LmCast :: Stay tuned in

Okta SSO accounts targeted in vishing-based data theft attacks

Recorded: Jan. 22, 2026, 10:03 p.m.

By Lawrence Abrams

January 22, 2026, 04:43 PM

Okta is warning about custom phishing kits built specifically for voice-based social engineering (vishing) attacks. BleepingComputer has learned that these kits are being used in active attacks to steal Okta SSO credentials for data theft.
In a new report released today by Okta, researchers explain that the phishing kits are sold as part of an "as a service" model and are actively being used by multiple hacking groups to target identity providers, including Google, Microsoft, and Okta, and cryptocurrency platforms.
Unlike typical static phishing pages, these adversary-in-the-middle platforms are designed for live interaction via voice calls, allowing attackers to change content and display dialogs in real time as a call progresses.

The core feature of these kits is real-time manipulation of the target: scripted dialogs give the caller direct control over what the victim sees at each step of the authentication flow.
As the victim enters credentials into the phishing page, they are forwarded to the attacker, who attempts to log in to the real service while still on the call.

Image: A C2 panel allowing real-time control of authentication flows (Source: Okta)
When the service responds with an MFA challenge, such as a push notification or OTP, the attacker can select a new dialog that instantly updates the phishing page to match what the victim sees when attempting to log in. This synchronization makes fraudulent MFA requests appear legitimate.
Okta says these attacks are highly planned, with threat actors performing reconnaissance on a targeted employee, including which applications they use and the phone numbers associated with their company's IT support.
They then create customized phishing pages and call the victim using spoofed corporate or helpdesk numbers. When the victim enters their username and password on the phishing site, those credentials are relayed to the attacker's backend, commonly to Telegram channels operated by the threat actors.
This allows the attackers to immediately trigger real authentication attempts that display MFA challenges. While the threat actors are still on the phone with their target, they can direct the person to enter their MFA TOTP codes on the phishing site, which are then intercepted and used to log in to their accounts.
Okta says these platforms can even defeat push-based MFA with number matching: the attacker's login attempt triggers the real push, the kit's C2 makes the phishing page display the matching number prompt, and the caller simply tells the victim which number to select in the authenticator app.
Okta recommends that customers use phishing-resistant MFA such as Okta FastPass, FIDO2 security keys, or passkeys.
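The distinction Okta is drawing is between authenticators a caller can relay (TOTP codes, push approvals, number matching) and those bound to the origin or device (FastPass, FIDO2, passkeys). As an added example, not Okta's code, the Python below applies that split to sign-in records laid out like Okta System Log events and flags successful MFA with a relayable factor from a network the user has never used before, which is what a kit logging in from its own server looks like. The events are constructed and the factor labels are assumptions about how each authenticator is recorded.

```python
"""Flag MFA sign-ins that a vishing AitM kit could have produced.

Added example, not Okta's code. Event layout follows the Okta System Log
(eventType, actor.alternateId, client.ipAddress, outcome.result,
debugContext.debugData.factor), but every event below is CONSTRUCTED and
the factor labels are assumptions about how authenticators are logged.
"""
import ipaddress
from collections import defaultdict

# Authenticators an AitM page cannot relay: the assertion is bound to the
# origin (FIDO2 keys, passkeys) or to the enrolled device (Okta FastPass).
PHISHING_RESISTANT = {"FIDO_WEBAUTHN", "SIGNED_NONCE"}

# Factors a caller can talk the victim through: a TOTP typed into the fake
# page, or a push whose matching number the caller reads out.
PHISHABLE = {"OKTA_VERIFY_PUSH", "OKTA_VERIFY_OTP", "GOOGLE_OTP", "SMS_OTP"}


def _event(ts, etype, user, ip, result="SUCCESS", factor=None):
    """Build one constructed System-Log-shaped event."""
    ev = {
        "published": ts,
        "eventType": etype,
        "actor": {"alternateId": user},
        "client": {"ipAddress": ip},
        "outcome": {"result": result},
    }
    if factor:
        ev["debugContext"] = {"debugData": {"factor": factor}}
    return ev


# Constructed history: where each user normally signs in from (TEST-NET ranges).
HISTORY = [
    _event("2026-01-05T08:01:00Z", "user.session.start", "jdoe@example.com", "198.51.100.23"),
    _event("2026-01-12T08:03:00Z", "user.session.start", "jdoe@example.com", "198.51.100.41"),
    _event("2026-01-12T08:03:00Z", "user.session.start", "asmith@example.com", "192.0.2.9"),
]

# Constructed events from the day of the call.
TODAY = [
    # Victim's TOTP relayed by the caller; the login comes from the kit's server.
    _event("2026-01-20T15:04:05Z", "user.authentication.auth_via_mfa",
           "jdoe@example.com", "203.0.113.77", factor="GOOGLE_OTP"),
    # Same user, phishable factor, but from a known network: no alert.
    _event("2026-01-20T17:30:00Z", "user.authentication.auth_via_mfa",
           "jdoe@example.com", "198.51.100.23", factor="OKTA_VERIFY_PUSH"),
    # New network, but a FIDO2 assertion cannot have come through a relay page.
    _event("2026-01-20T09:15:00Z", "user.authentication.auth_via_mfa",
           "asmith@example.com", "203.0.113.80", factor="FIDO_WEBAUTHN"),
    # A denied push is noise for this rule; only successes are evaluated.
    _event("2026-01-20T15:02:00Z", "user.authentication.auth_via_mfa",
           "jdoe@example.com", "203.0.113.77", result="FAILURE", factor="OKTA_VERIFY_PUSH"),
]


def build_baseline(history):
    """Map each user to the /24 networks of their prior successful sessions."""
    base = defaultdict(set)
    for ev in history:
        if ev["eventType"] == "user.session.start" and ev["outcome"]["result"] == "SUCCESS":
            net = ipaddress.ip_network(ev["client"]["ipAddress"] + "/24", strict=False)
            base[ev["actor"]["alternateId"]].add(net)
    return base


def classify_factor(factor):
    """'resistant', 'phishable', or 'unknown' (unknown is treated like phishable)."""
    if factor in PHISHING_RESISTANT:
        return "resistant"
    if factor in PHISHABLE:
        return "phishable"
    return "unknown"


def find_suspicious_mfa(events, baseline):
    """Successful MFA with a relayable factor from a network the user never used."""
    alerts = []
    for ev in sorted(events, key=lambda e: e["published"]):
        if ev["eventType"] != "user.authentication.auth_via_mfa":
            continue
        if ev["outcome"]["result"] != "SUCCESS":
            continue
        user = ev["actor"]["alternateId"]
        factor = ev.get("debugContext", {}).get("debugData", {}).get("factor", "")
        ip = ipaddress.ip_address(ev["client"]["ipAddress"])
        known = any(ip in net for net in baseline.get(user, ()))
        kind = classify_factor(factor)
        if kind != "resistant" and not known:
            alerts.append({"user": user, "ip": str(ip), "factor": factor,
                           "when": ev["published"], "factor_class": kind})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_mfa(TODAY, build_baseline(HISTORY)):
        print(f'{a["when"]} {a["user"]} {a["factor"]} ({a["factor_class"]}) from {a["ip"]}')
```

The rule deliberately ignores the FIDO2 sign-in from a new network: an origin-bound assertion cannot have passed through the kit's page, so the new IP is at most a travel anomaly. Treating unknown factor labels as phishable keeps a newly enabled authenticator from silently escaping the check.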
Attacks used for data theft
This advisory comes after BleepingComputer learned that Okta privately warned its customers' CISOs earlier this week about the ongoing social engineering attacks.
On Monday, BleepingComputer contacted Okta after learning that threat actors were calling targeted companies' employees to steal their Okta SSO credentials.
Okta is a cloud-based identity provider that acts as a central login system for many of the most widely used enterprise web services and cloud platforms.
Its single sign-on (SSO) service allows employees to authenticate once with Okta and then gain access to other platforms used by their company without having to log in again.
Platforms that integrate with Okta SSO include Microsoft 365, Google Workspace, Dropbox, Salesforce, Slack, Zoom, Box, Atlassian Jira and Confluence, Coupa, and many more.
Once logged in, Okta SSO users are given access to a dashboard that lists all of their company's services and platforms, allowing them to click and access them. This makes Okta SSO act as a gateway to a company's business-wide services.

Image: The Okta SSO dashboard gives single sign-on access to a company's platforms (Source: Okta)
At the same time, this makes the platform extremely valuable to threat actors: one set of stolen SSO credentials opens the company's widely used cloud storage, marketing, development, CRM, and data analytics platforms.
BleepingComputer has learned that the social engineering attacks begin with threat actors calling employees and impersonating IT staff from their company. The threat actors offer to help the employee set up passkeys for logging into the Okta SSO service.
The attackers trick employees into visiting a specially crafted adversary-in-the-middle phishing site that captures their SSO credentials and TOTP codes, with some of the attacks relayed in real time through a Socket.IO server previously hosted at inclusivity-team[.]onrender.com.
The phishing websites are named after the targeted company and commonly contain the word "internal" or "my".
For example, if Google were targeted, the phishing sites might be named googleinternal[.]com or mygoogle[.]com.
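To turn that naming convention into a check, here is an added example (not code from BleepingComputer or Okta) that screens a feed of hostnames, such as newly observed certificate names, for the two patterns the report describes. It treats legitimate subdomains like my.google.com as benign by comparing the registrable domain against a constructed allowlist; the hyphenated variants and the short public-suffix table are assumptions that go beyond what the article states.

```python
"""Flag hostnames built on the '<brand>internal' / 'my<brand>' pattern.

Added example, not BleepingComputer's or Okta's code. The report names only
the bare forms (googleinternal[.]com, mygoogle[.]com); the hyphenated variants
are an ADDED assumption. The brand table and sample hostnames are constructed.
"""
import re

# Brands to protect, each with its legitimate registrable domains (constructed).
BRANDS = {
    "google": {"google.com"},
    "example": {"example.com", "example.net"},
}

# Two-label public suffixes this toy recognises. Assumption: a real tool
# would load the full Public Suffix List instead of this short set.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# human-readable name -> regex for the second-level label, {b} is the brand
PATTERNS = {
    "brand-internal": r"{b}-?internal",
    "my-brand": r"my-?{b}",
}


def registrable_domain(host):
    """Registrable part of a hostname ('Login.MyGoogle.co.uk.' -> 'mygoogle.co.uk')."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def lookalike_match(host, brands=BRANDS):
    """Return a match record if host splices a brand into its registrable label, else None."""
    reg = registrable_domain(host)
    # my.google.com has registrable domain google.com: a legitimate subdomain, not a lookalike.
    if any(reg in legit for legit in brands.values()):
        return None
    label = reg.split(".")[0]
    for brand in brands:
        for name, pat in PATTERNS.items():
            if re.fullmatch(pat.format(b=re.escape(brand)), label):
                return {"host": host, "brand": brand, "pattern": name, "registrable": reg}
    return None


def scan(hosts, brands=BRANDS):
    """Run lookalike_match over a feed of hostnames and keep only the hits."""
    return [m for m in (lookalike_match(h, brands) for h in hosts) if m]


# Constructed feed mixing lookalikes, legitimate names and near misses.
SAMPLE_HOSTS = [
    "googleinternal.com",
    "mygoogle.com",
    "login.mygoogle.co.uk",
    "my.google.com",
    "google.com",
    "mygooglemaps.com",
    "example-internal.net",
    "sso.example.net",
]

if __name__ == "__main__":
    for m in scan(SAMPLE_HOSTS):
        print(f'{m["host"]}: {m["pattern"]} on "{m["brand"]}" ({m["registrable"]})')
```

Matching on the registrable label rather than the whole hostname is what keeps the check honest: mygooglemaps.com is not flagged because the brand is not the entire spliced label, and my.google.com is not flagged because its registrable domain is the company's own.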
Once an employee's credentials are stolen, the attacker logs in to the Okta SSO dashboard to see which platforms they have access to and then proceeds to steal data from them.
"We gained unauthorized access to your resources by using a social-engineering-based phishing attack to compromise an employee's SSO credentials," reads a security report sent by the threat actors to the victim and seen by BleepingComputer.
"We contacted various employees and convinced one to provide their SSO credentials, including TOTPs."
"We then looked through various apps on the employee's Okta dashboard that they had access to looking for ones that dealt with sensitive information. We mainly exfiltrated from Salesforce due to how easy it is to exfiltrate data from Salesforce. We highly suggest you to stray away from Salesforce, use something else."
Once their access is detected, the threat actors immediately send extortion emails to the company, demanding payment to prevent the publication of the stolen data.
Sources tell BleepingComputer that some of the extortion demands sent by the threat actors are signed by ShinyHunters, a well-known extortion group behind many of last year's data breaches, including the widespread Salesforce data theft attacks.
BleepingComputer asked ShinyHunters to confirm if they were behind these attacks but they declined to comment.
At this time, BleepingComputer has been told that the threat actors are still actively targeting companies in the fintech, wealth management, financial, and advisory sectors.
Okta shared the following statement with BleepingComputer regarding our questions about these attacks.
"Keeping customers secure is our top priority. Okta’s Defensive Cyber Operations team routinely identifies phishing infrastructure configured to imitate an Okta sign-in page and proactively notifies vendors of their findings," reads a statement sent to BleepingComputer.
"It is clear how sophisticated and insidious phishing campaigns have become and it’s crucial that companies take all necessary measures to secure their systems and continue to educate their employees on vigilant security best practices."
"We provide our customers best practices and practical guidance to help them identify and prevent social engineering attacks, including the recommendations detailed in this security blog https://www.okta.com/blog/threat-intelligence/help-desks-targeted-in-social-engineering-targeting-hr-applications/ and the blog we published today https://www.okta.com/blog/threat-intelligence/phishing-kits-adapt-to-the-script-of-callers/."

Tags: Data Theft, Okta, Phishing, Single Sign-On, Social Engineering, SSO, TOTP Secret

Lawrence Abrams
Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.

Summary

Okta is warning about adversary-in-the-middle phishing kits built specifically for voice-based social engineering (vishing). BleepingComputer has learned that multiple groups are using these kits in active attacks to steal Okta single sign-on (SSO) credentials for data theft and extortion, and that companies in the fintech, wealth management, financial, and advisory sectors are still being targeted. The technique works because a single SSO login opens every application an employee can reach.

The core of the threat lies in the creation of “as a service” phishing kits. These kits are not static pages but rather dynamic platforms that adapt to the ongoing conversation with the targeted employee. Unlike traditional phishing websites, these kits are built around live interactions via voice calls. They allow attackers to manipulate the authentication process in real-time, directly responding to the employee's input within the call. This capability is achieved through custom scripts that give the caller immediate control over the victim’s authentication flow.

Threat actors plan these attacks carefully, performing reconnaissance on targeted employees: which applications they use and which phone numbers belong to their company's IT support. They then build phishing pages tailored to the company and call the victim from spoofed corporate or helpdesk numbers, posing as IT staff and offering to help set up passkeys for Okta SSO.

During the call, the attacker guides the employee to the phishing site. As the employee enters a username and password, the credentials are relayed to the attacker's backend, often a Telegram channel, and the attacker immediately uses them to log in to the real service. A C2 (command and control) panel gives the caller real-time control over what the phishing page shows: when the genuine login produces a push notification or time-based one-time password (TOTP) challenge, the attacker selects the matching dialog so the fake page mirrors the prompt the victim would expect to see.

Okta reports that these kits defeat push-based MFA even with number matching: the attacker's login triggers the real push, the kit displays a matching number prompt on the phishing page, and the caller tells the victim which number to select.

The effectiveness of these attacks is bolstered by the attackers’ ability to maintain a continuous, live connection with the victim. The attacker uses the C2 panel to select the next challenge while talking with the victim, and captures the information entered by the victim in real time.

No vulnerability in Okta is exploited; the attackers simply use the stolen credentials and intercepted TOTP codes to log in to the Okta SSO dashboard, which lists every platform the victim can access, from Salesforce, Microsoft 365, and Google Workspace to Atlassian Jira and Confluence. They then exfiltrate data from those applications; in the case seen by BleepingComputer the attackers said they focused on Salesforce because of how easy it was to pull data from it.

Credential collection is only the first step: the attackers use the access to exfiltrate data and, once their activity is detected, send extortion emails demanding payment to prevent publication of the stolen data. Some of these demands are signed by ShinyHunters, the extortion group behind many of last year's data breaches, including the widespread Salesforce data theft attacks; the group declined to confirm or deny its involvement to BleepingComputer.

Okta says its Defensive Cyber Operations team routinely identifies phishing infrastructure imitating an Okta sign-in page and notifies the hosting vendors, and it has published guidance on identifying and preventing social engineering attacks.

Okta recommends that customers move to phishing-resistant MFA such as Okta FastPass, FIDO2 security keys, or passkeys, which an adversary-in-the-middle page cannot relay, and pair those technical controls with employee education on vigilant security practices.