New York-based ad tech company Optimizely has notified an undisclosed number of customers of a data breach after threat actors compromised some of its systems in a voice phishing attack.

Optimizely has nearly 1,500 employees across 21 global offices, and its customer list includes over 10,000 businesses, including high-profile brands like H&M, PayPal, Zoom, Toyota, Vodafone, Shell, Salesforce, and Nike.

In breach notification letters sent to affected customers, the company, the threat actors reached out on February 11, claiming they had access to its systems.

Optimizely also told BleepingComputer that the attackers breached some of its systems and stole what it described as "basic business contact information."

"The threat actor gained access to Optimizely's systems through a sophisticated voice-phishing attack, but was unable to escalate privileges, install software, or create any backdoors in the Optimizely environment, and we have no evidence that the threat actor was able to access sensitive customer data or personal information beyond basic business contact information," it said.

Optimizely also noted the "incident was confined to certain internal business systems, records in our CRM, and a limited set of internal documents used for back-office operations," and added that its "business operations continue without disruption."

The company also warned customers to be wary of attacks that could use some of the stolen data in further phishing attempts, which may use calls, texts, or emails to ask for passwords, MFA codes, or other credentials.

ShinyHunters links

While Optimizely didn't share how many customers had their information exposed in the data breach and has yet to name the threat actor behind the attack, it told affected customers that "the communication we received is consistent with the behavior of a loosely affiliated group who use sophisticated and aggressive social engineering tactics, most often involving voice phishing, to attempt to access their victims systems."

This hints that the attackers are likely part of the ShinyHunters extortion operation, which has claimed similar breaches at Canada Goose, Panera Bread, Betterment, SoundCloud, PornHub, fintech firm Figure, and online dating giant Match Group (which owns multiple popular dating services, including Tinder, Hinge, Meetic, Match.com, and OkCupid) in recent weeks.

While not all of these breaches are part of the same campaign, some victims had their systems compromised in a voice phishing (vishing) campaign targeting single sign-on (SSO) accounts at Microsoft, Okta, and Google across over 100 high-profile organizations.

In these attacks, threat actors impersonate targets' IT support, call employees, and trick them into entering credentials and multi-factor authentication (MFA) codes on phishing sites mimicking their companies' login portals.

As BleepingComputer first reported, the threat actors have also recently altered their social engineering attacks to use device code vishing, abusing the legitimate OAuth 2.0 device authorization grant flow to obtain Microsoft Entra authentication tokens.

Once in, they hijack the victim's SSO account and gain access to connected enterprise services, including Salesforce, Microsoft 365, Google Workspace, Zendesk, Dropbox, SAP, Slack, Adobe, Atlassian, and many others.