ShinyHunters claim to be behind SSO-account data theft attacks

Recorded: Jan. 24, 2026, 2 a.m.


By Lawrence Abrams

January 23, 2026
06:35 PM

The ShinyHunters extortion gang claims it is behind a wave of ongoing voice phishing attacks targeting single sign-on (SSO) accounts at Okta, Microsoft, and Google, enabling threat actors to breach corporate SaaS platforms and steal company data for extortion.
In these attacks, threat actors impersonate IT support and call employees, tricking them into entering their credentials and multi-factor authentication (MFA) codes on phishing sites that impersonate company login portals.
Once compromised, the attackers gain access to the victim's SSO account, which can provide access to other connected enterprise applications and services.

SSO services from Okta, Microsoft Entra, and Google enable companies to link third-party applications into a single authentication flow, giving employees access to cloud services, internal tools, and business platforms with a single login. 
These SSO dashboards typically list all connected services, making a compromised account a gateway into corporate systems and data.
Platforms commonly connected through SSO include Salesforce, Microsoft 365, Google Workspace, Dropbox, Adobe, SAP, Slack, Zendesk, Atlassian, and many others.

Microsoft Entra single sign-on (SSO) dashboard (Source: Microsoft)
Vishing attacks used for data theft
As first reported by BleepingComputer, threat actors have been carrying out these attacks by calling employees and posing as IT staff, using social engineering to convince them to log into phishing pages and complete MFA challenges in real time.
After gaining access to a victim's SSO account, the attackers browse the list of connected applications and begin harvesting data from the platforms available to that user.
BleepingComputer is aware of multiple companies targeted in these attacks that have since received extortion demands signed by ShinyHunters, indicating that the group was behind the intrusions.
BleepingComputer contacted Okta earlier this week about the breaches, but the company declined to comment on the data theft attacks.
However, Okta released a report yesterday describing the phishing kits used in these voice-based attacks, which match what BleepingComputer has been told.
According to Okta, the phishing kits include a web-based control panel that allows attackers to dynamically change what a victim sees on a phishing site while speaking to them on the phone. This allows threat actors to guide victims through each step of the login and MFA authentication process.
If the attackers enter stolen credentials into the real service and are prompted for MFA, they can display new dialog boxes on the phishing site in real time to instruct a victim to approve a push notification, enter a TOTP code, or perform other authentication steps.

A phishing kit lets attackers display different dialogs while calling victims (Source: Okta)
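As an added example (not code from the article, Okta or BleepingComputer), the following Python flags identity-provider sessions that match the pattern this section describes from the defender's side: a login from an IP outside the user's baseline, an MFA challenge completed shortly after, then a burst of SSO app launches within minutes. The event names and field layout are simplified assumptions loosely modelled on an identity-provider system log, and the baseline and events are constructed.

```python
from datetime import datetime, timedelta

# Constructed baseline: IPs each user has recently logged in from (in practice
# built from historical identity-provider logs).
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.20"}}

def ev(ts, user, event, ip, app=None):
    """Build one simplified log event (field names are an assumption, not a vendor schema)."""
    return {"ts": ts, "user": user, "event": event, "ip": ip, "app": app}

# Constructed sample events: alice logs in from an unknown IP, completes MFA,
# then opens four SSO apps in under four minutes; bob is an ordinary session.
EVENTS = [
    ev("2026-01-23T09:12:00", "alice", "user.session.start", "198.51.100.77"),
    ev("2026-01-23T09:13:10", "alice", "user.authentication.auth_via_mfa", "198.51.100.77"),
    ev("2026-01-23T09:14:00", "alice", "user.authentication.sso", "198.51.100.77", "Salesforce"),
    ev("2026-01-23T09:14:30", "alice", "user.authentication.sso", "198.51.100.77", "Dropbox"),
    ev("2026-01-23T09:15:00", "alice", "user.authentication.sso", "198.51.100.77", "Zendesk"),
    ev("2026-01-23T09:15:40", "alice", "user.authentication.sso", "198.51.100.77", "Atlassian"),
    ev("2026-01-23T10:00:00", "bob", "user.session.start", "203.0.113.20"),
    ev("2026-01-23T10:02:00", "bob", "user.authentication.sso", "203.0.113.20", "Microsoft 365"),
]

def find_relay_sessions(events, known_ips, window_min=10, min_apps=3):
    """Return one alert per session that starts from an IP outside the user's
    baseline, completes MFA, and launches >= min_apps distinct SSO apps within window_min minutes."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    alerts = []
    for i, start in enumerate(events):
        if start["event"] != "user.session.start":
            continue
        if start["ip"] in known_ips.get(start["user"], set()):
            continue  # known location for this user: not the pattern of interest
        deadline = datetime.fromisoformat(start["ts"]) + timedelta(minutes=window_min)
        mfa, apps = False, []
        for e in events[i + 1:]:
            if e["user"] != start["user"] or e["ip"] != start["ip"]:
                continue  # events from other users/sessions are ignored
            if datetime.fromisoformat(e["ts"]) > deadline:
                break  # outside the post-login window
            if e["event"] == "user.authentication.auth_via_mfa":
                mfa = True
            elif e["event"] == "user.authentication.sso" and e["app"] not in apps:
                apps.append(e["app"])
        if mfa and len(apps) >= min_apps:
            alerts.append({"user": start["user"], "ip": start["ip"],
                           "login_at": start["ts"], "apps": apps})
    return alerts
```

Running `find_relay_sessions(EVENTS, KNOWN_IPS)` returns a single alert for alice's session listing the four apps she touched; tune `window_min` and `min_apps` against your own baseline of normal post-login app usage.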
ShinyHunters claim responsibility
While ShinyHunters declined to comment on the attacks last night, the group confirmed to BleepingComputer this morning that it is responsible for some of the social engineering attacks.
"We confirm we are behind the attacks," ShinyHunters told BleepingComputer. "We are unable to share further details at this time, besides the fact that Salesforce remains our primary interest and target, the rest are benefactors."
The group also confirmed other aspects of BleepingComputer's reporting, including details about the phishing infrastructure and domains used in the campaign. However, it disputed that a screenshot of a phishing kit command-and-control server shared by Okta was for its platform, claiming instead that theirs was built in-house.
ShinyHunters claimed it is targeting not only Okta but also Microsoft Entra and Google SSO platforms.
Microsoft said it has nothing to share at this time, and Google said it had no evidence its products were being abused in the campaign.
"At this time, we have no indication that Google itself or its products are affected by this campaign," a Google spokesperson told BleepingComputer.
ShinyHunters claims to be using data stolen in previous breaches, such as the widespread Salesforce data theft attacks, to identify and contact employees. This data includes phone numbers, job titles, names, and other details used to make the social-engineering calls more convincing.
Last night, the group relaunched its Tor data leak site, which currently lists breaches at SoundCloud, Betterment, and Crunchbase.
SoundCloud previously disclosed a data breach in December 2025, while Betterment confirmed this month that its email platform had been abused to send cryptocurrency scams and that data was stolen.
Crunchbase, which had not previously disclosed a breach, confirmed today that data was stolen from its corporate network.
"Crunchbase detected a cybersecurity incident where a threat actor exfiltrated certain documents from our corporate network," a company spokesperson told BleepingComputer. "No business operations have been disrupted by this incident. We have contained the incident and our systems are secure."
"Upon detecting the incident we engaged cybersecurity experts and contacted federal law enforcement. We are reviewing the impacted information to determine if any notifications are required consistent with applicable legal requirements."

Lawrence Abrams
Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.

ShinyHunters are implicated in a series of sophisticated data theft attacks targeting single sign-on (SSO) accounts across platforms including Okta, Microsoft Entra, and Google. These attacks leverage voice phishing, or “vishing,” where attackers impersonate IT support to trick employees into divulging credentials and multi-factor authentication (MFA) codes. The group’s objective is to gain access to connected corporate SaaS applications and services via compromised SSO dashboards, which aggregate access to numerous enterprise platforms like Salesforce, Microsoft 365, and Adobe.

The attacks are facilitated by phishing kits that, as described in Okta's report, let the operator change what the victim sees on the phishing page during the phone call, guiding them through each step of the authentication process in real time. Attackers use data stolen in previous breaches, notably the widespread Salesforce data theft, to select and contact specific employees using details such as phone numbers, job titles, and names. The group has also relaunched its data leak site, which currently lists breaches at SoundCloud, Betterment, and Crunchbase.

ShinyHunters are utilizing a coordinated approach, combining established techniques with recently acquired data. The group has confirmed its involvement through communication with BleepingComputer. Their methodology is particularly concerning because of the interconnected nature of SSO systems. A successful compromise through one platform can quickly lead to access across a vast network of applications. The use of meticulously crafted phishing kits combined with stolen data highlights the sophistication of the group’s operations.

The impact of these attacks underscores the importance of robust security controls, including thorough employee training on recognizing and refusing unsolicited "IT support" calls that ask for credentials or MFA approvals. Organizations also need to deploy strong MFA, regularly review which applications are connected through SSO so that a single compromised account exposes as little as possible, and monitor access logs for suspicious activity such as logins from unfamiliar locations followed by rapid access to many connected applications. The ongoing threat posed by ShinyHunters calls for vigilance and a proactive approach to security management.