this incident. We’ve contained the incident and our programs are safe.”

“Upon detecting the incident we engaged cybersecurity specialists and contacted federal legislation enforcement. We’re reviewing the impacted data to find out if any notifications are required per relevant authorized necessities.”
