
ShinyHunters Targets 100+ Organizations Through Okta SSO Vishing Campaign


The ShinyHunters cybercrime group has claimed responsibility for a large-scale voice phishing operation targeting single sign-on credentials at roughly 100 organizations. The group has already leaked data from SoundCloud (affecting 28 million users), Crunchbase (2+ million records), and Betterment (20+ million records), with additional breaches expected.

The campaign represents a growing threat to organizations relying on SSO platforms for authentication. ShinyHunters gained access to Crunchbase and Betterment by voice-phishing their Okta single sign-on codes, demonstrating how effective these social engineering attacks have become.

The Mechanics of the Attack

ShinyHunters’ approach involves attackers impersonating IT support staff and calling employees directly. During these calls, victims are guided through entering their credentials and multi-factor authentication codes on phishing sites that closely mimic legitimate company login portals.

The phishing infrastructure is more sophisticated than typical scam operations. Research from Okta reveals that attackers use web-based control panels allowing them to dynamically change what victims see on phishing sites in real time. This enables threat actors to walk victims through each step of the login and MFA authentication process while on the phone.

Once inside an SSO account, attackers gain access to all connected enterprise applications. Okta, Microsoft Entra, and Google SSO platforms centralize authentication for dozens or hundreds of business tools, making compromised SSO credentials particularly valuable. ShinyHunters can then pivot into SaaS environments, exfiltrate sensitive data, and in many cases, move laterally through connected services before the breach is detected.


Why SSO Platforms Are Prime Targets

The same features that make SSO platforms convenient for legitimate users make them attractive targets for attackers. One set of credentials provides access to Salesforce, internal tools, cloud services, financial platforms, and other business applications.

Google’s Mandiant team confirmed they’re tracking this ongoing campaign. Mandiant Consulting CTO Charles Carmakal noted that the group uses “evolved” voice-phishing techniques to compromise SSO credentials and enroll threat actor-controlled devices into victim MFA solutions. Following initial access, attackers pivot into SaaS environments to exfiltrate sensitive data.

Silent Push researchers identified over 100 organizations across multiple industries that have been actively targeted or had infrastructure prepared for attacks in the last 30 days. The list includes technology companies like Atlassian, Canva, Epic Games, HubSpot, and RingCentral. Being on this list doesn’t confirm a breach, but indicates the breadth of the targeting effort.

The Broader Context

ShinyHunters has executed similar operations before. Last year, the group stole data from hundreds of Salesforce customers using comparable tactics. The techniques have proven effective enough that other criminal groups are adopting them. Research suggests coordination with groups like Scattered Spider, who have been running their own SSO-focused campaigns.

Voice phishing attacks increased 442% from the first half of 2024 to the second half. The dramatic rise reflects both the effectiveness of these attacks and the fact that many organizations still rely on authentication methods vulnerable to social engineering.

Push notifications can be approved by distracted users. SMS codes can be intercepted or phished. Time-based one-time passwords can be captured in real time during vishing calls. Each of these methods has weaknesses that skilled social engineers know how to exploit.
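The contrast the paragraph above draws, a relayed TOTP is accepted anywhere while a FIDO2/WebAuthn assertion is bound to the site the browser is actually on, can be shown with the relying-party checks from the WebAuthn specification. The following is an added example, not code from the article or from Okta; the origin `https://login.example.com`, the look-alike origin and the authenticator data are constructed placeholders.

```python
import base64
import hashlib
import json
import secrets

# Constructed relying-party origin for this example (not from the article).
RP_ORIGIN = "https://login.example.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def make_client_data(challenge: bytes, origin: str) -> bytes:
    """Build the clientDataJSON a browser produces for a WebAuthn get() call.

    The browser, not the page's script, fills in the origin, so a look-alike
    site cannot claim to be the real one.
    """
    return json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
        "crossOrigin": False,
    }).encode()


def check_assertion(client_data_json: bytes, expected_challenge: bytes, expected_origin: str):
    """Relying-party verification of clientDataJSON: ceremony type, challenge, origin."""
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not secrets.compare_digest(b64url_decode(data.get("challenge", "")), expected_challenge):
        return False, "challenge mismatch"
    if data.get("origin") != expected_origin:
        return False, f"origin mismatch: {data.get('origin')!r}"
    return True, "ok"


def signed_payload(authenticator_data: bytes, client_data_json: bytes) -> bytes:
    """What the security key signs: authenticatorData || SHA-256(clientDataJSON).

    Because the origin field is covered by this hash, it cannot be rewritten
    after the fact without invalidating the signature.
    """
    return authenticator_data + hashlib.sha256(client_data_json).digest()


def demo():
    challenge = secrets.token_bytes(32)  # issued by the relying party for this login
    auth_data = b"\x00" * 37            # placeholder authenticator data for the demo
    genuine = make_client_data(challenge, RP_ORIGIN)
    # The same challenge relayed through a look-alike site: the browser records that site's origin.
    relayed = make_client_data(challenge, "https://login-example.example.net")
    return {
        "genuine": check_assertion(genuine, challenge, RP_ORIGIN),
        "relayed": check_assertion(relayed, challenge, RP_ORIGIN),
        "payloads_differ": signed_payload(auth_data, genuine) != signed_payload(auth_data, relayed),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The point for defenders is in the `relayed` case: there is no code for a caller to ask for, the assertion produced on the look-alike site carries that site's origin, and the relying party rejects it before any signature is even checked.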


Practical Defenses

Organizations can take several concrete steps to reduce their risk:

  • Deploy phishing-resistant MFA. FIDO2 security keys and passkeys provide authentication that can’t be phished. Even if an employee falls for social engineering and attempts to authenticate on a fake site, the authentication will fail. Mandiant specifically recommends these protections because they’re resistant to social engineering in ways that push-based or SMS authentication are not.
  • Monitor SSO and API activity. Watch for unusual login locations, unauthorized device enrollments, and anomalous API calls. An employee who normally logs in from one location suddenly appearing to access systems from another country should trigger immediate investigation.
  • Implement strict app authorization policies. Not every user needs access to every connected service. Tighter scoping limits the potential damage from compromised credentials.
  • Train employees on vishing tactics. Legitimate IT departments rarely call out of the blue requesting credentials or MFA codes. Employees should know to verify any such requests by contacting IT through official channels rather than trusting an unexpected caller.
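The monitoring step above (unusual login locations followed by an unauthorized device or factor enrollment) can be turned into a small detection pass over identity-provider logs. This is an added example, not code from the article, Okta or Mandiant; the events below are constructed, with field names laid out like Okta System Log entries, and the per-user country baseline and 30-minute window are assumptions for the demo.

```python
import json
from datetime import datetime, timedelta

# Constructed sample events shaped like Okta System Log entries (not real logs).
SAMPLE_LOG = r"""
{"published":"2025-01-10T09:02:11.000Z","eventType":"user.session.start","actor":{"alternateId":"a.user@example.com"},"client":{"ipAddress":"203.0.113.7","geographicalContext":{"country":"United States"}},"outcome":{"result":"SUCCESS"}}
{"published":"2025-01-10T09:41:55.000Z","eventType":"user.session.start","actor":{"alternateId":"a.user@example.com"},"client":{"ipAddress":"198.51.100.23","geographicalContext":{"country":"Germany"}},"outcome":{"result":"SUCCESS"}}
{"published":"2025-01-10T09:43:02.000Z","eventType":"user.mfa.factor.activate","actor":{"alternateId":"a.user@example.com"},"client":{"ipAddress":"198.51.100.23","geographicalContext":{"country":"Germany"}},"outcome":{"result":"SUCCESS"}}
{"published":"2025-01-10T10:15:00.000Z","eventType":"user.session.start","actor":{"alternateId":"b.user@example.com"},"client":{"ipAddress":"203.0.113.9","geographicalContext":{"country":"United States"}},"outcome":{"result":"SUCCESS"}}
"""

# Assumed baseline: countries each user normally signs in from (constructed).
BASELINE = {
    "a.user@example.com": {"United States"},
    "b.user@example.com": {"United States"},
}

# Assumed window: a new factor enrolled this soon after a login from an
# unfamiliar country is treated as a likely takeover rather than travel.
ENROLL_WINDOW = timedelta(minutes=30)


def parse_events(raw: str):
    """Flatten the nested log records into the handful of fields the rules use."""
    events = []
    for line in raw.strip().splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        events.append({
            "time": datetime.fromisoformat(e["published"].replace("Z", "+00:00")),
            "type": e["eventType"],
            "user": e["actor"]["alternateId"],
            "ip": e["client"]["ipAddress"],
            "country": e["client"]["geographicalContext"]["country"],
            "ok": e["outcome"]["result"] == "SUCCESS",
        })
    return sorted(events, key=lambda ev: ev["time"])


def detect(events, baseline):
    """Apply two rules: login from a country outside the user's baseline, and
    MFA factor enrollment shortly after such a login."""
    alerts = []
    last_foreign_login = {}  # user -> time of last successful login outside baseline
    for e in events:
        if not e["ok"]:
            continue
        known = baseline.get(e["user"], set())
        if e["type"] == "user.session.start" and e["country"] not in known:
            last_foreign_login[e["user"]] = e["time"]
            alerts.append({
                "rule": "login_from_new_country", "severity": "medium",
                "user": e["user"], "time": e["time"].isoformat(),
                "detail": f"{e['country']} from {e['ip']} (baseline: {sorted(known)})",
            })
        elif e["type"] == "user.mfa.factor.activate":
            recent = last_foreign_login.get(e["user"])
            if recent is not None and e["time"] - recent <= ENROLL_WINDOW:
                alerts.append({
                    "rule": "mfa_enrollment_after_new_country_login", "severity": "high",
                    "user": e["user"], "time": e["time"].isoformat(),
                    "detail": f"factor enrolled {(e['time'] - recent).seconds // 60} min after login from {e['country']}",
                })
            else:
                alerts.append({
                    "rule": "mfa_factor_enrolled", "severity": "low",
                    "user": e["user"], "time": e["time"].isoformat(),
                    "detail": f"factor enrolled from {e['ip']}",
                })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG), BASELINE):
        print(f"[{alert['severity']}] {alert['rule']}: {alert['user']} {alert['time']} {alert['detail']}")
```

In the constructed data the sequence for `a.user` is the pattern the article describes: a sign-in from an unfamiliar country followed minutes later by a new factor activation, which is what an attacker-controlled device enrolled during a vishing call looks like in the log. The high-severity alert is the one worth paging on; the medium alert alone may just be travel.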

Crunchbase, which hadn’t previously disclosed a breach, confirmed that a threat actor exfiltrated documents from their corporate network. The company has contained the incident and engaged cybersecurity experts and federal law enforcement.

What This Means Going Forward

The ShinyHunters campaign demonstrates that sophisticated technical defenses mean little when attackers can simply call someone and request access. The group didn’t need to exploit software vulnerabilities or overcome complex security architecture; they just convinced people to hand over credentials.

This reality check is important for security teams. Organizations invest heavily in firewalls, endpoint protection, and threat detection systems. But these defenses can be bypassed through social engineering if employees aren’t trained to recognize vishing attempts and if authentication methods remain vulnerable to phishing.

The techniques ShinyHunters is using will continue spreading. Other criminal groups will adopt these methods as they prove effective. Organizations need to move beyond authentication systems that can be socially engineered and implement defenses that work even when an attacker successfully tricks an employee.

The alternative is waiting to appear on the next data leak site.

About the Author:

Pocholo Legaspi

Pocholo Legaspi is a seasoned content marketer and SEO specialist with over nine years of experience crafting digital content that drives engagement and growth. With a background in tech and a Master’s in Business Informatics, he brings a data-driven approach to content strategy and storytelling.
