The ShinyHunters extortion gang claims it is behind a wave of ongoing voice phishing attacks targeting single sign-on (SSO) accounts at Okta, Microsoft, and Google, enabling threat actors to breach corporate SaaS platforms and steal company data for extortion.

In these attacks, threat actors impersonate IT support and call employees, tricking them into entering their credentials and multi-factor authentication (MFA) codes on phishing sites that impersonate company login portals.

Once compromised, the attackers gain access to the victim's SSO account, which can provide access to other connected enterprise applications and services.

SSO services from Okta, Microsoft Entra, and Google enable companies to link third-party applications into a single authentication flow, giving employees access to cloud services, internal tools, and business platforms with a single login. 

These SSO dashboards typically list all connected services, making a compromised account a gateway into corporate systems and data.

Platforms commonly connected through SSO include Salesforce, Microsoft 365, Google Workspace, Dropbox, Adobe, SAP, Slack, Zendesk, Atlassian, and many others.

Vishing attacks used for data theft

As first reported by BleepingComputer, threat actors have been carrying out these attacks by calling employees and posing as IT staff, using social engineering to convince them to log into phishing pages and complete MFA challenges in real time.

After gaining access to a victim's SSO account, the attackers browse the list of connected applications and begin harvesting data from the platforms available to that user.

BleepingComputer is aware of multiple companies targeted in these attacks that have since received extortion demands signed by ShinyHunters, indicating that the group was behind the intrusions.

BleepingComputer contacted Okta earlier this week about the breaches, but the company declined to comment on the data theft attacks.

However, Okta released a report yesterday describing the phishing kits used in these voice-based attacks, which match what BleepingComputer has been told.

According to Okta, the phishing kits include a web-based control panel that allows attackers to dynamically change what a victim sees on a phishing site while speaking to them on the phone. This allows threat actors to guide victims through each step of the login and MFA authentication process.

If the attackers enter stolen credentials into the real service and are prompted for MFA, they can display new dialog boxes on the phishing site in real time to instruct a victim to approve a push notification, enter a TOTP code, or perform other authentication steps.

ShinyHunters claim responsibility

While ShinyHunters declined to comment on the attacks last night, the group confirmed to BleepingComputer this morning that it is responsible for some of the social engineering attacks.

"We confirm we are behind the attacks," ShinyHunters told BleepingComputer. "We are unable to share further details at this time, besides the fact that Salesforce remains our primary interest and target, the rest are benefactors."

The group also confirmed other aspects of BleepingComputer's reporting, including details about the phishing infrastructure and domains used in the campaign. However, it disputed that a screenshot of a phishing kit command-and-control server shared by Okta was for its platform, claiming instead that theirs was built in-house.

ShinyHunters claimed it is targeting not only Okta but also Microsoft Entra and Google SSO platforms.

Microsoft said it has nothing to share at this time, and Google said it had no evidence its products were being abused in the campaign.

"At this time, we have no indication that Google itself or its products are affected by this campaign," a Google spokesperson told BleepingComputer.

ShinyHunters claims to be using data stolen in previous breaches, such as the widespread Salesforce data theft attacks, to identify and contact employees. This data includes phone numbers, job titles, names, and other details used to make the social-engineering calls more convincing.

Last night, the group relaunched its Tor data leak site, which currently lists breaches at SoundCloud, Betterment, and Crunchbase.

SoundCloud previously disclosed a data breach in December 2025, while Betterment confirmed this month that its email platform had been abused to send cryptocurrency scams and that data was stolen.

Crunchbase, which had not previously disclosed a breach, confirmed today that data was stolen from its corporate network.

"Crunchbase detected a cybersecurity incident where a threat actor exfiltrated certain documents from our corporate network," a company spokesperson told BleepingComputer. "No business operations have been disrupted by this incident. We have contained the incident and our systems are secure."

"Upon detecting the incident we engaged cybersecurity experts and contacted federal law enforcement. We are reviewing the impacted information to determine if any notifications are required consistent with applicable legal requirements."