PROBABLYPWNED
Data Breaches | January 25, 2026

ShinyHunters Vishing Campaign Targets Okta SSO Accounts

Extortion group confirms voice phishing attacks stealing SSO credentials from Crunchbase, Betterment, and more. Custom phishing kits enable real-time MFA bypass.

Sarah Mitchell

The ShinyHunters extortion group has confirmed responsibility for an ongoing voice phishing campaign targeting enterprise single sign-on accounts at Okta, Microsoft, and Google. The attacks have already yielded breaches at Crunchbase, Betterment, and other organizations—with the group claiming it has compromised "a lot more" companies than it's disclosed.

This campaign represents an evolution of the attacks that compromised SoundCloud in December, expanding the target list to fintech firms and business intelligence platforms. ShinyHunters told BleepingComputer that "Salesforce remains our primary interest and target, the rest are benefactors."

How the Attacks Work

The vishing campaign follows a consistent playbook. Attackers impersonate IT support and call employees directly, convincing them to visit phishing sites that mimic company login portals. When victims enter credentials and approve MFA prompts, the attackers capture authenticated session tokens.

What makes these attacks effective is the sophistication of the phishing kits. Okta released a threat report this week explaining that the kits include web-based control panels allowing attackers to dynamically change what victims see during calls. As the attacker performs authentication attempts, they can display real-time dialog boxes instructing victims to approve push notifications or enter TOTP codes.

"These hybrid phishing operations are also capable of bypassing push notifications that use number challenge/number matching as an additional method of verification," Okta researchers noted.

The kits are sold as part of an "as a service" model and are being used by multiple hacking groups, not just ShinyHunters.

Confirmed Victims

ShinyHunters leaked data from multiple organizations on Friday:

Crunchbase - The business intelligence company confirmed to BleepingComputer that "a threat actor exfiltrated certain documents from our corporate network." ShinyHunters claims the dump contains over 2 million records.

Betterment - The financial advisory firm's data has been published. ShinyHunters claims more than 20 million records from this breach alone. Compromised Betterment accounts have subsequently been abused to promote cryptocurrency scams.

SoundCloud - The streaming platform disclosed its breach in December, confirming approximately 28 million user accounts were affected. That total has since grown to over 30 million records in ShinyHunters' possession.

The group says it accessed these organizations by vishing Okta SSO credentials, then pivoting to connected enterprise applications like Salesforce, Microsoft 365, Google Workspace, Dropbox, and Slack.
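The session-theft pattern described under "How the Attacks Work" and the pivot into connected apps described just above leave a recognisable trace in Okta System Log data: the session is started from infrastructure the user has never used, and that same address reaches a sensitive app within minutes. The following is an added detection example, not code from the article or from Okta; the log events, the user baseline and the simplified field names are constructed for illustration.

```python
"""Heuristic detection of AitM-style SSO session theft in Okta-like log data.

Flags a successful session.start from an IP never seen for that user that is
followed, within a short window, by SSO into a sensitive app from the same IP.
All events and baselines below are constructed samples, not real Okta data,
and the flat field names are a simplification of the real System Log schema.
"""
from datetime import datetime, timedelta

SENSITIVE_APPS = {"Salesforce", "Microsoft 365", "Google Workspace", "Slack", "Dropbox"}

# Constructed sample events (simplified field set).
EVENTS = [
    {"published": "2026-01-23T14:02:10Z", "eventType": "user.session.start",
     "outcome": "SUCCESS", "actor": "alice@example.com", "ip": "203.0.113.5", "app": None},
    {"published": "2026-01-23T14:02:41Z", "eventType": "user.authentication.auth_via_mfa",
     "outcome": "SUCCESS", "actor": "alice@example.com", "ip": "203.0.113.5", "app": None},
    {"published": "2026-01-23T14:03:15Z", "eventType": "user.authentication.sso",
     "outcome": "SUCCESS", "actor": "alice@example.com", "ip": "203.0.113.5", "app": "Salesforce"},
    {"published": "2026-01-23T15:10:00Z", "eventType": "user.session.start",
     "outcome": "SUCCESS", "actor": "bob@example.com", "ip": "198.51.100.7", "app": None},
    {"published": "2026-01-23T15:11:00Z", "eventType": "user.authentication.sso",
     "outcome": "SUCCESS", "actor": "bob@example.com", "ip": "198.51.100.7", "app": "Slack"},
]

# Constructed baseline: IPs each user has signed in from over a trailing period.
KNOWN_IPS = {"alice@example.com": {"192.0.2.10"}, "bob@example.com": {"198.51.100.7"}}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def flag_session_theft(events, known_ips, window_minutes=15):
    """Return (user, ip, app) for new-IP sessions that pivot into a sensitive app quickly."""
    alerts = []
    starts = [e for e in events
              if e["eventType"] == "user.session.start" and e["outcome"] == "SUCCESS"]
    for s in starts:
        if s["ip"] in known_ips.get(s["actor"], set()):
            continue  # previously seen IP for this user: not suspicious on its own
        t0 = parse_ts(s["published"])
        for e in events:
            if (e["eventType"] == "user.authentication.sso" and e["actor"] == s["actor"]
                    and e["ip"] == s["ip"] and e["app"] in SENSITIVE_APPS
                    and timedelta(0) <= parse_ts(e["published"]) - t0
                    <= timedelta(minutes=window_minutes)):
                alerts.append((s["actor"], s["ip"], e["app"]))
    return alerts
```

A hit is a triage lead, not proof of compromise: legitimate travel or a new VPN egress also produces new IPs, so pair it with ASN reputation and the user's device posture before acting.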

Targeted Industries

ShinyHunters is focusing on specific verticals where SSO access provides maximum value:

  • Financial technology
  • Wealth management
  • Business intelligence
  • Advisory services

The fintech focus makes sense. These organizations handle sensitive financial data, and their Salesforce instances often contain customer financial records, transaction histories, and personally identifiable information that's valuable for extortion.

Platform Responses

Microsoft declined to comment on the attacks. Google stated: "We have no indication that Google itself or its products are affected by this campaign." Okta released its threat report on the phishing kits but declined to comment on specific customer breaches.

The measured responses underscore a difficult reality: the SSO providers can't prevent social engineering attacks that trick employees into authenticating on fake login pages. The authentication itself is legitimate—it's the session that gets stolen.

Why This Matters

Voice phishing isn't new, but the combination with real-time phishing kits creates something more dangerous. Traditional phishing pages are static—they capture credentials and hope the MFA code is still valid by the time the attacker uses it. These AitM (adversary-in-the-middle) platforms keep the victim engaged while the attacker authenticates simultaneously, defeating time-based protections.

For organizations relying on Okta, Microsoft Entra, or Google Workspace for SSO, the implications are significant. MFA remains important, but it's not sufficient when attackers can intercept sessions in real time. Organizations should review our phishing defense guidance and consider additional controls like hardware security keys and conditional access policies that limit sessions to managed devices.

ShinyHunters continues adding victims. With custom vishing kits widely available and the group's track record of following through on data leaks, organizations in the fintech and advisory space should assume they're potential targets.
