ShinyHunters Expands Vishing Campaign Targeting High-Value Organizations with Advanced Phishing Kits
Okta researchers have uncovered a surge in voice-based social engineering (vishing) attacks linked to the extortion group ShinyHunters (also tracked as UNC6040), which has targeted over 100 high-value organizations in the past month. The group's latest campaign pairs real-time phishing kits with live phone calls to bypass multi-factor authentication (MFA) and steal credentials, session tokens, and sensitive data.
How the Attack Works
ShinyHunters employs "Live Phishing Panels", automated tools that let an operator sit adversary-in-the-middle (AitM, also called man-in-the-middle, MitM) between the victim and the real login page. The attacker, on the phone impersonating IT support, walks the victim through the login while the panel relays each step to the legitimate identity provider and adjusts the phishing page to match whatever the real authentication flow asks for next. For example:
- If the victim's MFA method is a push notification, the relayed login triggers the real push to the victim's phone; the caller tells the victim to expect it and to approve it, and the phishing page then displays a fake confirmation so the flow looks normal.
- If the method is a one-time code or number matching, the attacker reads the correct number off the legitimate site in real time and either tells the victim over the phone or updates the phishing page to display it.
This approach defeats push-based MFA and number matching, which were designed to counter automated phishing, because the human on the phone supplies the context the automation lacks. Phishing-resistant, origin-bound authenticators (FIDO2/WebAuthn security keys and passkeys) are the exception: the credential they produce is tied to the real site's origin and cannot be replayed through a proxy page.
Recent Data Breaches Linked to ShinyHunters
The group has claimed responsibility for data leaks from multiple companies, including:
- Dating apps: Hinge, Match, OkCupid, and Bumble (though Match Group stated no financial or login data was compromised).
- Other victims: SoundCloud, CrunchBase, Betterment, CarMax, Edmunds.com, and Panera Bread.
While the exact breach methods remain unconfirmed, researchers note the attacks align with ShinyHunters’ known tactics, including:
- Credential theft via phishing kits.
- Session token hijacking for SSO platforms like Okta.
- Data exfiltration from SaaS applications.
Broader Impact & Response
Okta’s advisory highlights a rise in similar attacks targeting Okta, Microsoft, and Google accounts, driven by commercial phishing kits optimized for voice-based social engineering. Cybersecurity firm Hudson Rock confirmed the leaked data matches ShinyHunters’ previous claims, reinforcing the group’s credibility.
Companies are advised to:
- Verify IT support calls through official channels.
- Audit SSO provider logs for suspicious device or MFA factor enrollments and for logins from new IP addresses.
ShinyHunters, active since 2020, has a history of breaching major brands, often through employee account compromise. The latest campaign suggests an expansion of targets, with potential for further data leaks.
CarMax cybersecurity rating report: https://www.rankiteo.com/company/carmax
Edmunds cybersecurity rating report: https://www.rankiteo.com/company/edmunds-com
Match Group cybersecurity rating report: https://www.rankiteo.com/company/matchgroup
"id": "CAREDMMAT1769740948",
"linkid": "carmax, edmunds-com, matchgroup",
"type": "Breach",
"date": "9/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Online Dating',
'name': 'Hinge',
'type': 'Dating app'},
{'industry': 'Online Dating',
'name': 'Match',
'type': 'Dating app'},
{'industry': 'Online Dating',
'name': 'OkCupid',
'type': 'Dating app'},
{'industry': 'Online Dating',
'name': 'Bumble',
'type': 'Dating app'},
{'industry': 'Technology/Media',
'name': 'SoundCloud',
'type': 'Music streaming platform'},
{'industry': 'Technology/Business Intelligence',
'name': 'CrunchBase',
'type': 'Business database'},
{'industry': 'FinTech',
'name': 'Betterment',
'type': 'Financial services'},
{'industry': 'Retail/Automotive',
'name': 'CarMax',
'type': 'Automotive retailer'},
{'industry': 'Retail/Automotive',
'name': 'Edmunds.com',
'type': 'Automotive research'},
{'industry': 'Food & Beverage',
'name': 'Panera Bread',
'type': 'Restaurant chain'},
{'industry': 'Multiple',
'name': 'Over 100 high-value organizations',
'type': 'Various'}],
'attack_vector': 'Voice-based social engineering, Man-in-the-Middle (MitM) '
'phishing, Fake MFA prompts',
'data_breach': {'data_exfiltration': 'Yes',
'personally_identifiable_information': 'Yes',
'sensitivity_of_data': 'High (PII, corporate data)',
'type_of_data_compromised': 'Credentials, Session tokens, '
'Personally identifiable '
'information (PII), Sensitive '
'corporate data'},
'description': 'Okta researchers uncovered a surge in voice-based social '
'engineering attacks linked to the extortion group '
'ShinyHunters (UNC6040), targeting over 100 high-value '
'organizations. The campaign uses real-time phishing kits and '
'hybrid vishing techniques to bypass MFA, steal credentials, '
"session tokens, and sensitive data. The group employs 'Live "
"Phishing Panels' for man-in-the-middle attacks, dynamically "
'adjusting phishing pages to mimic legitimate authentication '
'flows, defeating even push-based MFA.',
'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
'data leaks',
'data_compromised': 'Credentials, Session tokens, Sensitive data, '
'Personally identifiable information (PII)',
'identity_theft_risk': 'High (PII exposure)',
'operational_impact': 'Compromised employee accounts, Unauthorized '
'access to corporate systems',
'systems_affected': 'Single Sign-On (SSO) platforms (Okta, '
'Microsoft, Google), SaaS applications'},
'initial_access_broker': {'data_sold_on_dark_web': 'Potential (historical '
'activity of ShinyHunters)',
'entry_point': 'Employee account compromise via '
'phishing/vishing',
'high_value_targets': 'SSO platforms (Okta, '
'Microsoft, Google), SaaS '
'applications'},
'investigation_status': 'Ongoing',
'lessons_learned': 'Voice-based social engineering and real-time phishing '
'kits can bypass advanced MFA protections. Organizations '
'must verify IT support communications through official '
'channels and monitor for suspicious logins.',
'motivation': 'Extortion, Data theft, Financial gain, Credential harvesting',
'post_incident_analysis': {'corrective_actions': 'Enhanced employee training, '
'Stricter authentication '
'protocols, Continuous '
'monitoring of SSO platforms',
'root_causes': 'Lack of employee awareness of '
'vishing attacks, MFA bypass '
'techniques, Real-time phishing '
'kits'},
'recommendations': ['Verify IT support calls through official channels',
                     'Audit SSO provider logs for suspicious device '
                     'enrollments or new IP logins',
'Implement additional authentication layers beyond MFA',
'Monitor for unusual session activity'],
'references': [{'source': 'Okta Research'}, {'source': 'Hudson Rock'}],
'response': {'communication_strategy': 'Advisories to verify IT support calls '
'through official channels',
              'remediation_measures': 'Audit SSO provider logs for suspicious '
                                      'device enrollments or new IP logins',
'third_party_assistance': 'Okta researchers, Hudson Rock'},
'stakeholder_advisories': 'Companies advised to verify IT support calls and '
'audit logs for suspicious activity.',
'threat_actor': 'ShinyHunters (UNC6040)',
'title': 'ShinyHunters Expands Vishing Campaign Targeting High-Value '
'Organizations with Advanced Phishing Kits',
'type': 'Phishing/Vishing, Credential Theft, Data Breach, Session Hijacking',
'vulnerability_exploited': 'Multi-Factor Authentication (MFA) bypass, Session '
'token hijacking, Credential theft via phishing '
'kits'}