Introduction: A Familiar Name Returns With a New Access Path
The ShinyHunters extortion group has resurfaced with a campaign that blends old-school phone calls with modern cloud identity abuse. Instead of exploiting software vulnerabilities, the group claims it is breaching companies by targeting their most valuable digital choke point: single sign-on (SSO) accounts tied to platforms like Okta, Microsoft Entra, and Google. By impersonating IT staff and manipulating employees in real time, the attackers are allegedly gaining access to entire SaaS ecosystems and using stolen data as leverage for extortion.
Overview of the Alleged Campaign
ShinyHunters claims responsibility for an ongoing wave of voice phishing, or vishing, attacks aimed at corporate employees.
How the Vishing Attacks Begin
Attackers call employees directly while posing as internal IT support staff.
Social Engineering as the Primary Weapon
Victims are convinced that their accounts need urgent verification or troubleshooting.
Credential and MFA Harvesting in Real Time
Employees are guided to phishing pages that closely mimic legitimate login portals.
Abuse of Multi-Factor Authentication
Victims are tricked into entering MFA codes or approving push notifications during the call.
Compromise of SSO Accounts
Once the password and the relayed MFA response are captured, the attackers sign in to the employee’s SSO dashboard as that user.
Why SSO Accounts Are High-Value Targets
SSO platforms provide centralized access to dozens of enterprise services.
A Single Login, Many Doors
Compromised SSO credentials can unlock cloud apps, internal tools, and business systems.
Commonly Accessed SaaS Platforms
Attackers can reach services like Salesforce, Microsoft 365, Google Workspace, Slack, SAP, and more.
Post-Compromise Activity
Threat actors reportedly browse connected apps and begin harvesting accessible data.
Data Theft as a Precursor to Extortion
Stolen corporate data is later used to pressure organizations into paying ransom demands.
Victims Receive Extortion Notes
Several targeted companies have reportedly received demands signed by ShinyHunters.
BleepingComputer’s Initial Reporting
The campaign was first detailed publicly by BleepingComputer.
Okta’s Initial Silence
Okta declined to comment directly on the reported breaches.
Okta’s Follow-Up Disclosure
Okta later published a report describing phishing kits linked to voice-based attacks.
Dynamic Phishing Infrastructure
The kits include control panels that change phishing page content in real time.
Real-Time Victim Manipulation
Attackers can adapt instructions while speaking to the victim on the phone.
MFA Prompt Simulation
Fake dialogs can request TOTP codes, push approvals, or other authentication steps.
ShinyHunters Confirms Partial Responsibility
The group later confirmed it was behind some of the attacks.
Focus on Salesforce Data
ShinyHunters stated Salesforce remains its primary target.
Other Platforms as Secondary Targets
Okta, Microsoft Entra, and Google are described as access enablers rather than end goals.
Dispute Over Infrastructure Screenshots
The group disputes the published screenshots of phishing infrastructure and claims its own phishing platform is built in-house.
Expansion Beyond a Single Identity Provider
ShinyHunters says it is not limiting attacks to Okta alone.
Microsoft’s Response
Microsoft stated it had nothing to share at this time.
Google’s Position
Google said it has no evidence its products are affected.
Use of Previously Stolen Data
The group claims to leverage old breach data to identify employees.
Personal Details Increase Credibility
Names, job titles, and phone numbers make calls more convincing.
Revival of the ShinyHunters Leak Site
The group recently relaunched its Tor-based data leak platform.
Companies Listed on the Leak Site
SoundCloud, Betterment, and Crunchbase are currently named.
SoundCloud’s Prior Disclosure
SoundCloud acknowledged a data breach in December 2025.
Betterment’s Recent Admission
Betterment confirmed abuse of its email platform and data theft.
Crunchbase Confirms a Breach
Crunchbase disclosed that documents were exfiltrated from its network.
Law Enforcement Involvement
Crunchbase engaged cybersecurity experts and federal authorities.
What Undercode Says: Why This Campaign Is More Dangerous Than It Looks
Identity Is the New Perimeter
This campaign highlights how identity systems have replaced network firewalls as the primary security boundary.
SSO Turns Small Mistakes Into Massive Breaches
One employee’s error can expose an entire SaaS ecosystem.
MFA Is Not a Silver Bullet
Code- and push-based multi-factor authentication fails when the user is talked into relaying the second factor to the attacker in real time.
Vishing Bypasses Technical Controls
Phone calls exploit human trust, not software flaws.
Real-Time Phishing Changes the Game
Dynamic phishing pages remove the usual friction that alerts victims.
SSO Dashboards Are Treasure Maps
They conveniently list every service an attacker can access next.
Salesforce as a Strategic Target
CRM platforms contain customer data, contracts, and internal communications.
Data Theft Over Ransomware
Extortion without encryption reduces noise and speeds monetization.
ShinyHunters’ Evolution
The group continues shifting tactics rather than disappearing.
Reuse of Old Breach Data
Historic leaks are now fueling new intrusion campaigns.
Long Tail of Past Breaches
Data stolen years ago still enables fresh attacks today.
Trust in IT Is Being Weaponized
Employees are conditioned to comply with IT requests quickly.
Voice Channels Are Underprotected
Most security programs focus on email, not phone-based threats.
Security Awareness Gaps
Few employees are trained to challenge live support calls.
Lack of Verification Processes
Organizations rarely require call-back or ticket verification.
SSO Logging Isn’t Enough
An authentication log records a successful, MFA-backed login; it cannot show that the user was talked through that login on the phone.
Detection Comes Too Late
Most victims learn about breaches after data is stolen.
Extortion as a Business Model
Public shaming and data leaks replace disruptive ransomware.
SaaS Sprawl Increases Risk
More integrations mean a larger blast radius from a single compromised identity.
Third-Party Dependency Blind Spots
Security teams often underestimate SaaS interconnections.
Vendor Security Is Not Enough
Even secure platforms fail when credentials are compromised.
Identity-Centric Defense Is Mandatory
Access governance must match identity centralization.
Behavioral Signals Matter
Unusual login behavior should trigger immediate review.
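The points above (the SSO dashboard as a map of what to open next, logs that record access but not coercion, and the call for behavioural review of unusual logins) are easier to act on with a concrete rule. The following is an added example written for this page, not code from Okta, BleepingComputer or the group described: it scans a handful of constructed sign-on events, loosely shaped like Okta System Log records (the field names, the per-user IP baseline, the 10-minute window and the four-app threshold are all assumptions), and flags a session that starts from an IP the user has never used and then fans out across several applications within minutes. It deliberately ignores whether MFA succeeded, because in a relayed-MFA login that event looks identical to a legitimate one.

```python
"""Flag an SSO session that starts from an unseen IP and fans out across many apps."""
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(minutes=10)   # assumption: fan-out window after session start
MIN_APPS = 4                     # assumption: distinct apps that count as "treasure map" browsing

# Constructed baseline of IPs each user normally signs in from (assumed, not real data).
KNOWN_IPS = {
    "alice@example.com": {"198.51.100.4"},
    "bob@example.com": {"198.51.100.5"},
}


def _ev(ts, etype, user, ip, app=None, result="SUCCESS"):
    """Build one constructed event in a loosely Okta-System-Log-like shape."""
    e = {"published": ts, "eventType": etype, "outcome": {"result": result},
         "actor": {"alternateId": user}, "client": {"ipAddress": ip}, "target": []}
    if app:
        e["target"].append({"type": "AppInstance", "displayName": app})
    return e


# Constructed sample: alice's morning login is normal; her afternoon login from an
# unseen IP opens four apps in five minutes; bob opens many apps from his usual IP.
SAMPLE_EVENTS = [
    _ev("2026-01-20T09:00:00Z", "user.session.start", "alice@example.com", "198.51.100.4"),
    _ev("2026-01-20T09:01:10Z", "user.authentication.sso", "alice@example.com", "198.51.100.4", "Slack"),
    _ev("2026-01-20T14:01:05Z", "user.session.start", "alice@example.com", "203.0.113.9"),
    _ev("2026-01-20T14:02:00Z", "user.authentication.sso", "alice@example.com", "203.0.113.9", "Salesforce"),
    _ev("2026-01-20T14:02:40Z", "user.authentication.sso", "alice@example.com", "203.0.113.9", "Slack"),
    _ev("2026-01-20T14:03:30Z", "user.authentication.sso", "alice@example.com", "203.0.113.9", "Google Workspace"),
    _ev("2026-01-20T14:05:55Z", "user.authentication.sso", "alice@example.com", "203.0.113.9", "Microsoft 365"),
    _ev("2026-01-20T14:06:10Z", "user.authentication.sso", "alice@example.com", "203.0.113.9", "Salesforce"),
    _ev("2026-01-20T14:10:00Z", "user.session.start", "bob@example.com", "198.51.100.5"),
    _ev("2026-01-20T14:11:00Z", "user.authentication.sso", "bob@example.com", "198.51.100.5", "Salesforce"),
    _ev("2026-01-20T14:11:30Z", "user.authentication.sso", "bob@example.com", "198.51.100.5", "Slack"),
    _ev("2026-01-20T14:12:00Z", "user.authentication.sso", "bob@example.com", "198.51.100.5", "SAP"),
    _ev("2026-01-20T14:12:30Z", "user.authentication.sso", "bob@example.com", "198.51.100.5", "Microsoft 365"),
    _ev("2026-01-20T14:30:00Z", "user.authentication.sso", "alice@example.com", "203.0.113.9", "SAP"),  # outside window
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_fanout_sessions(events, known_ips=KNOWN_IPS, window=WINDOW, min_apps=MIN_APPS):
    """Return one alert per successful session start from an unseen IP that is
    followed, within `window`, by SSO events to at least `min_apps` distinct apps."""
    events = sorted(events, key=lambda e: _ts(e["published"]))
    alerts = []
    for i, e in enumerate(events):
        if e["eventType"] != "user.session.start" or e["outcome"]["result"] != "SUCCESS":
            continue
        user, ip = e["actor"]["alternateId"], e["client"]["ipAddress"]
        if ip in known_ips.get(user, set()):
            continue  # familiar source address: not the pattern we are hunting
        start = _ts(e["published"])
        apps = set()
        for later in events[i + 1:]:
            if _ts(later["published"]) - start > window:
                break  # events are sorted, so everything after this is outside the window too
            if (later["eventType"] == "user.authentication.sso"
                    and later["actor"]["alternateId"] == user
                    and later["client"]["ipAddress"] == ip):
                apps.update(t["displayName"] for t in later["target"] if t.get("type") == "AppInstance")
        if len(apps) >= min_apps:
            alerts.append({"user": user, "ip": ip, "session_start": e["published"], "apps": sorted(apps)})
    return alerts


if __name__ == "__main__":
    for a in find_fanout_sessions(SAMPLE_EVENTS):
        print(f"ALERT {a['user']} from unseen IP {a['ip']} at {a['session_start']} "
              f"opened {len(a['apps'])} apps: {', '.join(a['apps'])}")
```

Run against the sample, only alice's afternoon session is reported: bob opens just as many apps but from his usual address, and alice's SAP access falls outside the window. In production the baseline would come from weeks of history and the rule would feed a step-up or session-revocation action rather than a print statement.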
MFA Fatigue Is Still Exploitable
Push approvals remain a weak link because the victim can be talked into approving a prompt the attacker has just triggered.
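The reason the kits described earlier (real-time pages that ask for a TOTP code or a push approval) work, and the reason they stop working against phishing-resistant factors, comes down to where the second factor is bound. The following is an added example written for this page, not code from the page, Okta or the group described: it implements RFC 6238 TOTP and the origin and rpIdHash checks a WebAuthn relying party performs, then simulates a relay in which the attacker forwards the real challenge to the victim's browser on a look-alike page. The hostnames (sso.example.com, sso-example-login.net), the secret and the challenge are constructed; signature verification is left out, since the assertion is rejected before it would be reached.

```python
"""Why a real-time relay defeats TOTP but not a WebAuthn assertion."""
import base64
import hashlib
import hmac
import json
import struct

# ---- Factor 1: TOTP (RFC 6238). The IdP cannot tell where the code was typed. ----

def totp(secret: bytes, for_time: int, step: int = 30, digits: int = 6) -> str:
    counter = struct.pack(">Q", for_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def idp_verify_totp(secret: bytes, submitted: str, now: int) -> bool:
    return hmac.compare_digest(totp(secret, now), submitted)


def relay_totp_attack(secret: bytes, now: int) -> bool:
    """Victim reads the code from their own app into the phishing page;
    the attacker submits the same string to the real IdP within the same step."""
    code_typed_on_phishing_page = totp(secret, now)
    return idp_verify_totp(secret, code_typed_on_phishing_page, now)


# ---- Factor 2: WebAuthn. The browser, not the page, writes the origin. ----

RP_ID = "sso.example.com"              # constructed relying-party ID
RP_ORIGIN = "https://sso.example.com"  # constructed expected origin


def _b64url(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def browser_build_assertion(page_origin: str, rp_id: str, challenge: bytes):
    """Simulates the browser: it refuses an rpId that is not a registrable suffix of
    the page's host, and it records the page's real origin in clientDataJSON."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError("rpId is not a registrable suffix of the page origin")
    client_data = json.dumps({"type": "webauthn.get", "origin": page_origin,
                              "challenge": _b64url(challenge)}).encode()
    # authenticatorData = rpIdHash || flags (UP set) || signCount
    auth_data = hashlib.sha256(rp_id.encode()).digest() + bytes([0x01]) + (1).to_bytes(4, "big")
    return client_data, auth_data


def rp_verify_assertion(client_data: bytes, auth_data: bytes, expected_challenge: bytes,
                        expected_origin: str = RP_ORIGIN, rp_id: str = RP_ID) -> bool:
    """The relying party's pre-signature checks from the WebAuthn verification steps."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("origin") != expected_origin:
        return False  # assertion was produced on a different site
    if cd.get("challenge") != _b64url(expected_challenge):
        return False  # not a response to the challenge this RP issued
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False  # credential was scoped to a different rpId
    # Signature over auth_data || sha256(client_data) would be verified next (omitted here).
    return True


def legitimate_webauthn(challenge: bytes) -> bool:
    client_data, auth_data = browser_build_assertion(RP_ORIGIN, RP_ID, challenge)
    return rp_verify_assertion(client_data, auth_data, challenge)


def relay_webauthn_attack(challenge: bytes, phishing_origin: str = "https://sso-example-login.net") -> bool:
    """Attacker forwards the real challenge to the victim's browser on the look-alike page."""
    try:
        client_data, auth_data = browser_build_assertion(phishing_origin, RP_ID, challenge)
    except PermissionError:
        # The browser will not use the real rpId here; the attacker's only option is its own
        # domain, which produces a different rpIdHash and origin.
        client_data, auth_data = browser_build_assertion(phishing_origin, "sso-example-login.net", challenge)
    return rp_verify_assertion(client_data, auth_data, challenge)


if __name__ == "__main__":
    secret, now, challenge = b"12345678901234567890", 1_700_000_000, b"\x42" * 32
    print("relayed TOTP accepted:      ", relay_totp_attack(secret, now))
    print("legitimate WebAuthn accepted:", legitimate_webauthn(challenge))
    print("relayed WebAuthn accepted:   ", relay_webauthn_attack(challenge))
```

The TOTP relay succeeds because the code is just a short string that the victim can read out or type anywhere; the WebAuthn relay fails at two independent points (the browser's rpId scoping and the relying party's origin and rpIdHash comparison) without the user having to notice anything. Push approvals sit in the TOTP category: the approval is not bound to the page that triggered it.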
Voice Phishing Will Scale
Automation and scripts will make vishing cheaper and faster.
Law Enforcement Pressure Is Limited
Cross-border actors face minimal immediate consequences.
Public Leak Sites Amplify Pressure
Naming victims accelerates ransom decisions.
Reputation Damage Outweighs Downtime
Data exposure harms trust more than temporary outages.
CISOs Must Rethink Training
Human-centric attacks require human-centric defenses.
Zero Trust Needs a Human Layer
Technology alone cannot stop persuasion-based intrusions.
ShinyHunters as a Case Study
This campaign shows where modern enterprise security still breaks.
Fact Checker Results
Claim of Responsibility
✅ ShinyHunters publicly confirmed involvement in some of the attacks.
Technical Consistency
✅ Okta’s description of phishing kits aligns with reported attack behavior.
Platform Impact Claims
❌ Google states it has no evidence its products are affected.
Prediction: What Comes Next
Expansion of Vishing Campaigns
📞 Voice-based attacks will become more common in enterprise breaches.
Identity Security Investment Surge
🔐 Organizations will prioritize SSO and identity threat detection.
Data Extortion Over Encryption
💰 More groups will abandon ransomware in favor of pure data theft.
References:
Reported By: www.bleepingcomputer.com