The ShinyHunters extortion gang claims it is behind a wave of ongoing voice phishing attacks targeting single sign-on (SSO) accounts at Okta, Microsoft, and Google, enabling threat actors to breach corporate SaaS platforms and steal company data for extortion.
In these attacks, threat actors impersonate IT support and call employees, tricking them into entering their credentials and multi-factor authentication (MFA) codes on phishing sites that impersonate company login portals.
Once compromised, the attackers gain access to the victim’s SSO account, which can provide access to other connected enterprise applications and services.
SSO services from Okta, Microsoft Entra, and Google enable companies to link third-party applications into a single authentication flow, giving employees access to cloud services, internal tools, and business platforms with a single login.
These SSO dashboards typically list all connected services, making a compromised account a gateway into corporate systems and data.
Platforms commonly connected through SSO include Salesforce, Microsoft 365, Google Workspace, Dropbox, Adobe, SAP, Slack, Zendesk, Atlassian, and many others.
Source: Microsoft
Vishing attacks used for data theft
As first reported by , threat actors have been carrying out these attacks by calling employees and posing as IT staff, using social engineering to convince them to log into phishing pages and complete MFA challenges in real time.
After gaining access to a victim’s SSO account, the attackers browse the list of connected applications and begin harvesting data from the platforms available to that user.
is aware of multiple companies targeted in these attacks that have since received extortion demands signed by ShinyHunters, indicating that the group was behind the intrusions.
contacted Okta earlier this week about the breaches, but the company declined to comment on the data theft attacks.
However, Okta released a report yesterday describing the phishing kits used in these voice-based attacks, which match what has been told.
According to Okta, the phishing kits include a web-based control panel that allows attackers to dynamically change what a victim sees on a phishing site while speaking to them on the phone. This allows threat actors to guide victims through each step of the login and MFA authentication process.
If the attackers enter stolen credentials into the real service and are prompted for MFA, they can display new dialog boxes on the phishing site in real time to instruct a victim to approve a push notification, enter a TOTP code, or perform other authentication steps.
Source: Okta
ShinyHunters claim responsibility
While ShinyHunters declined to comment on the attacks last night, the group confirmed to this morning that it is responsible for some of the social engineering attacks.
“We confirm we are behind the attacks,” ShinyHunters told . “We are unable to share further details at this time, besides the fact that Salesforce remains our primary interest and target, the rest are benefactors.”
The group also confirmed other aspects of ‘s reporting, including details about the phishing infrastructure and domains used in the campaign. However, it disputed that a screenshot of a phishing kit command-and-control server shared by Okta was for its platform, claiming instead that theirs was built in-house.
ShinyHunters claimed it is targeting not only Okta but also Microsoft Entra and Google SSO platforms.
Microsoft said it has nothing to share at this time, and Google said it had no evidence its products were being abused in the campaign.
“At this time, we have no indication that Google itself or its products are affected by this campaign,” a Google spokesperson told .
ShinyHunters claims to be using data stolen in previous breaches, such as the widespread Salesforce data theft attacks, to identify and contact employees. This data includes phone numbers, job titles, names, and other details used to make the social-engineering calls more convincing.
Last night, the group relaunched its Tor data leak site, which currently lists breaches at SoundCloud, Betterment, and Crunchbase.
SoundCloud previously disclosed a data breach in December 2025, while Betterment confirmed this month that its email platform had been abused to send cryptocurrency scams and that data was stolen.
Crunchbase, which had not previously disclosed a breach, confirmed today that data was stolen from its corporate network.
“Crunchbase detected a cybersecurity incident where a threat actor exfiltrated certain documents from our corporate network,” a company spokesperson told . “No business operations have been disrupted by this incident. We have contained the incident and our systems are secure.”
“Upon detecting the incident we engaged cybersecurity experts and contacted federal law enforcement. We are reviewing the impacted information to determine if any notifications are required consistent with applicable legal requirements.”
.ia_ad {
background-color: #f0f6ff;
width: 95%;
max-width: 800px;
margin: 15px auto;
border-radius: 8px;
border: 1px solid #d6ddee;
display: flex;
align-items: stretch;
padding: 0;
overflow: hidden;
}
.ia_lef {
flex: 1;
max-width: 200px;
height: auto;
display: flex;
align-items: stretch;
}
.ia_lef a {
display: flex;
width: 100%;
height: 100%;
}
.ia_lef a img {
width: 100%;
height: 100%;
border-radius: 8px 0 0 8px;
margin: 0;
display: block;
}
.ia_rig {
flex: 2;
padding: 10px;
display: flex;
flex-direction: column;
justify-content: center;
}
.ia_rig h2 {
font-size: 17px !important;
font-weight: 700;
color: #333;
line-height: 1.4;
font-family: Georgia, “Times New Roman”, Times, serif;
margin: 0 0 14px 0;
}
.ia_rig p {
font-weight: bold;
font-size: 14px;
margin: 0 0 clamp(6px, 2vw, 14px) 0;
}
.ia_button {
background-color: #FFF;
border: 1px solid #3b59aa;
color: black;
text-align: center;
text-decoration: none;
border-radius: 8px;
display: inline-block;
font-size: 16px;
font-weight: bold;
cursor: pointer;
padding: 10px 20px;
width: fit-content;
}
.ia_button a {
text-decoration: none;
color: inherit;
display: block;
}
@media (max-width: 600px) {
.ia_ad {
flex-direction: column;
align-items: center;
}
.ia_lef {
max-width: 100%;
}
.ia_lef a img {
border-radius: 8px 8px 0 0;
}
.ia_rig {
padding: 15px;
width: 100%;
}
.ia_button {
width: 100%;
margin: 0px auto;
}
}
The 2026 CISO Budget Benchmark
It’s budget season! Over 300 CISOs and security leaders have shared how they’re planning, spending, and prioritizing for the year ahead. This report compiles their insights, allowing readers to benchmark strategies, identify emerging trends, and compare their priorities as they head into 2026.
Learn how top leaders are turning investment into measurable impact.
Comments