ShinyHunters Gang Behind Vishing Attacks Targeting SSO Accounts at Okta, Microsoft, and Google
The extortion group ShinyHunters has claimed responsibility for a series of voice phishing (vishing) attacks targeting single sign-on (SSO) accounts at Okta, Microsoft Entra, and Google, enabling threat actors to breach corporate SaaS platforms and steal data for extortion.
In these attacks, cybercriminals impersonate IT support staff, calling employees and tricking them into entering credentials and multi-factor authentication (MFA) codes on phishing sites mimicking legitimate login portals. With these details, the attackers gain access to the victim’s SSO account, which often serves as a gateway to connected enterprise applications, including Salesforce, Microsoft 365, Google Workspace, Dropbox, Slack, and Atlassian.
The phishing kits used in these attacks feature real-time control panels, allowing attackers to dynamically adjust phishing pages during calls, prompting victims to approve MFA requests or enter one-time codes as needed. Okta confirmed the use of such kits in a recent report, though it declined to comment on the breaches themselves.
ShinyHunters told BleepingComputer that it is behind some of the attacks, with Salesforce as its primary target, though other platforms are also exploited. The group leverages employee data stolen in previous breaches, including phone numbers, job titles, and names, to make its social engineering calls more convincing.
Recent victims listed on ShinyHunters’ Tor data leak site include SoundCloud, Betterment, and Crunchbase. While SoundCloud and Betterment had previously disclosed breaches, Crunchbase confirmed a new incident involving data exfiltration from its corporate network, though no operational disruptions occurred. The company has engaged cybersecurity experts and law enforcement.
Microsoft and Google have not reported evidence of their products being abused in the campaign, with Google stating it has no indication its systems were affected. ShinyHunters disputed Okta’s attribution of a specific phishing kit, claiming its infrastructure was built in-house.
Okta cybersecurity rating report: https://www.rankiteo.com/company/okta
Salesforce cybersecurity rating report: https://www.rankiteo.com/company/salesforce
Google Workspace cybersecurity rating report: https://www.rankiteo.com/company/googleworkspace
{
  "id": "OKTSALGOO1769222214",
  "linkid": "okta, salesforce, googleworkspace",
  "type": "Cyber Attack",
  "date": "1/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'industry': 'Music Streaming',
                        'name': 'SoundCloud',
                        'type': 'Company'},
                       {'industry': 'Financial Services',
                        'name': 'Betterment',
                        'type': 'Company'},
                       {'industry': 'Business Information',
                        'name': 'Crunchbase',
                        'type': 'Company'},
                       {'industry': 'Identity and Access Management',
                        'name': 'Okta',
                        'type': 'Company'},
                       {'industry': 'Technology',
                        'name': 'Microsoft',
                        'type': 'Company'},
                       {'industry': 'Technology',
                        'name': 'Google',
                        'type': 'Company'}],
 'attack_vector': 'Social Engineering (Impersonation of IT support staff), '
                  'Phishing Sites',
 'data_breach': {'data_exfiltration': 'Yes',
                 'personally_identifiable_information': 'Employee data (phone '
                                                        'numbers, job titles, '
                                                        'names)',
                 'sensitivity_of_data': 'High (Personally Identifiable '
                                        'Information, Corporate Data)',
                 'type_of_data_compromised': ['Employee credentials',
                                              'MFA codes',
                                              'Corporate data']},
 'description': 'The extortion group ShinyHunters has claimed responsibility '
                'for a series of voice phishing (vishing) attacks targeting '
                'single sign-on (SSO) accounts at Okta, Microsoft Entra, and '
                'Google, enabling threat actors to breach corporate SaaS '
                'platforms and steal data for extortion. Attackers impersonate '
                'IT support staff to trick employees into entering credentials '
                'and MFA codes on phishing sites, gaining access to SSO '
                'accounts and connected enterprise applications like '
                'Salesforce, Microsoft 365, Google Workspace, Dropbox, Slack, '
                'and Atlassian.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'data breaches',
            'data_compromised': 'Corporate data, Employee credentials, MFA '
                                'codes',
            'identity_theft_risk': 'High (stolen employee and customer data)',
            'operational_impact': 'Data exfiltration, Unauthorized access to '
                                  'corporate networks',
            'systems_affected': ['SSO Accounts',
                                 'SaaS Platforms (Salesforce, Microsoft 365, '
                                 'Google Workspace, Dropbox, Slack, '
                                 'Atlassian)']},
 'initial_access_broker': {'entry_point': 'Vishing calls, Phishing sites',
                           'high_value_targets': ['Salesforce',
                                                  'Microsoft 365',
                                                  'Google Workspace']},
 'investigation_status': 'Ongoing',
 'motivation': 'Extortion, Data Theft',
 'post_incident_analysis': {'root_causes': 'Social engineering, MFA bypass, '
                                           'Credential theft'},
 'references': [{'source': 'BleepingComputer'},
                {'source': 'Okta Report'},
                {'source': 'Crunchbase Statement'}],
 'response': {'law_enforcement_notified': 'Yes (Crunchbase)',
              'third_party_assistance': 'Cybersecurity experts engaged '
                                        '(Crunchbase)'},
 'threat_actor': 'ShinyHunters',
 'title': 'ShinyHunters Gang Behind Vishing Attacks Targeting SSO Accounts at '
          'Okta, Microsoft, and Google',
 'type': 'Vishing (Voice Phishing)',
 'vulnerability_exploited': 'Multi-factor Authentication (MFA) Bypass, '
                            'Credential Theft'}